diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index e9809d1c7..f82e89fb4 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -19,8 +19,8 @@ include profile sshd @{exec_path} flags=(attach_disconnected) { include include - include include + include include include include diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 0b0e4183c..20461b819 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{,usr/}bin/loginctl +@{exec_path} = @{bin}/loginctl profile loginctl @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index cab332e02..2aae28159 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}{,local/}bin/btop +@{exec_path} = @{bin}/btop profile btop @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index 6f61f072f..124b29d2c 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -1,16 +1,17 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}bin/host +@{exec_path} = @{bin}/host profile host @{exec_path} { include include - include include + include network inet dgram, network inet6 dgram, @@ -21,5 +22,7 @@ profile host @{exec_path} { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + include if exists } diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index c096573b8..fbb7198b3 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd 
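Review bot: Changing `@{exec_path}` from `/{,usr/}{,local/}bin/btop` to `@{bin}/btop` drops the `/usr/local/bin/btop` attachment unless `@{bin}` is defined to cover `local/`, and a btop installed there would then run unconfined. The rustdesk hunk later in this same patch keeps `/{,usr/}{,local/}bin/rustdesk rPx` unconverted while every neighbouring `/{,usr/}bin/...` path becomes `@{bin}/...`, which suggests `@{bin}` does not include the local prefix. If the local install path is still wanted, keep it explicit, e.g. `@{exec_path} = @{bin}/btop /usr/local/bin/btop`, or confirm that the tunables definition of `@{bin}` already matches it. The profile body continues outside the hunk.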
@@ -1,14 +1,15 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only include -@{exec_path} = /{,usr/}{,s}bin/murmurd +@{exec_path} = @{bin}/murmurd profile murmurd @{exec_path} { include + include include include - include include capability chown, @@ -31,7 +32,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - /{,usr/}bin/lsb_release Px -> lsb_release, + @{bin}/lsb_release rPx -> lsb_release, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/nvidia-detector b/apparmor.d/profiles-m-r/nvidia-detector index 4b9124d3d..49b0171d0 100644 --- a/apparmor.d/profiles-m-r/nvidia-detector +++ b/apparmor.d/profiles-m-r/nvidia-detector @@ -1,15 +1,16 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}bin/nvidia-detector +@{exec_path} = @{bin}/nvidia-detector profile nvidia-detector @{exec_path} { include - @{exec_path} r, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-persistenced b/apparmor.d/profiles-m-r/nvidia-persistenced index ad5a83ce9..c0dffed55 100644 --- a/apparmor.d/profiles-m-r/nvidia-persistenced +++ b/apparmor.d/profiles-m-r/nvidia-persistenced @@ -1,21 +1,22 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}bin/nvidia-persistenced +@{exec_path} = @{bin}/nvidia-persistenced profile nvidia-persistenced @{exec_path} { include - include include + include capability chown, capability setgid, capability setuid, - @{exec_path} r, + @{exec_path} mr, /etc/netconfig r, diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index a8da63993..1dc1b249d 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree 
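Review bot: murmurd is the only profile touched by this patch whose header has no `abi` declaration before its `include` of the tunables; every other `@@ -1` hunk here shows `abi , include` (the angle-bracketed arguments were lost in extraction). Without a pinned ABI the parser compiles the profile against its default feature set, which may differ from the rest of the set and, depending on kernel and parser configuration, silently change which rule classes are actually enforced. Since the hunk already rewrites the header, adding the same `abi` line the sibling profiles use (presumably `abi <abi/3.0>,`) would keep it consistent. The profile body continues outside the hunk.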
@@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}bin/pstree +@{exec_path} = @{bin}/pstree profile pstree @{exec_path} flags=(attach_disconnected) { include include @@ -18,11 +19,11 @@ profile pstree @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{PROC} r, - @{PROC}/uptime r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 3811ff9ac..57fec09cf 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -1,24 +1,26 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}bin/remmina +@{exec_path} = @{bin}/remmina profile remmina @{exec_path} { include - include - include + include + include + include + include include include - include - include include - include - include - include - include + include + include + include + include + include network inet stream, network inet6 stream, 
@@ -112,33 +114,27 @@ profile remmina @{exec_path} { @{exec_path} r, + /usr/share/remmina/{,**} r, + /usr/share/themes/{,**} r, + /etc/timezone r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, - /usr/share/remmina/{,**} r, + /etc/gtk-3.0/settings.ini r, + + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{user_cache_dirs}/remmina/{,**} rw, owner @{user_config_dirs}/autostart/remmina-applet.desktop r, - owner @{user_config_dirs}/gtk-3.0/bookmarks r, owner @{user_config_dirs}/freerdp/known_hosts2 rwk, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, owner @{user_config_dirs}/remmina/{,**} rw, owner @{user_share_dirs}/remmina/{,**} rw, - owner @{user_cache_dirs}/remmina/{,**} rw, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/mountinfo r, owner @{run}/user/@{uid}/keyring/ssh rw, - # gtk-tiny - /etc/gtk-3.0/settings.ini r, - /usr/share/themes/{,**} r, - - # X-tiny - owner @{HOME}/.Xauthority r, - owner @{HOME}/.xsession-errors w, - unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"), - /etc/X11/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 516e90be4..ca4a91b53 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -50,15 +50,15 @@ profile rustdesk @{exec_path} { @{exec_path} mrix, - /{,usr/}bin/w rPx, - /{,usr/}bin/ps rPx, - /{,usr/}bin/whoami rPx, - /{,usr/}bin/loginctl rPx, - /{,usr/}bin/curl rix, - /{,usr/}bin/ls rix, + @{bin}/w rPx, + @{bin}/ps rPx, + @{bin}/whoami rPx, + @{bin}/loginctl rPx, + @{bin}/curl rix, + @{bin}/ls rix, - /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python, - /{,usr/}bin/{,ba,da}sh rPx -> rustdesk_shell, + @{bin}/python3.[0-9]* rPx -> rustdesk_python, + @{bin}/{,ba,da}sh rPx -> rustdesk_shell, /etc/gdm{,3}/custom.conf r, 
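Review bot: `@{exec_path} r,` at the top of this hunk leaves remmina without the `m` permission that this same patch adds to nvidia-detector and nvidia-persistenced (`@{exec_path} mr,`); if remmina is a native binary rather than an interpreted script, mapping the executable at program start needs it, so the line should probably read `@{exec_path} mr,`. Separately, the re-added `owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,` grants read access to every file in the user's SSH directory, private keys included; a one-line comment stating why remmina needs it (SSH tunnelling or key-based login, presumably) would help a later reviewer judge whether a narrower pattern is possible. The profile begins before this hunk.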
@@ -122,8 +122,8 @@ profile rustdesk @{exec_path} { # deny /etc/passwd r, # It's possible to disable root-based service ('systemctl disable rustdesk.service') and use RD only on-demand (or as client-only). After that, sudo isn't necessary. -# deny /{,usr/}bin/sudo x, - /{,usr/}bin/sudo rCx -> sudo, +# deny @{bin}/sudo x, + @{bin}/sudo rCx -> sudo, profile sudo { include include @@ -138,7 +138,7 @@ profile rustdesk @{exec_path} { network netlink raw, - /{,usr/}bin/sudo r, + @{bin}/sudo r, /etc/sudo.conf r, /etc/sudoers r, @@ -161,7 +161,7 @@ profile rustdesk @{exec_path} { owner @{PROC}/@{pid}/fd/ r, /{,usr/}{,local/}bin/rustdesk rPx, - /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python, + @{bin}/python3.[0-9]* rPx -> rustdesk_python, include if exists } @@ -185,11 +185,11 @@ profile rustdesk_python { capability dac_read_search, capability dac_override, - /{,usr/}bin/python3.[0-9]* r, + @{bin}/python3.[0-9]* r, - /{,usr/}bin/{,ba,da}sh rix, - /{,usr/}bin/chmod rix, - /{,usr/}bin/uname rPx, + @{bin}/{,ba,da}sh rix, + @{bin}/chmod rix, + @{bin}/uname rPx, /usr/share/rustdesk/files/pynput_service.py rPx, /usr/local/lib/python3.[0-9]*/dist-packages/pynput/{,**} r, @@ -218,16 +218,16 @@ profile rustdesk_shell { ptrace (read), - /{,usr/}bin/{,ba,da}sh r, + @{bin}/{,ba,da}sh r, - /{,usr/}bin/tr rix, - /{,usr/}bin/{,e}grep rix, - /{,usr/}bin/tail rix, - /{,usr/}bin/xargs rix, - /{,usr/}bin/sed rix, - /{,usr/}bin/cat rix, + @{bin}/tr rix, + @{bin}/{,e}grep rix, + @{bin}/tail rix, + @{bin}/xargs rix, + @{bin}/sed rix, + @{bin}/cat rix, - /{,usr/}bin/ps rPx, + @{bin}/ps rPx, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/environ r, diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 27b390dee..920e5e52a 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss 
@@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}bin/ss +@{exec_path} = @{bin}/ss profile ss @{exec_path} { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 8c3f0d107..a71f30211 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -3,39 +3,23 @@ acpid attach_disconnected,complain agetty complain -akonadi_agent_launcher complain -akonadi_agent_server complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain -akonadi_ews_resource complain -akonadi_ewsmta_resource complain +akonadi_contacts_resource complain +akonadi_control complain akonadi_followupreminder_agent complain -akonadi_google_resource complain akonadi_ical_resource complain -akonadi_icaldir_resource complain -akonadi_imap_resource complain akonadi_indexing_agent complain -akonadi_knut_resource complain -akonadi_kolab_resource complain akonadi_maildir_resource complain akonadi_maildispatcher_agent complain akonadi_mailfilter_agent complain akonadi_mailmerge_agent complain -akonadi_mbox_resource complain akonadi_migration_agent complain -akonadi_mixedmaildir_resource complain akonadi_newmailnotifier_agent complain akonadi_notes_agent complain -akonadi_notes_resource complain -akonadi_openxchange_resource complain -akonadi_pop3_resource complain -akonadi_rds complain akonadi_sendlater_agent complain -akonadi_tomboynotes_resource complain akonadi_unifiedmailbox_agent complain -akonadi_vcard_resource complain -akonadi_vcarddir_resource complain anacron complain atd complain atril-previewer complain @@ -50,6 +34,7 @@ avahi-set-host-name complain baloo complain busctl complain cc-remote-login-helper complain +kiod5 complain cfdisk complain cgdisk complain child-open complain 
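Review bot: Dropping the eighteen `akonadi_*` entries from this list means that, if those profiles still exist in the tree, they switch from complain to enforce mode the next time the flags are applied, which is a behaviour change rather than housekeeping. If the profiles were deleted or merged (the new `akonadi_control` and `akonadi_contacts_resource` entries hint at a reshuffle) that is fine, but the commit message should say so; otherwise keep the entries until each profile has been verified in enforce mode.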
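Review bot: `kiod5 complain` is inserted between `cc-remote-login-helper` and `cfdisk`, breaking the alphabetical order the rest of this file keeps (the `epiphany-webapp-provider` line added later in the patch is placed correctly). Move it to the `k` section so duplicate and stale entries stay easy to spot, by eye or with `sort -c`.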
@@ -89,6 +74,7 @@ dolphin complain
 downloadhelper complain
 drkonqi complain
 e2fsck complain
+epiphany-webapp-provider complain
 etckeeper complain
 evince complain
 evince-previewer complain