Hi, intrigeri: > I've upgraded my system to 4.14 and had to adjust no less than 7 profiles > *after* applying Christian's patch to abstractions/nameservice.
> They're spread over multiple source packages but I figured it would be > nice to at least share my tweaks (attached) so anyone affected can > temporarily apply them locally, and everyone who wants can start > pushing them to the correct upstream / source package. Here's a more up-to-date dump. The torbrowser profile changes probably need to be redone (somewhat from scratch) on top of the one that's in sid: I'm not running the profile shipped in Debian currently, but something stricter that I've sent a PR upstream for. Other than that, everything in there should be ready to be pushed to the relevant place. Cheers, -- intrigeri
diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor index 15601a4a..5e494adc 100644 --- a/apparmor.d/abstractions/tor +++ b/apparmor.d/abstractions/tor @@ -6,6 +6,8 @@ network tcp, network udp, + network unix dgram, + capability chown, capability dac_read_search, capability fowner, diff --git a/apparmor.d/libvirt/TEMPLATE.qemu b/apparmor.d/libvirt/TEMPLATE.qemu index c2f6aa2e..e11b6219 100644 --- a/apparmor.d/libvirt/TEMPLATE.qemu +++ b/apparmor.d/libvirt/TEMPLATE.qemu @@ -7,6 +7,8 @@ profile LIBVIRT_TEMPLATE flags=(attach_disconnected) { #include <abstractions/libvirt-qemu> + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + --- a/apparmor.d/sbin.dhclient +++ b/apparmor.d/sbin.dhclient @@ -16,6 +16,9 @@ profile dhclient /{usr/,}sbin/dhclient { network packet, network raw, + network unix dgram, + network unix stream, + @{PROC}/[0-9]*/net/ r, @{PROC}/[0-9]*/net/** r, diff --git a/apparmor.d/torbrowser.Browser.firefox b/apparmor.d/torbrowser.Browser.firefox index 1d6421e7..0548cc00 100644 --- a/apparmor.d/torbrowser.Browser.firefox +++ b/apparmor.d/torbrowser.Browser.firefox @@ -10,8 +10,15 @@ # @{HOME}/ r, #dbus, + network netlink raw, network tcp, + network unix seqpacket, + + ptrace (trace) peer=torbrowser_plugin_container, + + signal (send) set=("term") peer=torbrowser_plugin_container, + deny /etc/host.conf r, deny /etc/hosts r, deny /etc/nsswitch.conf r, diff --git a/apparmor.d/torbrowser.Browser.plugin-container b/apparmor.d/torbrowser.Browser.plugin-container index 12140448..5169f866 100644 --- a/apparmor.d/torbrowser.Browser.plugin-container +++ b/apparmor.d/torbrowser.Browser.plugin-container @@ -13,6 +13,10 @@ profile torbrowser_plugin_container { # owner @{PROC}/@{pid}/fd/ r, # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw, + signal (receive) set=("term") peer=/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox, + + unix (receive, send) type=seqpacket, + deny /etc/host.conf r, deny /etc/hosts r, deny /etc/nsswitch.conf r, @@ -24,6 +28,9 @@ profile torbrowser_plugin_container { deny /etc/machine-id r, deny /var/lib/dbus/machine-id r, + /etc/mime.types r, + /usr/share/applications/gnome-mimeapps.list r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/status r, diff --git a/apparmor.d/usr.bin.pulseaudio b/apparmor.d/usr.bin.pulseaudio index 20d5bc25..2817ab55 100644 --- a/apparmor.d/usr.bin.pulseaudio +++ b/apparmor.d/usr.bin.pulseaudio @@ -25,6 +25,8 @@ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), ptrace (read,trace) peer=@{profile_name}, + network unix dgram, + /usr/bin/pulseaudio mixr, /etc/pulse/ r, diff --git a/apparmor.d/usr.sbin.cupsd b/apparmor.d/usr.sbin.cupsd index 053d1c1f..ca884e2d 100644 --- a/apparmor.d/usr.sbin.cupsd +++ b/apparmor.d/usr.sbin.cupsd @@ -47,6 +47,8 @@ network econet dgram, network ash dgram, + network unix stream, + /{usr/,}bin/bash ixr, /{usr/,}bin/dash ixr, /{usr/,}bin/hostname ixr, diff --git a/apparmor.d/usr.sbin.haveged b/apparmor.d/usr.sbin.haveged index 0e611388..ad1bee6d 100644 --- a/apparmor.d/usr.sbin.haveged +++ b/apparmor.d/usr.sbin.haveged @@ -7,6 +7,8 @@ # Required for ioctl RNDADDENTROPY capability sys_admin, + network unix stream, + owner @{PROC}/@{pid}/status r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd index 4c4a751c..9d7b7e95 100644 --- a/apparmor.d/usr.sbin.libvirtd +++ b/apparmor.d/usr.sbin.libvirtd @@ -30,6 +30,8 @@ # Needed for vfio capability sys_resource, + mount, + network inet stream, network inet dgram, network inet6 stream, @@ -37,9 +39,17 @@ network packet dgram, network packet raw, + network netlink raw, + network unix dgram, + network unix stream, + ptrace (trace) peer=unconfined, ptrace (trace) peer=/usr/sbin/libvirtd, ptrace (trace) peer=libvirt-*, + ptrace (trace) peer=/usr/sbin/dnsmasq, + + signal (send) set=("hup") peer=/usr/sbin/dnsmasq, + signal (send) set=("term") peer=libvirt-*, # Very lenient profile for libvirtd since we want to first focus on confining # the guests. Guests will have a very restricted profile.