commit: 277d210fe82228bfd80013cb630a385605f5e27f
parent bb320fd495d22de3ac543fe2b95352fab2910616
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Mon, 14 Aug 2023 22:27:39 +0200

apparmor-profile upstream update

Diffstat:

Mabstractions/X5++++-
Mabstractions/apache2-common4++++
Mabstractions/apparmor_api/is_enabled1+
Mabstractions/audio3+++
Mabstractions/authentication4+++-
Mabstractions/base9++++-----
Aabstractions/crypto27+++++++++++++++++++++++++++
Mabstractions/exo-open11++---------
Mabstractions/fonts2++
Mabstractions/freedesktop.org2+-
Aabstractions/groff67+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aabstractions/gtk55+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mabstractions/ibus9+++++++++
Mabstractions/kde3+++
Mabstractions/kde-open54++--
Mabstractions/kerberosclient5+++++
Mabstractions/mesa15++++++++++++---
Mabstractions/nss-systemd1+
Mabstractions/nvidia4++++
Mabstractions/openssl5+++--
Mabstractions/php15+++++++--------
Mabstractions/postfix-common3++-
Mabstractions/private-files-strict2+-
Mabstractions/python21++++++++++-----------
Mabstractions/samba15++++++++++-----
Aabstractions/samba-rpcd30++++++++++++++++++++++++++++++
Aabstractions/snap_browsers42++++++++++++++++++++++++++++++++++++++++++
Mabstractions/ssl_certs23++++++++++-------------
Mabstractions/svn-repositories2+-
Aabstractions/trash75+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mabstractions/ubuntu-browsers1+
Mabstractions/ubuntu-browsers.d/ubuntu-integration5+----
Mabstractions/ubuntu-browsers.d/user-files1+
Mabstractions/ubuntu-helpers9+++++++++
Mabstractions/video11++++++++++-
Mabstractions/wayland3+++
Mabstractions/wutmp3++-
Mabstractions/xdg-open2+-
Alocal/samba-bgqd1+
Alocal/samba-dcerpcd1+
Alocal/samba-rpcd1+
Alocal/samba-rpcd-classic1+
Alocal/samba-rpcd-spoolss1+
Alocal/usr.lib.dovecot.director1+
Alocal/usr.lib.dovecot.doveadm-server1+
Alocal/usr.lib.dovecot.replicator1+
Alocal/zgrep1+
Mlsb_release4+++-
Mnvidia_modprobe4++--
Mphp-fpm3+--
Asamba-bgqd24++++++++++++++++++++++++
Asamba-dcerpcd32++++++++++++++++++++++++++++++++
Asamba-rpcd24++++++++++++++++++++++++
Asamba-rpcd-classic24++++++++++++++++++++++++
Asamba-rpcd-spoolss32++++++++++++++++++++++++++++++++
Msbin.syslog-ng1+
Msbin.syslogd5+++++
Mtunables/etc6+++++-
Mtunables/home10+++++-----
Ausr.lib.dovecot.director27+++++++++++++++++++++++++++
Ausr.lib.dovecot.doveadm-server22++++++++++++++++++++++
Musr.lib.dovecot.imap2+-
Musr.lib.dovecot.lmtp2++
Musr.lib.dovecot.pop31+
Ausr.lib.dovecot.replicator36++++++++++++++++++++++++++++++++++++
Musr.lib.dovecot.stats4++++
Musr.sbin.avahi-daemon5++++-
Musr.sbin.dnsmasq19+++++++++++++------
Musr.sbin.dovecot8++++++--
Musr.sbin.nmbd3---
Musr.sbin.nscd10+++++++++-
Musr.sbin.ntpd1+
Musr.sbin.smbd15+++++++++++++--
Musr.sbin.winbindd4+++-
Azgrep66++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
75 files changed, 803 insertions(+), 99 deletions(-)

diff --git a/abstractions/X b/abstractions/X @@ -17,6 +17,7 @@ # .ICEauthority files required for X authentication, per user owner @{HOME}/.ICEauthority r, + owner @{run}/user/*/ICEauthority r, # .Xauthority files required for X connections, per user owner @{HOME}/.Xauthority r, @@ -29,7 +30,7 @@ owner @{run}/user/*/xauth_* r, # the unix socket to use to connect to the display - /tmp/.X11-unix/* r, + /tmp/.X11-unix/* rw, unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), @@ -51,6 +52,8 @@ # Xcompose owner @{HOME}/.XCompose r, + /var/cache/libx11/compose/* r, + deny /var/cache/libx11/compose/* wlk, # mouse themes /etc/X11/cursors/ r, diff --git a/abstractions/apache2-common b/abstractions/apache2-common @@ -6,6 +6,10 @@ include <abstractions/nameservice> + # Allow other processes to read our /proc entries + ptrace (readby), + # Allow other processes to trace us by default + ptrace (tracedby), # Allow unconfined processes to send us signals by default signal (receive) peer=unconfined, # Allow apache to send us signals by default diff --git a/abstractions/apparmor_api/is_enabled b/abstractions/apparmor_api/is_enabled @@ -15,5 +15,6 @@ abi <abi/3.0>, include <abstractions/apparmor_api/find_mountpoint> @{sys}/module/apparmor/parameters/enabled r, +@{sys}/module/apparmor/parameters/available r, # TODO: add alternate apparmorfs interface for enabled diff --git a/abstractions/audio b/abstractions/audio @@ -85,5 +85,8 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r, # wildmidi /etc/wildmidi/wildmidi.cfg r, +# pipewire +/usr/share/pipewire/client.conf r, + # Include additions to the abstraction include if exists <abstractions/audio.d> diff --git a/abstractions/authentication b/abstractions/authentication 
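Review bot: In the apache2-common hunk the new `ptrace (readby),` and `ptrace (tracedby),` rules carry no `peer=` qualifier, so any peer that is itself allowed to ptrace may attach to the confined apache process or read its /proc entries. The signal rule right below them is narrowed to `peer=unconfined`, so the unrestricted ptrace rules read like an omission rather than a decision. If the open form is intended (monitoring tools and debuggers running under other profiles), a comment such as `# peer deliberately unrestricted: ps/top/debuggers run under other profiles` would stop the next reader from tightening it; otherwise `ptrace (readby) peer=unconfined,` is the narrower starting point.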
@@ -2,7 +2,7 @@ # # Copyright (C) 2002-2009 Novell/SUSE # Copyright (C) 2009-2012 Canonical Ltd -# Copyright (C) 2019 Christian Boltz +# Copyright (C) 2019-2021 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -36,6 +36,8 @@ # SuSE's pwdutils are different: @{etc_ro}/default/passwd r, @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/ r, + @{etc_ro}/login.defs.d/*.defs r, # nis include <abstractions/nis> diff --git a/abstractions/base b/abstractions/base @@ -12,6 +12,7 @@ abi <abi/3.0>, + include <abstractions/crypto> # (Note that the ldd profile has inlined this file; if you make # modifications here, please consider including them in the ldd @@ -35,8 +36,8 @@ /usr/share/locale-langpack/** r, /usr/share/locale/** r, /usr/share/**/locale/** r, - /usr/share/zoneinfo/ r, - /usr/share/zoneinfo/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, /usr/share/X11/locale/** r, @{run}/systemd/journal/dev-log w, # systemd native journal API (see sd_journal_print(4)) @@ -102,13 +103,11 @@ @{PROC}/cpuinfo r, @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, # glibc's *printf protections read the maps file @{PROC}/@{pid}/{maps,auxv,status} r, - # libgcrypt reads some flags from /proc - @{PROC}/sys/crypto/* r, - # some applications will display license information /usr/share/common-licenses/** r, diff --git a/abstractions/crypto b/abstractions/crypto 
@@ -0,0 +1,27 @@ +# vim:syntax=apparmor +# ------------------------------------------------------------------ +# +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2021 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + + abi <abi/3.0>, + + @{etc_ro}/gcrypt/hwf.deny r, + @{etc_ro}/gcrypt/random.conf r, + @{PROC}/sys/crypto/fips_enabled r, + + # libgcrypt reads some flags from /proc + @{PROC}/sys/crypto/* r, + + # crypto policies used by various libraries + /etc/crypto-policies/*/*.txt r, + /usr/share/crypto-policies/*/*.txt r, + + include if exists <abstractions/crypto.d> diff --git a/abstractions/exo-open b/abstractions/exo-open @@ -29,8 +29,8 @@ # include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-email> # -# # Add if accesibility access is considered as required -# # (for message boxe in case exo-open fails) +# # Add if accessibility access is considered as required +# # (for message box in case exo-open fails) # include <abstractions/dbus-accessibility> # # # < add additional allowed applications here > @@ -51,13 +51,6 @@ /{,usr/}bin/which rix, - # Deny DBus - - # for GTK error message dialog, not required exo-open to work. - deny dbus send - bus=session - path=/org/gtk/vfs/mounttracker, - # System files /etc/xdg/{,xdg-*/}xfce4/helpers.rc r, diff --git a/abstractions/fonts b/abstractions/fonts @@ -54,6 +54,8 @@ owner @{HOME}/.fonts.conf.d/** r, owner @{HOME}/.config/fontconfig/ r, owner @{HOME}/.config/fontconfig/** r, + owner @{HOME}/.Fontmatrix/Activated/ r, + owner @{HOME}/.Fontmatrix/Activated/** r, /usr/local/share/fonts/ r, /usr/local/share/fonts/** r, diff --git a/abstractions/freedesktop.org b/abstractions/freedesktop.org 
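Review bot: Dropping the `deny dbus send ... path=/org/gtk/vfs/mounttracker` block in the second exo-open hunk is a semantic change, not a cleanup: a deny rule overrides any matching allow, so profiles that include this abstraction together with a broad session-bus `dbus send` rule will now be permitted to reach the GTK mount tracker where they were previously refused. The removed comment recorded that the access was not needed for exo-open to work, and nothing in the commit says why the explicit refusal is no longer wanted. If the intent is that the abstraction should not block GTK dialogs in including profiles, a one-line comment at that spot, `# no dbus deny here; the including profile decides`, would preserve the reasoning.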
@@ -20,7 +20,7 @@ @{system_share_dirs}/mime/** r, # per-user configurations - owner @{HOME}/.icons/ r, + owner @{HOME}/.icons/{,**} r, owner @{HOME}/.recently-used.xbel* rw, owner @{HOME}/.local/share/recently-used.xbel* rw, owner @{HOME}/.config/user-dirs.dirs r, diff --git a/abstractions/groff b/abstractions/groff 
@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2023 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # Note: executing groff and nroff themself is not included in this abstraction
+ # so that you can choose to ix, Px or Cx them in your profile
+
+ # groff/nroff helpers, preprocessors, and postprocessors
+ /usr/bin/addftinfo mrix,
+ /usr/bin/afmtodit mrix,
+ /usr/bin/chem mrix,
+ /usr/bin/eqn mrix,
+ /usr/bin/eqn2graph mrix,
+ /usr/bin/gdiffmk mrix,
+ /usr/bin/geqn mrix,
+ /usr/bin/grap2graph mrix,
+ /usr/bin/grn mrix,
+ /usr/bin/grodvi mrix,
+ /usr/bin/groffer mrix,
+ /usr/bin/grog mrix,
+ /usr/bin/grolbp mrix,
+ /usr/bin/grolj4 mrix,
+ /usr/bin/gropdf mrix,
+ /usr/bin/grops mrix,
+ /usr/bin/grotty mrix,
+ /usr/bin/gtbl mrix,
+ /usr/bin/hpftodit mrix,
+ /usr/bin/indxbib mrix,
+ /usr/bin/lkbib mrix,
+ /usr/bin/lookbib mrix,
+ /usr/bin/mmroff mrix,
+ /usr/bin/neqn mrix,
+ /usr/bin/pdfmom mrix,
+ /usr/bin/pdfroff mrix,
+ /usr/bin/pfbtops mrix,
+ /usr/bin/pic mrix,
+ /usr/bin/pic2graph mrix,
+ /usr/bin/post-grohtml mrix,
+ /usr/bin/pre-grohtml mrix,
+ /usr/bin/preconv mrix,
+ /usr/bin/refer mrix,
+ /usr/bin/roff2dvi mrix,
+ /usr/bin/roff2html mrix,
+ /usr/bin/roff2pdf mrix,
+ /usr/bin/roff2ps mrix,
+ /usr/bin/roff2text mrix,
+ /usr/bin/roff2x mrix,
+ /usr/bin/soelim mrix,
+ /usr/bin/tbl mrix,
+ /usr/bin/tfmtodit mrix,
+ /usr/bin/troff mrix,
+ /usr/bin/xtotroff mrix,
+
+ # at least its macros and fonts
+ /usr/libexec/groff/** r,
+ /usr/share/groff/** r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/groff.d>
diff --git a/abstractions/gtk b/abstractions/gtk
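Review bot: The new groff abstraction has no `abi <abi/3.0>,` line, whereas the crypto and gtk abstractions added in this same commit both open with one; if that is deliberate, a short comment saying so would keep the difference from looking like an oversight. The header comment reads `executing groff and nroff themself`, which should be `themselves`. Every helper is granted `mrix`, so all 44 binaries run under the including profile's confinement; that is the usual choice for an abstraction, but it is worth stating next to `# groff/nroff helpers, preprocessors, and postprocessors` that the including profile must therefore also cover whatever those helpers open.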
@@ -0,0 +1,55 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /usr/share/themes/{,**} r,
+
+ /usr/share/gtksourceview-[0-9]*/{,**} r,
+
+ /usr/share/gtk-2.0/ r,
+ /usr/share/gtk-2.0/gtkrc r,
+
+ /usr/share/gtk-{3,4}.0/ r,
+ /usr/share/gtk-{3,4}.0/settings.ini r,
+
+ /etc/gtk-2.0/ r,
+ /etc/gtk-2.0/gtkrc r,
+
+ /etc/gtk-{3,4}.0/ r,
+ /etc/gtk-{3,4}.0/*.conf r,
+
+ /etc/gtk/gtkrc r,
+
+ owner @{HOME}/.themes/{,**} r,
+ owner @{HOME}/.local/share/themes/{,**} r,
+
+ owner @{HOME}/.gtk r,
+ owner @{HOME}/.gtkrc r,
+ owner @{HOME}/.gtkrc-2.0 r,
+ owner @{HOME}/.gtk-bookmarks r,
+ owner @{HOME}/.config/gtkrc r,
+ owner @{HOME}/.config/gtkrc-2.0 r,
+ owner @{HOME}/.config/gtk-{3,4}.0/ rw,
+ owner @{HOME}/.config/gtk-{3,4}.0/settings.ini r,
+ owner @{HOME}/.config/gtk-{3,4}.0/bookmarks r,
+ owner @{HOME}/.config/gtk-{3,4}.0/gtk.css r,
+
+ # for gtk file dialog
+ owner @{HOME}/.config/gtk-2.0/ rw,
+ owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
+
+ # .Xauthority file required for X connections
+ owner @{HOME}/.Xauthority r,
+
+ # Xsession errors file
+ owner @{HOME}/.xsession-errors w,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/gtk.d>
diff --git a/abstractions/ibus b/abstractions/ibus
@@ -16,5 +16,14 @@ owner @{HOME}/.config/ibus/bus/ rw, owner @{HOME}/.config/ibus/bus/* rw, + # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache) + # This should use this, but due to LP: #1856738 we cannot + #unix (connect, receive, send) + # type=stream + # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"), + unix (connect, receive, send) + type=stream + peer=(addr="@/home/*/.cache/ibus/dbus-*"), + # Include additions to the abstraction include if exists <abstractions/ibus.d> diff --git a/abstractions/kde b/abstractions/kde @@ -41,8 +41,11 @@ owner @{HOME}/.config/Trolltech.conf rwk, owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent() +owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so +owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc. owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so +owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so owner @{HOME}/.config/trashrc r, # Used by KFileWidget /usr/share/X11/XKeysymDB r, diff --git a/abstractions/kde-open5 b/abstractions/kde-open5 @@ -29,8 +29,8 @@ # include <abstractions/ubuntu-browsers> # include <abstractions/ubuntu-email> # -# # Add if accesibility access is considered as required -# # (for message boxe in case exo-open fails) +# # Add if accessibility access is considered as required +# # (for message box in case exo-open fails) # include <abstractions/dbus-accessibility> # # # Add if audio support for message box is diff --git a/abstractions/kerberosclient b/abstractions/kerberosclient 
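Review bot: The ibus hunk's working rule uses `peer=(addr="@/home/*/.cache/ibus/dbus-*")`, which matches the abstract socket of any user's ibus daemon, not only the caller's, and misses home directories outside /home altogether; the commented-out `@{HOME}` form would have had the first problem too, but the substitution makes it easy to overlook. The comment above it explains why `@{HOME}` cannot be used (LP: #1856738) but not these consequences. One added line, `# note: matches every user's ibus socket and only homes under /home`, would record the accepted trade-off until the referenced bug is resolved.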
@@ -22,6 +22,11 @@ /usr/lib/@{multiarch}/krb5/plugins/preauth/ r, /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr, + /usr/lib{,32,64}/krb5/plugins/authdata/ r, + /usr/lib{,32,64}/krb5/plugins/authdata/* mr, + /usr/lib/@{multiarch}/krb5/plugins/authdata/ r, + /usr/lib/@{multiarch}/krb5/plugins/authdata/* mr, + /etc/krb5.keytab rk, /etc/krb5.conf r, /etc/krb5.conf.d/ r, diff --git a/abstractions/mesa b/abstractions/mesa @@ -10,13 +10,22 @@ # (src/intel/perf/gen_perf.c, load_oa_metrics()) @{PROC}/sys/dev/i915/perf_stream_paranoid r, + @{sys}/devices/pci[0-9]*/**/{revision,config} r, + # User files owner @{HOME}/.cache/ w, # if user clears all caches - owner @{HOME}/.cache/mesa_shader_cache/ w, + owner @{HOME}/.cache/mesa_shader_cache/ rw, owner @{HOME}/.cache/mesa_shader_cache/index rw, - owner @{HOME}/.cache/mesa_shader_cache/??/ w, - owner @{HOME}/.cache/mesa_shader_cache/??/* rwk, + owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, + owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, + owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, + # Fallback location when @{HOME}/.cache is not available + owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw, + owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw, + owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw, + owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw, + owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk, # Include additions to the abstraction include if exists <abstractions/mesa.d> diff --git a/abstractions/nss-systemd b/abstractions/nss-systemd @@ -24,6 +24,7 @@ @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS + @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined @{PROC}/sys/kernel/random/boot_id r, 
diff --git a/abstractions/nvidia b/abstractions/nvidia @@ -23,9 +23,13 @@ @{sys}/devices/system/memory/block_size_bytes r, + owner @{HOME}/.cache/nvidia/ w, + owner @{HOME}/.cache/nvidia/GLCache/ rw, + owner @{HOME}/.cache/nvidia/GLCache/** rwk, owner @{HOME}/.nv/ w, owner @{HOME}/.nv/GLCache/ rw, owner @{HOME}/.nv/GLCache/** rwk, + owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"), diff --git a/abstractions/openssl b/abstractions/openssl @@ -11,9 +11,10 @@ abi <abi/3.0>, /etc/ssl/openssl.cnf r, + /etc/ssl/openssl-*.cnf r, + /etc/ssl/{engdef,engines}.d/ r, + /etc/ssl/{engdef,engines}.d/*.cnf r, /usr/share/ssl/openssl.cnf r, - @{PROC}/sys/crypto/fips_enabled r, - # Include additions to the abstraction include if exists <abstractions/openssl.d> diff --git a/abstractions/php b/abstractions/php @@ -13,26 +13,25 @@ abi <abi/3.0>, # shared snippets for config files - /etc/php{,5,7}/**/ r, - /etc/php{,5,7}/**.ini r, + /etc/php{,5,7,8}/** r, # Xlibs /usr/X11R6/lib{,32,64}/lib*.so* mr, # php extensions - /usr/lib{64,}/php{,5,7}/*/*.so mr, + /usr/lib{64,}/php{,5,7,8}/*/*.so mr, # ICU (unicode support) data tables /usr/share/icu/*/*.dat r, # php session mmap socket - /var/lib/php{,5,7}/session_mm_* rwlk, + /var/lib/php{,5,7,8}/session_mm_* rwlk, # file based session handler - /var/lib/php{,5,7}/sess_* rwlk, - /var/lib/php{,5,7}/sessions/* rwlk, + /var/lib/php{,5,7,8}/sess_* rwlk, + /var/lib/php{,5,7,8}/sessions/* rwlk, # php libraries - /usr/share/php{,5,7}/ r, - /usr/share/php{,5,7}/** mr, + /usr/share/php{,5,7,8}/ r, + /usr/share/php{,5,7,8}/** mr, # MySQL extension /usr/share/mysql/** r, diff --git a/abstractions/postfix-common b/abstractions/postfix-common 
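Review bot: The openssl hunk removes `@{PROC}/sys/crypto/fips_enabled r,` without a replacement, relying on the new abstractions/crypto (which carries the same rule and is now included from base, per the base hunk above) to keep the read available. That only holds for profiles that include base; a profile that includes openssl on its own loses the rule and its read of fips_enabled would now be denied. Either add `include <abstractions/crypto>` here, or record the dependency with `# fips_enabled is provided by abstractions/crypto (included from base)` so the coupling is visible to whoever next edits this file.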
@@ -2,7 +2,7 @@ # # Copyright (C) 2002-2005 Novell/SUSE # Copyright (C) 2015-2018 Canonical, Ltd. -# Copyright (C) 2020 Christian Boltz +# Copyright (C) 2020-2021 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -26,6 +26,7 @@ /etc/mailname r, /etc/postfix/*.cf r, /etc/postfix/*.db rk, + /etc/postfix/*.lmdb rk, @{PROC}/net/if_inet6 r, /usr/lib/postfix/*.so mr, /usr/lib{,32,64}/sasl2/* mr, diff --git a/abstractions/private-files-strict b/abstractions/private-files-strict @@ -24,7 +24,7 @@ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w, audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, - + audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl, # Include additions to the abstraction include if exists <abstractions/private-files-strict.d> diff --git a/abstractions/python b/abstractions/python 
@@ -12,18 +12,17 @@ abi <abi/3.0>, - /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr, - /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r, - /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r, - /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr, - - /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr, - /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r, - /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r, - /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r, + /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r, + /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr, # Site-wide configuration - /etc/python{2.[4-7],3.[0-9]}/** r, + /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r, # shared python paths /usr/share/{pyshared,pycentral,python-support}/** r, @@ -36,7 +35,7 @@ /usr/lib/wx/python/*.pth r, # python build configuration and headers - /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r, + /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r, # Include additions to the abstraction include if exists <abstractions/python.d> diff --git a/abstractions/samba b/abstractions/samba 
@@ -13,6 +13,8 @@ /etc/samba/* r, /usr/lib*/ldb/*.so mr, + /usr/lib*/ldb2/*.so mr, + /usr/lib*/ldb2/modules/ldb/*.so mr, /usr/lib*/samba/ldb/*.so mr, /usr/share/samba/*.dat r, /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, @@ -21,16 +23,19 @@ /var/lib/samba/** rwk, /var/log/samba/cores/ rw, /var/log/samba/cores/** rw, - /var/log/samba/* w, - @{run}/samba/ w, - @{run}/samba/*.tdb rw, - @{run}/samba/msg.lock/ rwk, - @{run}/samba/msg.lock/[0-9]* rwk, + /var/log/samba/* rw, + @{run}/{,lock/}samba/ w, + @{run}/{,lock/}samba/*.tdb rwk, + @{run}/{,lock/}samba/msg.{lock,sock}/ rwk, + @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk, + /var/cache/samba/*.tdb rwk, /var/cache/samba/msg.lock/ rwk, /var/cache/samba/msg.lock/[0-9]* rwk, # required for clustering /var/lib/ctdb/** rwk, + deny capability net_admin, # noisy setsockopt() calls from systemd + # Include additions to the abstraction include if exists <abstractions/samba.d> diff --git a/abstractions/samba-rpcd b/abstractions/samba-rpcd @@ -0,0 +1,30 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2022 SUSE LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +# This file contains basic permissions for samba rpcd_xyz services + + abi <abi/3.0>, + + include <abstractions/base> + include <abstractions/nameservice> + include <abstractions/samba> + + capability setgid, + capability setuid, + + signal receive set=term peer=smbd, + + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/fd/ r, + + # Include additions to the abstraction + include if exists <abstractions/samba-rpcd.d> + diff --git a/abstractions/snap_browsers b/abstractions/snap_browsers 
@@ -0,0 +1,42 @@
+profile snap_browsers {
+ include if exists <abstractions/snap_browsers.d>
+ include <abstractions/base>
+ include <abstractions/dbus-session-strict>
+
+ /etc/passwd r,
+ /etc/nsswitch.conf r,
+ /etc/fstab r,
+
+ # noisy
+ deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
+
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
+ /var/lib/snapd/system-key r,
+ /run/snapd.socket rw,
+
+ @{PROC}/version r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+ @{PROC}/sys/kernel/random/uuid r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{HOME}/.snap/auth.json r, # if exists, required
+
+ dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
+ dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
+
+ /sys/kernel/security/apparmor/features/ r,
+
+ # allow launching official browser snaps.
+ /snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
+ /snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
+ /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
+
+ /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+ # add other browsers here
+}
diff --git a/abstractions/ssl_certs b/abstractions/ssl_certs
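Review bot: The new snap_browsers profile mixes tunables with literal paths: `@{PROC}` is used for the /proc rules, but `deny owner /run/user/[0-9]*/gdm/Xauthority r,`, `/run/snapd.socket rw,` and `/sys/kernel/security/apparmor/features/ r,` spell out `/run` and `/sys`, where the X, video and samba hunks in this same commit write `@{run}` and `@{sys}`. Using the tunables keeps the rules correct on systems where those paths are remapped and matches the rest of the tree. One point to confirm: `.../usr/lib/snapd/snap-confine Pix,` falls back to `ix` when no snap-confine profile is loaded, so on such a system the setuid helper would run under this profile; if that fallback is intended, a comment beside the rule would make it explicit.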
@@ -11,20 +11,17 @@ abi <abi/3.0>, - /etc/ssl/ r, - /etc/ssl/certs/ r, - /etc/ssl/certs/* r, - /etc/pki/trust/ r, - /etc/pki/trust/* r, - /etc/pki/trust/anchors/ r, - /etc/pki/trust/anchors/** r, - /usr/share/ca-certificates/ r, - /usr/share/ca-certificates/** r, + /etc/ca-certificates/{,**} r, + /etc/{,libre}ssl/ r, + /etc/{,libre}ssl/cert.pem r, + /etc/{,libre}ssl/certs/{,**} r, + /{etc,usr/share}/pki/bl[ao]cklist/{,*} r, + /{etc,usr/share}/pki/trust/{,*} r, + /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r, + /usr/share/ca-certificates/{,**} r, /usr/share/ssl/certs/ca-bundle.crt r, - /usr/local/share/ca-certificates/ r, - /usr/local/share/ca-certificates/** r, - /var/lib/ca-certificates/ r, - /var/lib/ca-certificates/** r, + /usr/local/share/ca-certificates/{,**} r, + /var/lib/ca-certificates/{,**} r, # acmetool /var/lib/acme/certs/*/chain r, diff --git a/abstractions/svn-repositories b/abstractions/svn-repositories @@ -14,7 +14,7 @@ # it is intended to be included in profiles for svnserve/apache2 and maybe # some repository viewers like trac/viewvc - # no hooks exec by default; please define whatever you need explicitely. + # no hooks exec by default; please define whatever you need explicitly. /srv/svn/**/conf/* r, /srv/svn/**/format r, diff --git a/abstractions/trash b/abstractions/trash 
@@ -0,0 +1,75 @@ +abi <abi/3.0>, + +# requires <tunables/home> + + owner @{HOME}/.config/trashrc rw, + owner @{HOME}/.config/trashrc.lock rwk, + owner @{HOME}/.config/#[0-9]*[0-9] rwk, + owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9], + + owner @{run}/user/@{uid}/#[0-9]*[0-9] rw, + owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9], + + # Home trash location + owner @{HOME}/.local/share/Trash/ rw, + owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw, + owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9], + owner @{HOME}/.local/share/Trash/files/{,**} rw, + owner @{HOME}/.local/share/Trash/info/ rw, + owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw, + owner @{HOME}/.local/share/Trash/expunged/ rw, + owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw, + owner @{HOME}/.local/share/Trash/expunged/[0-9]*/ rw, + owner @{HOME}/.local/share/Trash/expunged/[0-9]*/** rw, + + # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir + owner /media/*/.Trash/ rw, + owner /media/*/.Trash/@{uid}/ rw, + owner /media/*/.Trash/@{uid}/#[0-9]*[0-9] rw, + owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#[0-9]*[0-9], + owner /media/*/.Trash/@{uid}/files/{,**} rw, + owner /media/*/.Trash/@{uid}/info/ rw, + owner /media/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/.Trash/@{uid}/expunged/ rw, + owner /media/*/.Trash/@{uid}/expunged/[0-9]* rw, + owner /media/*/.Trash/@{uid}/expunged/[0-9]*/ rw, + owner /media/*/.Trash/@{uid}/expunged/[0-9]*/** rw, + + # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir + owner /media/*/.Trash-@{uid}/ rw, + owner /media/*/.Trash-@{uid}/#[0-9]*[0-9] rw, + owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#[0-9]*[0-9], + owner /media/*/.Trash-@{uid}/files/{,**} rw, + owner 
/media/*/.Trash-@{uid}/info/ rw, + owner /media/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/.Trash-@{uid}/expunged/ rw, + owner /media/*/.Trash-@{uid}/expunged/[0-9]* rw, + owner /media/*/.Trash-@{uid}/expunged/[0-9]*/ rw, + owner /media/*/.Trash-@{uid}/expunged/[0-9]*/** rw, + + # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir + owner /media/*/*/.Trash/ rw, + owner /media/*/*/.Trash/@{uid}/ rw, + owner /media/*/*/.Trash/@{uid}/#[0-9]*[0-9] rw, + owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#[0-9]*[0-9], + owner /media/*/*/.Trash/@{uid}/files/{,**} rw, + owner /media/*/*/.Trash/@{uid}/info/ rw, + owner /media/*/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/*/.Trash/@{uid}/expunged/ rw, + owner /media/*/*/.Trash/@{uid}/expunged/[0-9]* rw, + owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/ rw, + owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/** rw, + + # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir + owner /media/*/*/.Trash-@{uid}/ rw, + owner /media/*/*/.Trash-@{uid}/#[0-9]*[0-9] rw, + owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#[0-9]*[0-9], + owner /media/*/*/.Trash-@{uid}/files/{,**} rw, + owner /media/*/*/.Trash-@{uid}/info/ rw, + owner /media/*/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, + owner /media/*/*/.Trash-@{uid}/expunged/ rw, + owner /media/*/*/.Trash-@{uid}/expunged/[0-9]* rw, + owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/ rw, + owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/** rw, + + include if exists <abstractions/trash.d> diff --git a/abstractions/ubuntu-browsers b/abstractions/ubuntu-browsers 
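Review bot: The new trash abstraction covers only `/media/*` and `/media/*/*` mount points, so trash directories on volumes mounted elsewhere (on many udisks2-based desktops that is `/run/media/<user>/`, and `/mnt` is common too) get no rules and trashing there would be denied; if that is an accepted limitation, a sentence next to `# Partitions' trash location ...` should say so. The file relies on `@{uid}` throughout while its only declared requirement is `# requires <tunables/home>`; the comment should name whichever tunable actually defines `@{uid}` so the dependency can be checked. It also starts with an unindented `abi <abi/3.0>,` and unindented rules, unlike the crypto and gtk abstractions added in this commit; harmless, but worth aligning.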
@@ -38,3 +38,4 @@ /usr/lib/icecat-*/icecat Cx -> sanitized_helper, /usr/bin/opera Cx -> sanitized_helper, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper, diff --git a/abstractions/ubuntu-browsers.d/ubuntu-integration b/abstractions/ubuntu-browsers.d/ubuntu-integration @@ -28,10 +28,7 @@ /usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper, # Exo-aware applications - /usr/bin/exo-open ixr, - /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr, - /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r, - /etc/xdg/xfce4/helpers.rc r, + include <abstractions/exo-open> # unity webapps integration. Could go in its own abstraction owner /run/user/*/dconf/user rw, diff --git a/abstractions/ubuntu-browsers.d/user-files b/abstractions/ubuntu-browsers.d/user-files @@ -14,6 +14,7 @@ audit deny @{HOME}/.gnome2_private/{,**} mrwkl, audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w, audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, + audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl, # Comment this out if using gpg plugin/addons audit deny @{HOME}/.gnupg/{,**} mrwkl, diff --git a/abstractions/ubuntu-helpers b/abstractions/ubuntu-helpers @@ -36,6 +36,7 @@ profile sanitized_helper { include <abstractions/base> include <abstractions/X> + include if exists <local/ubuntu-helpers> # Allow all networking network inet, 
@@ -72,8 +73,16 @@ profile sanitized_helper { /opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr, /opt/google/chrome{,-beta,-unstable}/google-chrome Pixr, /opt/google/chrome{,-beta,-unstable}/chrome Pixr, + /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr, /opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m, + # The same is needed for Brave + /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr, + /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m, + # Full access / r, /** rwkl, diff --git a/abstractions/video b/abstractions/video @@ -4,8 +4,17 @@ abi <abi/3.0>, # System devices - @{sys}/class/video4linux r, + @{sys}/class/video4linux/ r, @{sys}/class/video4linux/** r, + owner /dev/shm/libv4l-* rw, + /dev/video[0-9]* rw, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r, + @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r, + + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/product_{name,version} r, + @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r, + # Include additions to the abstraction include if exists <abstractions/video.d> diff --git a/abstractions/wayland b/abstractions/wayland @@ -14,5 +14,8 @@ owner @{run}/user/*/wayland-[0-9]* rw, owner @{run}/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw, + #For compositors based on wlroots + owner /dev/shm/wlroots-* rw, + # Include additions to the abstraction include if exists <abstractions/wayland.d> diff --git a/abstractions/wutmp b/abstractions/wutmp 
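Review bot: In the video hunk `/dev/video[0-9]* rw,` turns an abstraction that, at least in the lines shown, previously exposed only sysfs metadata (`@{sys}/class/video4linux/**`) into one that grants read/write access to every V4L2 device node, and without `owner` it does so regardless of who owns the node. Every profile that includes abstractions/video merely to enumerate devices now gets capture access; either a comment making that scope explicit, `# includes capture devices: including this abstraction grants camera access`, or moving the device rule to its own abstraction, would keep the widening from being accidental. The dmi reads added below it (`sys_vendor`, `product_{name,version}`, `board_{vendor,name,version}`) are unrelated to video and deserve their own comment saying what needs them.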
@@ -14,7 +14,8 @@ # some services update wtmp, utmp, and lastlog with per-user # connection information /var/log/lastlog rwk, - /var/log/wtmp wk, + /var/log/wtmp rwk, + /var/log/btmp rwk, @{run}/utmp rwk, # Include additions to the abstraction diff --git a/abstractions/xdg-open b/abstractions/xdg-open @@ -41,7 +41,7 @@ include <abstractions/base> - # for openin with `exo-open` + # for opening with `exo-open` include <abstractions/exo-open> # for opening with `gio open <uri>` diff --git a/local/samba-bgqd b/local/samba-bgqd @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'samba-bgqd' diff --git a/local/samba-dcerpcd b/local/samba-dcerpcd @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'samba-dcerpcd' diff --git a/local/samba-rpcd b/local/samba-rpcd @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'samba-rpcd' diff --git a/local/samba-rpcd-classic b/local/samba-rpcd-classic @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'samba-rpcd-classic' diff --git a/local/samba-rpcd-spoolss b/local/samba-rpcd-spoolss @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'samba-rpcd-spoolss' diff --git a/local/usr.lib.dovecot.director b/local/usr.lib.dovecot.director @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.lib.dovecot.director' diff --git a/local/usr.lib.dovecot.doveadm-server b/local/usr.lib.dovecot.doveadm-server @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.lib.dovecot.doveadm-server' diff --git a/local/usr.lib.dovecot.replicator b/local/usr.lib.dovecot.replicator @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'usr.lib.dovecot.replicator' diff --git a/local/zgrep b/local/zgrep @@ -0,0 +1 @@ +# Site-specific additions and overrides for 'zgrep' diff --git a/lsb_release b/lsb_release @@ -18,7 +18,7 @@ profile lsb_release { /dev/tty rw, /usr/bin/lsb_release r, - /usr/bin/python3.[0-9] mr, + /usr/bin/python3.{1,}[0-9] mr, /etc/debian_version r, /etc/default/apport r, 
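Review bot: The header comment of abstractions/wutmp still names only wtmp, utmp and lastlog while the hunk adds `/var/log/btmp rwk,`; it should read `# some services update wtmp, utmp, btmp, and lastlog with per-user` so readers know the failed-login log is now covered too. btmp is kept root-only under DAC because failed-login records can carry whatever was typed into the username field, and every consumer of this abstraction (smbd and the new samba-rpcd-classic in this same commit) now gets read access on it as far as AppArmor is concerned. If the consumers only append, `/var/log/btmp wk,` would mirror the permission wtmp had before this change; if read is genuinely needed, a short comment saying which service reads it would justify the wider rule.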
@@ -30,6 +30,8 @@ profile lsb_release { /{usr/,}bin/dash ixr, /usr/bin/basename ixr, /usr/bin/dpkg-query ixr, + /usr/bin/cat ixr, + /usr/bin/cut ixr, /usr/bin/getopt ixr, /usr/bin/sed ixr, /usr/bin/tr ixr, diff --git a/nvidia_modprobe b/nvidia_modprobe @@ -54,10 +54,10 @@ profile nvidia_modprobe { # System files /etc/modprobe.d/{,*.conf} r, - /etc/nvidia/current/*.conf r, + /etc/nvidia/{current,legacy*,tesla*}/*.conf r, @{sys}/module/ipmi_devintf/initstate r, @{sys}/module/ipmi_msghandler/initstate r, - @{sys}/module/nvidia/initstate r, + @{sys}/module/{drm,nvidia}/initstate r, @{PROC}/cmdline r, } diff --git a/php-fpm b/php-fpm @@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) { # read the system certificates include <abstractions/ssl_certs> - /etc/php{,5,7}/** r, - capability net_admin, # change user/group of a pool capability setuid, @@ -37,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) { # we need to be able to create all sockets @{run}/php{,-fpm}/php*-fpm.pid rw, + @{run}/php*-fpm.pid rw, @{run}/php{,-fpm}/php*-fpm.sock rwlk, # to reload diff --git a/samba-bgqd b/samba-bgqd @@ -0,0 +1,24 @@ +abi <abi/3.0>, + +include <tunables/global> + +profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd { + include <abstractions/base> + include <abstractions/cups-client> + include <abstractions/nameservice> + include <abstractions/openssl> + include <abstractions/samba> + + signal receive set=term peer=smbd, + + @{PROC}/sys/kernel/core_pattern r, + owner @{PROC}/@{pid}/fd/ r, + + @{run}/{,samba/}samba-bgqd.pid rwk, + + /usr/lib*/samba/{,samba/}samba-bgqd mr, + /var/cache/samba/printing/*.tdb rwk, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/samba-bgqd> +} diff --git a/samba-dcerpcd b/samba-dcerpcd 
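Review bot: The new samba-bgqd profile accepts termination only from smbd (`signal receive set=term peer=smbd,`), yet two parents in this commit carry `Px -> samba-bgqd`: smbd and samba-rpcd-spoolss. Only smbd has a matching `signal send set=term peer=samba-bgqd,`, so if the spoolss helper ever signals the queue daemon the signal is denied; whether it does cannot be seen from the profiles alone, so confirm against audit logs or add a second `signal receive set=term peer=samba-rpcd-spoolss,` with the corresponding send rule in samba-rpcd-spoolss. As a consistency nit, this profile is the only new samba profile without the license header block the others start with.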
@@ -0,0 +1,32 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2022 SUSE LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +abi <abi/3.0>, + +include <tunables/global> + +profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd { + include <abstractions/samba-rpcd> + + @{run}/{,samba/}samba-dcerpcd.pid rwk, + + /usr/lib*/samba/{,samba/}samba-dcerpcd mr, + + /usr/lib*/samba/ r, + /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd, + /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic, + /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss, + + @{run}/samba/ncalrpc/ rw, + @{run}/samba/ncalrpc/** rw, + # Site-specific additions and overrides. See local/README for details. + include if exists <local/samba-dcerpcd> +} diff --git a/samba-rpcd b/samba-rpcd @@ -0,0 +1,24 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2022 SUSE LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +abi <abi/3.0>, + +include <tunables/global> + +profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} { + include <abstractions/samba-rpcd> + /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr, + + @{run}/samba/ncalrpc/np/winreg wr, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/samba-rpcd> +} diff --git a/samba-rpcd-classic b/samba-rpcd-classic 
@@ -0,0 +1,24 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2022 SUSE LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +abi <abi/3.0>, + +include <tunables/global> + +profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic { + include <abstractions/samba-rpcd> + include <abstractions/wutmp> + + /usr/lib*/samba/{,samba/}rpcd_classic mr, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/samba-rpcd-classic> +} diff --git a/samba-rpcd-spoolss b/samba-rpcd-spoolss @@ -0,0 +1,32 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2022 SUSE LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim:syntax=apparmor + +abi <abi/3.0>, + +include <tunables/global> + +profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss { + include <abstractions/samba-rpcd> + + /usr/lib*/samba/{,samba/}rpcd_spoolss mr, + /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd, + /var/cache/samba/printing/ w, + /var/cache/samba/printing/*.tdb rwk, + @{run}/{,samba/}samba-bgqd.pid rk, + + /dev/urandom rw, + + @{run}/samba/ncalrpc/ rw, + @{run}/samba/ncalrpc/** rw, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/samba-rpcd-spoolss> +} diff --git a/sbin.syslog-ng b/sbin.syslog-ng 
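Review bot: `/dev/urandom rw,` in the new samba-rpcd-spoolss profile grants write access where drawing randomness only needs `r`; unless the helper is known to feed seed data into the pool, `/dev/urandom r,` is the least-privilege form, and a comment naming the code path would justify keeping `w` if it is required. The rule also breaks the otherwise alphabetical ordering the rest of the profile follows; moving it next to the other device or run-time rules keeps the file readable.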
@@ -61,6 +61,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng { /{var,var/run,run}/log/journal/ r, /{var,var/run,run}/log/journal/*/ r, /{var,var/run,run}/log/journal/*/*.journal r, + /{var,var/run,run}/log/journal/*.journal r, @{run}/syslog-ng.ctl a, @{run}/syslog-ng/additional-log-sockets.conf r, diff --git a/sbin.syslogd b/sbin.syslogd @@ -30,12 +30,17 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd { /dev/log wl, /var/lib/*/dev/log wl, + /dev/kmsg r, + /proc/kmsg r, /dev/tty* w, /dev/xconsole rw, /etc/syslog.conf r, + /etc/syslog.d/ r, + /etc/syslog.d/* r, /{usr/,}{bin,sbin}/syslogd rmix, /var/log/** rw, + @{run}/syslog.pid krwl, @{run}/syslogd.pid krwl, @{run}/utmp rw, /var/spool/compaq/nic/messages_fifo rw, diff --git a/tunables/etc b/tunables/etc @@ -13,11 +13,15 @@ # with the goal of having only user-modified config files in /etc/, directories # like /usr/etc/ get introduced for storing the default config. -# @{etc_ro} contains read-only directories with configuration files. +# @{etc_ro} contains directories with configuration files, including read-only directories. # Do not use @{etc_ro} in rules that allow write access. @{etc_ro}=/etc/ /usr/etc/ # @{etc_rw} contains directories where writing to configuration files is allowed. +# @{etc_rw} should always be a subset of @{etc_ro}. +# +# Only use @{etc_rw} if the profile allows writing to a configuration file. +# For rules that only allows read access, use @{etc_ro}. @{etc_rw}=/etc/ # Also, include files in tunables/etc.d/ for site-specific adjustments to diff --git a/tunables/home b/tunables/home 
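Review bot: `/proc/kmsg r,` in the syslogd hunk hard-codes the proc mount while the rest of this profile and the repository use the tunable (the same profile already writes `@{run}/syslog.pid`); `@{PROC}/kmsg r,` keeps it consistent and honours a relocated proc. The companion `/dev/kmsg r,` is fine as written. A one-line comment above the pair, e.g. `# kernel ring buffer (klogd functionality)`, would state why a syslog daemon reads the kernel log.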
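Review bot: The new guidance comment in tunables/etc has a grammar slip: `# For rules that only allows read access, use @{etc_ro}.` should read `# For rules that only allow read access, use @{etc_ro}.`. The added sentence `# @{etc_rw} should always be a subset of @{etc_ro}.` is the useful invariant here; it would be stronger as a rule readers can act on, e.g. `# @{etc_rw} must always be a subset of @{etc_ro}; do not add a directory to @{etc_rw} that is missing from @{etc_ro}.`.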
@@ -9,17 +9,17 @@ # # ------------------------------------------------------------------ +# @{HOMEDIRS} is a space-separated list of where user home directories +# are stored, for programs that must enumerate all home directories on a +# system. +@{HOMEDIRS}=/home/ + # @{HOME} is a space-separated list of all user home directories. While # it doesn't refer to a specific home directory (AppArmor doesn't # enforce discretionary access controls) it can be used as if it did # refer to a specific home directory @{HOME}=@{HOMEDIRS}/*/ /root/ -# @{HOMEDIRS} is a space-separated list of where user home directories -# are stored, for programs that must enumerate all home directories on a -# system. -@{HOMEDIRS}=/home/ - # Also, include files in tunables/home.d for site-specific adjustments to # @{HOMEDIRS}. include <tunables/home.d> diff --git a/usr.lib.dovecot.director b/usr.lib.dovecot.director @@ -0,0 +1,27 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 SUSE LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor + +include <tunables/global> + +profile dovecot-director /usr/lib/dovecot/director flags=(attach_disconnected) { + include <abstractions/base> + include <abstractions/dovecot-common> + include <abstractions/nameservice> + + capability setuid, + capability sys_chroot, + + /run/dovecot/login/proxy-notify rw, + /usr/lib/dovecot/director mr, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/usr.lib.dovecot.director> +} diff --git a/usr.lib.dovecot.doveadm-server b/usr.lib.dovecot.doveadm-server 
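Review bot: The new usr.lib.dovecot.director profile declares no `abi <abi/3.0>,` line, whereas every samba profile added by the same commit starts with one; the same applies to usr.lib.dovecot.doveadm-server and usr.lib.dovecot.replicator. Without an abi declaration the parser falls back to the older compatibility abi and, as far as I recall, rules for mediation classes the old abi lacks are then not enforced — which would matter for the `network unix stream,` rule in the replicator profile — so adding `abi <abi/3.0>,` before `include <tunables/global>` in all three files, or confirming the fallback is intended, is worth doing. Separately, `/run/dovecot/login/proxy-notify rw,` hard-codes `/run` while the replicator profile in this commit writes `/{,var/}run/dovecot/auth-master rw,` and the rest of the repository uses the tunable; `@{run}/dovecot/login/proxy-notify rw,` keeps the three consistent.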
@@ -0,0 +1,22 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 SUSE LLC +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor + +include <tunables/global> + +profile dovecot-doveadm-server /usr/lib/dovecot/doveadm-server flags=(attach_disconnected) { + include <abstractions/base> + include <abstractions/dovecot-common> + + /usr/lib/dovecot/doveadm-server mr, + + # Site-specific additions and overrides. See local/README for details. + include if exists <local/usr.lib.dovecot.doveadm-server> +} diff --git a/usr.lib.dovecot.imap b/usr.lib.dovecot.imap @@ -21,7 +21,6 @@ profile dovecot-imap /usr/lib/dovecot/imap { include <abstractions/dovecot-common> capability setuid, - deny capability block_suspend, network unix stream, @@ -36,6 +35,7 @@ profile dovecot-imap /usr/lib/dovecot/imap { owner /tmp/dovecot.imap.* rw, @{PROC}/@{pid}/attr/{apparmor/,}current rw, + @{PROC}/@{pid}/stat r, /usr/bin/doveconf rix, /usr/lib/dovecot/imap mrix, /usr/share/dovecot/** r, diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp @@ -31,6 +31,8 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp { @{HOME}/.dovecot.svbin r, @{PROC}/@{pid}/attr/{apparmor/,}current rw, + owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/stat r, @{PROC}/*/mounts r, /tmp/dovecot.lmtp.* rw, /usr/lib/dovecot/lmtp mr, diff --git a/usr.lib.dovecot.pop3 b/usr.lib.dovecot.pop3 @@ -26,6 +26,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 { @{DOVECOT_MAILSTORE}/** rwkl, @{HOME} r, # ??? + @{PROC}/@{pid}/stat r, /usr/lib/dovecot/pop3 mr, # Site-specific additions and overrides. See local/README for details. diff --git a/usr.lib.dovecot.replicator b/usr.lib.dovecot.replicator 
@@ -0,0 +1,36 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2020 SUSE LLC +# Copyright (C) 2009-2010 Canonical Ltd. +# Copyright (C) 2011-2013 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ +# vim: ft=apparmor +# for https://wiki.dovecot.org/Replication + +include <tunables/dovecot> +include <tunables/global> + +profile dovecot-replicator /usr/lib/dovecot/replicator { + include <abstractions/base> + include <abstractions/dovecot-common> + include <abstractions/nameservice> + + network unix stream, + + /etc/dovecot/conf.d/ r, + /etc/dovecot/conf.d/** r, + /etc/dovecot/dovecot.conf r, + /usr/lib/dovecot/replicator mr, + /usr/share/dovecot/** r, + /{,var/}run/dovecot/auth-master rw, + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwlk, + /var/lib/dovecot/replicator.db rw, + # Site-specific additions and overrides. See local/README for details. + include if exists <local/usr.lib.dovecot.replicator> +} diff --git a/usr.lib.dovecot.stats b/usr.lib.dovecot.stats @@ -20,6 +20,10 @@ profile dovecot-stats /usr/lib/dovecot/stats { capability setuid, capability sys_chroot, + # for metrics end-point (Prometheus) + network inet stream, + network inet6 stream, + /usr/lib/dovecot/stats mr, # Site-specific additions and overrides. See local/README for details. diff --git a/usr.sbin.avahi-daemon b/usr.sbin.avahi-daemon @@ -1,7 +1,7 @@ abi <abi/3.0>, include <tunables/global> -profile avahi-daemon /usr/{bin,sbin}/avahi-daemon { +profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) { include <abstractions/base> include <abstractions/consoles> include <abstractions/dbus> 
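Review bot: The two rules added to usr.lib.dovecot.stats, `network inet stream,` and `network inet6 stream,`, permit any TCP socket use by the stats process, not only serving the metrics endpoint, because AppArmor network rules of this form do not carry an address or port. That is a reasonable trade-off for a metrics listener, but the comment should say so rather than imply the rule is scoped, e.g. `# for metrics end-point (Prometheus); network rules cannot pin this to the listening port, so any TCP use is allowed`. If the endpoint is only ever bound locally, documenting the expected listen address in the same comment helps whoever audits the denial logs later.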
@@ -22,6 +22,9 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon { /etc/avahi/services/ r, /etc/avahi/services/*.service r, @{PROC}/@{pid}/fd/ r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, /usr/{bin,sbin}/avahi-daemon mr, /usr/share/avahi/introspection/*.introspect r, /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r, diff --git a/usr.sbin.dnsmasq b/usr.sbin.dnsmasq @@ -70,8 +70,6 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { # access to iface mtu needed for Router Advertisement messages in IPv6 # Neighbor Discovery protocol (RFC 2461) @{PROC}/sys/net/ipv6/conf/*/mtu r, - # closing superfluous file descriptors scans /proc/self/fd/ to find open ones - @{PROC}/@{pid}/fd/ r, # for the read-only TFTP server @{TFTP_DIR}/ r, @@ -109,18 +107,27 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { @{run}/NetworkManager/dnsmasq.pid w, @{run}/NetworkManager/NetworkManager.pid w, + # dnsname plugin in podman + @{run}/containers/cni/dnsname/*/dnsmasq.conf r, + @{run}/containers/cni/dnsname/*/addnhosts r, + @{run}/containers/cni/dnsname/*/pidfile rw, + owner @{run}/user/*/containers/cni/dnsname/*/dnsmasq.conf r, + owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r, + owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw, + + # waydroid lxc-net pid file + @{run}/waydroid-lxc/dnsmasq.pid rw, + profile libvirt_leaseshelper { include <abstractions/base> /etc/libnl-3/classid r, - /usr/lib{,64}/libvirt/libvirt_leaseshelper m, - /usr/libexec/libvirt_leaseshelper m, + /usr/lib{,64}/libvirt/libvirt_leaseshelper mr, + /usr/libexec/libvirt_leaseshelper mr, owner @{PROC}/@{pid}/net/psched r, - owner @{PROC}/@{pid}/status r, - @{sys}/devices/system/cpu/ r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/*/meminfo r, diff --git a/usr.sbin.dovecot b/usr.sbin.dovecot 
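Review bot: `@{PROC}/1/environ r,` in the avahi-daemon hunk is an unusual grant for a network service and arrives without a comment; the environment of PID 1 is not something a mDNS responder obviously needs, and DAC normally limits it to root, so a reader cannot tell whether this is an intended dependency or a denial that was simply allowed through. Please add a why-comment naming the code path, e.g. `# avahi reads PID 1's environment (presumably to detect the init system) — confirm and drop if not needed`, and treat the neighbouring `@{PROC}/cmdline r,` and `@{PROC}/sys/kernel/osrelease r,` the same way. The enclosing avahi-daemon profile continues outside the hunk.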
@@ -33,8 +33,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) { capability sys_chroot, capability sys_resource, - signal send set=(int,quit,term) peer=/usr/lib/dovecot/*, - signal send set=(int,quit,term) peer=dovecot-*, + signal send peer=/usr/lib/dovecot/*, + signal send peer=dovecot-*, unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil), unix (receive, send) type=stream peer=(label=dovecot-anvil), @@ -50,6 +50,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) { /usr/lib/dovecot/auth mrPx, /usr/lib/dovecot/config mrPx, /usr/lib/dovecot/dict mrPx, + /usr/lib/dovecot/director mrPx, + /usr/lib/dovecot/doveadm-server mrPx, /usr/lib/dovecot/dovecot-auth Pxmr, /usr/lib/dovecot/imap Pxmr, /usr/lib/dovecot/imap-login Pxmr, @@ -59,11 +61,13 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) { /usr/lib/dovecot/managesieve-login Pxmr, /usr/lib/dovecot/pop3 mrPx, /usr/lib/dovecot/pop3-login Pxmr, + /usr/lib/dovecot/replicator mrPx, /usr/lib/dovecot/script-login Px, /usr/lib/dovecot/ssl-build-param rix, /usr/lib/dovecot/ssl-params mrPx, /usr/lib/dovecot/stats Px, /usr/{bin,sbin}/dovecot mrix, + /usr/share/dovecot/dh.pem r, /usr/share/dovecot/protocols.d/ r, /usr/share/dovecot/protocols.d/** r, /var/lib/dovecot/ w, diff --git a/usr.sbin.nmbd b/usr.sbin.nmbd @@ -13,9 +13,6 @@ profile nmbd /usr/{bin,sbin}/nmbd { /usr/{bin,sbin}/nmbd mr, - /var/cache/samba/gencache.tdb rwk, - /var/cache/samba/gencache_notrans.tdb rwk, - /var/cache/samba/names.tdb rwk, /var/{cache,lib}/samba/browse.dat* rw, /var/{cache,lib}/samba/gencache.dat rw, /var/{cache,lib}/samba/wins.dat* rw, diff --git a/usr.sbin.nscd b/usr.sbin.nscd @@ -23,6 +23,7 @@ profile nscd /usr/{bin,sbin}/nscd { capability setgid, capability setuid, + /etc/machine-id r, /etc/netgroup r, /etc/nscd.conf r, /usr/{bin,sbin}/nscd rmix, 
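Review bot: The first dovecot hunk widens `signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,` and its `dovecot-*` twin to `signal send peer=...` with no `set=`, so the master may now deliver every signal, including `kill`, `stop` and the real-time signals, to its children. If the change was prompted by specific additional signals seen in denial logs (presumably things like `hup` or `usr1`, which I cannot confirm from here), listing them in `set=(...)` keeps the least-privilege shape; if unrestricted really is intended, a comment above the two rules saying so would stop the next reviewer re-tightening it. The enclosing dovecot profile continues outside the hunk.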
@@ -30,7 +31,7 @@ profile nscd /usr/{bin,sbin}/nscd { @{run}/nscd/ rw, @{run}/nscd/db* rwl, @{run}/nscd/socket wl, - /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw, + /{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw, @{run}/{nscd/,}nscd.pid rwl, /var/lib/libvirt/dnsmasq/ r, /var/lib/libvirt/dnsmasq/*.status r, @@ -40,6 +41,13 @@ profile nscd /usr/{bin,sbin}/nscd { @{PROC}/@{pid}/fd/* r, @{PROC}/@{pid}/mounts r, + # systemd-userdb + /{etc,run,run/host,/usr/lib}/userdb/ r, + /{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r, + + # needed by unscd + @{run}/systemd/notify w, + # Site-specific additions and overrides. See local/README for details. include if exists <local/usr.sbin.nscd> } diff --git a/usr.sbin.ntpd b/usr.sbin.ntpd @@ -17,6 +17,7 @@ profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) { include <abstractions/base> include <abstractions/nameservice> include <abstractions/openssl> + include <abstractions/ssl_certs> include <abstractions/xad> capability dac_override, diff --git a/usr.sbin.smbd b/usr.sbin.smbd @@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd { include <abstractions/consoles> include <abstractions/cups-client> include <abstractions/nameservice> + include <abstractions/openssl> include <abstractions/samba> include <abstractions/user-tmp> include <abstractions/wutmp> @@ -24,6 +25,8 @@ profile smbd /usr/{bin,sbin}/smbd { capability sys_resource, capability sys_tty_config, + signal send set=term peer=samba-bgqd, + /etc/mtab r, /etc/netgroup r, /etc/printcap r, 
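Review bot: The systemd-userdb rules added to usr.sbin.nscd expand their last alternative to `//usr/lib/userdb/`, because `{etc,run,run/host,/usr/lib}` carries a leading slash on `/usr/lib` while the pattern already starts with `/`; unless the parser collapses the double slash (I would not rely on it), the `/usr/lib/userdb/` location is never matched and lookups there are denied. The intended form is `/{etc,run,run/host,usr/lib}/userdb/ r,` and `/{etc,run,run/host,usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,`. The enclosing nscd profile continues outside the hunk.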
@@ -35,27 +38,35 @@ profile smbd /usr/{bin,sbin}/smbd { /usr/lib*/samba/charset/*.so mr, /usr/lib*/samba/gensec/*.so mr, /usr/lib*/samba/pdb/*.so mr, + /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd, + /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd, /usr/lib*/samba/{lowcase,upcase,valid}.dat r, /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr, /usr/lib/@{multiarch}/samba/**/ r, /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr, + /usr/share/samba/** r, /usr/{bin,sbin}/smbd mr, /usr/{bin,sbin}/smbldap-useradd Px, /var/cache/samba/** rwk, /var/{cache,lib}/samba/printing/printers.tdb mrw, + /var/lib/nscd/netgroup r, /var/lib/samba/** rwk, /var/lib/sss/pubconf/kdcinfo.* r, @{run}/dbus/system_bus_socket rw, - @{run}/smbd.pid rwk, + @{run}/{,samba/}smbd.pid rwk, @{run}/samba/** rk, @{run}/samba/ncalrpc/ rw, @{run}/samba/ncalrpc/** rw, - @{run}/samba/smbd.pid rw, /var/spool/samba/** rw, @{HOMEDIRS}/** lrwk, /var/lib/samba/usershares/{,**} lrwk, + # Permissions for all configured shares (file autogenerated by + # update-apparmor-samba-profile on service startup on Debian and openSUSE) + include if exists <samba/smbd-shares> + include if exists <local/usr.sbin.smbd-shares> + # Site-specific additions and overrides. See local/README for details. include if exists <local/usr.sbin.smbd> } diff --git a/usr.sbin.winbindd b/usr.sbin.winbindd @@ -6,6 +6,7 @@ profile winbindd /usr/{bin,sbin}/winbindd { include <abstractions/base> include <abstractions/nameservice> include <abstractions/samba> + include <abstractions/kerberosclient> deny capability block_suspend, 
@@ -26,9 +27,10 @@ profile winbindd /usr/{bin,sbin}/winbindd { /usr/lib*/samba/idmap/*.so mr, /usr/lib*/samba/nss_info/*.so mr, /usr/lib*/samba/pdb/*.so mr, + /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd, /usr/{bin,sbin}/winbindd mr, /var/cache/krb5rcache/* rwk, - /var/cache/samba/*.tdb rwk, + /var/lib/sss/pubconf/kdcinfo.* r, /var/log/samba/log.winbindd rw, @{run}/{samba/,}winbindd.pid rwk, @{run}/samba/winbindd/ rw, diff --git a/zgrep b/zgrep @@ -0,0 +1,66 @@ +# ------------------------------------------------------------------ +# +# Copyright (C) 2022 Christian Boltz +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# ------------------------------------------------------------------ + +abi <abi/3.0>, + +include <tunables/global> + +profile zgrep /usr/bin/{x,}zgrep { + include <abstractions/base> + include <abstractions/bash> + + /dev/tty rw, + /usr/bin/{ba,da,}sh ix, + /usr/bin/bzip2 Cx -> helper, + /usr/bin/cat ix, + /usr/bin/egrep Cx -> helper, + /usr/bin/expr ix, + /usr/bin/fgrep Cx -> helper, + /usr/bin/grep Cx -> helper, + /usr/bin/gzip Cx -> helper, + /usr/bin/mktemp ix, + /usr/bin/rm ix, + /usr/bin/sed Cx -> sed, + /usr/bin/xz Cx -> helper, + /usr/bin/xzgrep r, + /usr/bin/zgrep Cx -> helper, + /usr/bin/zstd Cx -> helper, + owner /tmp/zgrep* rw, + /usr/bin/zgrep r, + + include if exists <local/zgrep> + + profile helper { + include <abstractions/base> + + capability dac_override, + capability dac_read_search, + + /dev/tty w, + + /usr/bin/{ba,da,}sh ix, + /usr/bin/bzip2 mr, + /usr/bin/grep mrix, + /usr/bin/gzip mr, + /usr/bin/xz mr, + /usr/bin/zstd mr, + /{,**} r, + + } + + profile sed { + include <abstractions/base> + + /dev/tty rw, + /usr/bin/{ba,da,}sh ix, + /usr/bin/sed mr, + + } +}
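Review bot: In the new zgrep profile the `include if exists <local/zgrep>` line sits mid-profile, before the `helper` and `sed` children, and lacks the `# Site-specific additions and overrides. See local/README for details.` comment that every other profile in this commit places immediately before its closing brace; moving it there keeps the repository's layout uniform. The `helper` child combines `capability dac_override,`, `capability dac_read_search,` and `/{,**} r,`, which is what lets a root-run zgrep read any file but also means a compromised grep in that child can read anything on the system; a one-line comment such as `# grep/decompressors may read any file the user passes, including DAC-protected ones when run as root` would record that this breadth is deliberate. Also, `/usr/bin/zgrep r,` duplicates the path already granted by `/usr/bin/zgrep Cx -> helper,` on the same file, so one of the two can go.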