From cbae94af1b9372da3f764fbdf5ce4f9b82ca96a3 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Fri, 5 Oct 2018 10:08:07 +0200
Subject: [PATCH] committing changes in /etc after apt run
Package changes:
-apparmor 2.12-4ubuntu5 amd64
-apparmor-profiles 2.12-4ubuntu5 all
-apparmor-utils 2.12-4ubuntu5 amd64
+apparmor 2.12-4ubuntu5.1 amd64
+apparmor-profiles 2.12-4ubuntu5.1 all
+apparmor-utils 2.12-4ubuntu5.1 amd64
-firefox 62.0+linuxmint1+tara amd64
-firefox-locale-de 62.0+linuxmint1+tara amd64
-firefox-locale-en 62.0+linuxmint1+tara amd64
+firefox 62.0.3+linuxmint1+tara amd64
+firefox-locale-de 62.0.3+linuxmint1+tara amd64
+firefox-locale-en 62.0.3+linuxmint1+tara amd64
-imagemagick 8:6.9.7.4+dfsg-16ubuntu6.3 amd64
-imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.3 all
-imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.3 amd64
+imagemagick 8:6.9.7.4+dfsg-16ubuntu6.4 amd64
+imagemagick-6-common 8:6.9.7.4+dfsg-16ubuntu6.4 all
+imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.4 amd64
-libapparmor1 2.12-4ubuntu5 amd64
+libapparmor1 2.12-4ubuntu5.1 amd64
-libmagickcore-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.3 amd64
-libmagickwand-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.3 amd64
+libmagickcore-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.4 amd64
+libmagickwand-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.4 amd64
-python3-apparmor 2.12-4ubuntu5 amd64
+python3-apparmor 2.12-4ubuntu5.1 amd64
-python3-libapparmor 2.12-4ubuntu5 amd64
+python3-libapparmor 2.12-4ubuntu5.1 amd64
---
 ImageMagick-6/policy.xml | 5 ++++
 apparmor.d/abstractions/private-files | 19 ++++++++------
 apparmor.d/abstractions/private-files-strict | 25 +++++++++++--------
 .../abstractions/ubuntu-browsers.d/user-files | 9 ++++---
 4 files changed, 36 insertions(+), 22 deletions(-)
diff --git a/ImageMagick-6/policy.xml b/ImageMagick-6/policy.xml
index e3dd4d7..7a5658a 100644
--- a/ImageMagick-6/policy.xml
+++ b/ImageMagick-6/policy.xml
@@ -70,4 +70,9 @@
+
+
+
+
+
diff --git a/apparmor.d/abstractions/private-files b/apparmor.d/abstractions/private-files
index 3149b0d..0a659f1 100644
--- a/apparmor.d/abstractions/private-files
+++ b/apparmor.d/abstractions/private-files
@@ -13,13 +13,18 @@ deny @{HOME}/.*.bak mrwkl,
 # special attention to (potentially) executable files
- audit deny @{HOME}/bin/** wl,
- audit deny @{HOME}/.config/autostart/** wl,
- audit deny @{HOME}/.config/upstart/** wl,
- audit deny @{HOME}/.init/** wl,
- audit deny @{HOME}/.kde{,4}/Autostart/** wl,
- audit deny @{HOME}/.kde{,4}/env/** wl,
- audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
+ audit deny @{HOME}/bin/{,**} wl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/autostart/{,**} wl,
+ audit deny @{HOME}/.config/upstart/{,**} wl,
+ audit deny @{HOME}/.init/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/ w,
+ audit deny @{HOME}/.kde{,4}/Autostart/{,**} wl,
+ audit deny @{HOME}/.kde{,4}/env/{,**} wl,
+ audit deny @{HOME}/.local/{,share/} w,
+ audit deny @{HOME}/.local/share/thumbnailers/{,**} wl,
+ audit deny @{HOME}/.pki/ w,
+ audit deny @{HOME}/.pki/nssdb/{,*.so{,.[0-9]*}} wl,
 # don't allow reading/updating of run control files
 deny @{HOME}/.*rc mrk,
diff --git a/apparmor.d/abstractions/private-files-strict b/apparmor.d/abstractions/private-files-strict
index 91851b8..60ea72a 100644
--- a/apparmor.d/abstractions/private-files-strict
+++ b/apparmor.d/abstractions/private-files-strict
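Review bot: The new directory-level denials in this hunk (`audit deny @{HOME}/.config/ w,`, `.kde{,4}/ w`, `.local/{,share/} w`, `.pki/ w`) are a different kind of rule from the `{,**}` widening around them: as far as I understand AppArmor's path semantics, `w` on a path ending in `/` mediates creating, removing or renaming that directory itself, so a confined application that has to create `~/.config` or `~/.local/share` on a fresh account will now hit an audited denial, and because a `deny` rule takes precedence over any allow in another include this cannot be relaxed from a profile that pulls in this abstraction. After the upgrade it is worth checking the audit log for apparmor="DENIED" events on those four directory paths from profiles that were previously clean. The `**` to `{,**}` changes are the intended tightening, covering the directory entry as well as its contents, and look correct to me.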
@@ -5,17 +5,20 @@
 #include
 # potentially extremely sensitive files
- audit deny @{HOME}/.gnupg/** mrwkl,
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2/ w,
+ audit deny @{HOME}/.gnome2/keyrings/{,**} mrwkl,
 # don't allow access to any gnome-keyring modules
 audit deny /{,var/}run/user/[0-9]*/keyring** mrwkl,
- audit deny @{HOME}/.mozilla/** mrwkl,
- audit deny @{HOME}/.config/chromium/** mrwkl,
- audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
- audit deny @{HOME}/.evolution/** mrwkl,
- audit deny @{HOME}/.config/evolution/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.mozilla/{,**} mrwkl,
+ audit deny @{HOME}/.config/ w,
+ audit deny @{HOME}/.config/chromium/{,**} mrwkl,
+ audit deny @{HOME}/.config/evolution/{,**} mrwkl,
+ audit deny @{HOME}/.evolution/{,**} mrwkl,
+ audit deny @{HOME}/.{,mozilla-}thunderbird/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
diff --git a/apparmor.d/abstractions/ubuntu-browsers.d/user-files b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
index 2b28d13..ffe6824 100644
--- a/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ b/apparmor.d/abstractions/ubuntu-browsers.d/user-files
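Review bot: `audit deny @{HOME}/.config/ w,` is introduced here as well as in `abstractions/private-files`, which this file appears to include (the target of the `#include` on the first context line was lost in rendering, so I am going by the file names); enforcement is unaffected by the duplicate, but two copies of one rule tend to drift when only one is edited later, so a one-line comment such as `# parent-directory denial also lives in private-files; repeated so -strict stands on its own` would record that it is deliberate. The reordering that now lists `.config/evolution` before `.evolution` and `thunderbird` is cosmetic, since AppArmor does not depend on rule order. The hunk carries no trailing context, so the file presumably ends at the last `+` line.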
@@ -8,12 +8,13 @@
 # Do not allow read and/or write to particularly sensitive/problematic files
 #include
- audit deny @{HOME}/.ssh/** mrwkl,
- audit deny @{HOME}/.gnome2_private/** mrwkl,
- audit deny @{HOME}/.kde{,4}/share/apps/kwallet/** mrwkl,
+ audit deny @{HOME}/.ssh/{,**} mrwkl,
+ audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
+ audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
+ audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
 # Comment this out if using gpg plugin/addons
- audit deny @{HOME}/.gnupg/** mrwkl,
+ audit deny @{HOME}/.gnupg/{,**} mrwkl,
 # Allow read to all files user has DAC access to and write for files the user
 # owns on removable media and filesystems.
--
2.39.5
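Review bot: The retained `# Comment this out if using gpg plugin/addons` above the `.gnupg/{,**}` rule asks the administrator to hand-edit this file, yet this very commit records the package upgrade rewriting it, so a local edit made that way is exactly what gets lost; because a `deny` rule cannot be overridden by an allow in a local include, the only durable route is to keep the locally modified file at the dpkg conffile prompt (it lives under /etc, so I assume it is a conffile) and re-check it after each upgrade. A comment next to that line, e.g. `# NOTE: this file is replaced on package upgrade; a local change here has to survive the dpkg conffile prompt`, would make that explicit. The added `.kde{,4}/{,share/,share/apps/} w` denial repeats the one in `private-files-strict`, which this file appears to include (the `#include` target was lost in rendering); that is harmless for enforcement but worth a comment for the same drift reason.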