openSUSE profile additions #208

Open
cboltz opened this issue Sep 5, 2023 · 11 comments

Comments

@cboltz

cboltz commented Sep 5, 2023

I have some more profile additions on openSUSE: apparmor-2023-09-05.txt

@roddhjav
Owner

roddhjav commented Sep 5, 2023

Thanks. They should be integrated now.
I figured out that some of the rules were already in the project ;)

roddhjav added a commit that referenced this issue Sep 5, 2023
@roddhjav
Owner

roddhjav commented Sep 5, 2023

I was wondering: my experience with rpm packages is very limited. Do you know if there is a way to build your package from local source instead of using a git tarball? This is the default for Debian and very easy to do for Arch, but I don't find a clean way for openSUSE.

Edit: found the solution.

@cboltz
Author

cboltz commented Oct 9, 2023

A month later, I have some more profile additions: aa-2023-10-09.txt

@cboltz
Author

cboltz commented Oct 9, 2023

Oh, and the git profile doesn't cover the binary path used on Tumbleweed: /usr/libexec/git/git

You'll also need to update the profiles that allow to exec git - a quick grep lists etckeeper, hugo, onefetch, pass, repo and youtube-dl.

@roddhjav
Owner

roddhjav commented Oct 9, 2023

Thanks, there are fewer logs, which may be a good sign ;)

@cboltz
Author

cboltz commented Oct 9, 2023

Indeed :-)

I see you edited away your question about git, but I'll answer it anyway ;-)

cb@tux:~> ls -l /usr/bin/git* | grep ^l
lrwxrwxrwx 1 root root       18 26. Sep 22:17 /usr/bin/git -> ../libexec/git/git*
lrwxrwxrwx 1 root root       28 26. Sep 22:17 /usr/bin/git-cvsserver -> ../libexec/git/git-cvsserver*
lrwxrwxrwx 1 root root       18 26. Sep 22:17 /usr/bin/git-receive-pack -> ../libexec/git/git*
lrwxrwxrwx 1 root root       24 26. Sep 22:17 /usr/bin/git-shell -> ../libexec/git/git-shell*
lrwxrwxrwx 1 root root       18 26. Sep 22:17 /usr/bin/git-upload-archive -> ../libexec/git/git*
lrwxrwxrwx 1 root root        3 26. Sep 22:17 /usr/bin/git-upload-pack -> git*

roddhjav added a commit that referenced this issue Oct 9, 2023
roddhjav added a commit that referenced this issue Oct 9, 2023
@roddhjav
Owner

roddhjav commented Oct 9, 2023

The rule should be integrated now.

Do we agree that:

  1. In xrdb : @{lib}/gcc/@{multiarch}/@{int}*/cc1 should catch /usr/lib64/gcc/x86_64-suse-linux/13/cc1 ?
  2. In kded5: @{user_share_dirs}/kcookiejar/cookies.IsPUUI rk -> @{user_share_dirs}/kcookiejar/#24084753, is caught by:
    owner @{user_share_dirs}/kcookiejar/#@{int} rw,
    owner @{user_share_dirs}/kcookiejar/cookies.lock rwk,
    owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int},

@cboltz
Author

cboltz commented Oct 12, 2023

I'm afraid I can't really agree ;-)

@{multiarch} is defined as @{multiarch}=*-linux-gnu*, which does not match x86_64-suse-linux

kded5 also still gives me denials even with the rules you mentioned in place: apparmor="ALLOWED" operation="link" class="file" profile="kded5" name="/home/cb/.local/share/kcookiejar/cookies.TCNciF" pid=4792 comm="kded5" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="/home/cb/.local/share/kcookiejar/#24111969" (but I'm not sure what's wrong with the existing rules - at least on a quick look they should match)

Also, the git profile still doesn't match the path on Tumbleweed (/usr/libexec/git/git). Note that the allowed paths only allow .../git-core/git, but not .../git/git.

For some more boring denials, see the attached apparmor-2023-10-12.txt

@roddhjav
Owner

roddhjav commented Oct 13, 2023

@{multiarch} is defined as @{multiarch}=*-linux-gnu* which does not match x86_64-suse-linux

Good point. I am wondering if, in this case, @{multiarch} should be set to something like @{multiarch}=*-linux-gnu* *suse-linux* on openSUSE, because it seems to be a logical use of the @{multiarch} variable.

Also, the git profile still doesn't match the path on Tumbleweed

My bad, I forgot to commit my changes... This is pushed now.
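
The two questions above (does `@{lib}/gcc/@{multiarch}/@{int}*/cc1` catch the cc1 path, and do the kcookiejar rules cover the logged link) and the proposed `@{multiarch}` extension can be checked mechanically instead of by eye. The following is an added example, not code from this thread or from the apparmor.d project: a small checker that expands AppArmor-style `@{variable}` references (space-separated alternatives, possibly nested) and translates the globbing (`*`, `**`, `?`, `[...]`, `{a,b}`) into a regular expression, then runs the paths quoted in the thread through it. Only `@{multiarch}=*-linux-gnu*` is taken from the thread; `@{lib}`, `@{int}`, `@{rand6}`, `@{HOME}` and `@{user_share_dirs}` are assumed stand-ins modelled on the apparmor.d tunable style, and `@{lib}/git-core/git` is a hypothetical stand-in for the git rule the thread only describes as ".../git-core/git".

```python
import re

# Variable definitions used by the checker. Only @{multiarch} is quoted from the
# thread; the rest are ASSUMED stand-ins in apparmor.d tunable style, not copied
# from the project.
BASE_VARS = {
    "lib": "/{,usr/}lib{,exec,32,64}",
    "multiarch": "*-linux-gnu*",
    "c": "[0-9a-zA-Z]",
    "rand6": "@{c}@{c}@{c}@{c}@{c}@{c}",
    "int": "[0-9]" + "{[0-9],}" * 9,      # 1 to 10 digits
    "HOME": "/home/* /root",
    "user_share_dirs": "@{HOME}/.local/share",
}

VAR_RE = re.compile(r"@\{([A-Za-z0-9_]+)\}")


def expand_vars(pattern, variables):
    """Return every string obtained by substituting each variable's values.
    Values are space-separated alternatives and may reference other variables."""
    m = VAR_RE.search(pattern)
    if m is None:
        return [pattern]
    out = []
    for value in variables[m.group(1)].split():
        out.extend(expand_vars(pattern[:m.start()] + value + pattern[m.end():], variables))
    return out


def _matching_brace(pattern, start):
    depth = 0
    for i in range(start, len(pattern)):
        if pattern[i] == "{":
            depth += 1
        elif pattern[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced '{' in %r" % pattern)


def _split_alternatives(body):
    """Split the inside of {a,b{c,d}} on top-level commas only."""
    parts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def glob_to_regex(pattern):
    """Translate AppArmor globbing (*, **, ?, [..], {a,b}) into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")                 # ** crosses directory boundaries
            i += 2
        elif ch == "*":
            out.append("[^/]*")              # * stops at '/'
            i += 1
        elif ch == "?":
            out.append("[^/]")
            i += 1
        elif ch == "[":
            j = pattern.index("]", i)        # character class passes through
            out.append(pattern[i:j + 1])
            i = j + 1
        elif ch == "{":
            j = _matching_brace(pattern, i)
            alts = [glob_to_regex(a) for a in _split_alternatives(pattern[i + 1:j])]
            out.append("(?:" + "|".join(alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def path_matches(rule_path, path, variables=BASE_VARS):
    """True if `path` is matched by the rule path after variable expansion."""
    return any(re.fullmatch(glob_to_regex(p), path) for p in expand_vars(rule_path, variables))


def check_thread_cases():
    """Run the paths quoted in the thread against the rules under discussion."""
    suse_vars = dict(BASE_VARS, multiarch="*-linux-gnu* *suse-linux*")  # proposed extension
    cc1 = "/usr/lib64/gcc/x86_64-suse-linux/13/cc1"
    xrdb_rule = "@{lib}/gcc/@{multiarch}/@{int}*/cc1"
    return {
        "xrdb_default_multiarch": path_matches(xrdb_rule, cc1),
        "xrdb_extended_multiarch": path_matches(xrdb_rule, cc1, suse_vars),
        "kded5_link_source": path_matches("@{user_share_dirs}/kcookiejar/cookies{,.@{rand6}}",
                                          "/home/cb/.local/share/kcookiejar/cookies.TCNciF"),
        "kded5_link_target": path_matches("@{user_share_dirs}/kcookiejar/#@{int}",
                                          "/home/cb/.local/share/kcookiejar/#24111969"),
        # hypothetical stand-in for the elided git-core rule, then a form covering both layouts
        "git_core_only": path_matches("@{lib}/git-core/git", "/usr/libexec/git/git"),
        "git_both_layouts": path_matches("@{lib}/git{-core,}/git", "/usr/libexec/git/git"),
    }


if __name__ == "__main__":
    for name, matched in check_thread_cases().items():
        print("%-26s %s" % (name, "match" if matched else "NO MATCH"))
```

With the stock `*-linux-gnu*` value the xrdb rule does not cover `x86_64-suse-linux`, and with the extended value it does; both halves of the kcookiejar link rule match the logged source and target paths as globs. The checker only evaluates path globbing: it does not model `owner`, the permission bits, or how AppArmor evaluates link rules, so a glob match on its own does not settle why the kded5 link is still being logged.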

@cboltz
Author

cboltz commented Oct 20, 2023

Extending @{multiarch} is an interesting idea. Give me a few days to think about it ;-)

In the meantime, I can offer some new denials, mostly for update-ca-certificates (probably triggered while restarting unbound, I started to create a profile for it): apparmor-2023-10-20.txt

roddhjav added a commit that referenced this issue Oct 20, 2023
@cboltz
Author

cboltz commented Oct 22, 2023

Some more additions: apparmor-2023-10-22.txt
