roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

Add lxqt desktop group & more #358

Open Besanon opened 4 weeks ago

Besanon commented 4 weeks ago

Adding the lxqt desktop with related programs and the falkon browser. Add some initial support for runit init system programs.

roddhjav commented 3 weeks ago

Thanks for your PR.

It will take a bit of time, as I need to set up a new set of test VMs for lxqt. But as it looks similar to xfce it should be easy enough. For some context, what distribution are you using?

I will also give a quick overview of your profiles and ask for some initial changes. To sum up what I have seen so far you need to:

- Ensure you respect the profile guidelines on all your profiles.
- Some accesses need to be restricted. For instance, allowing /tmp/ is generally useless and an open door for an attacker to leak outside the confinement. Never use @{HOME}/ rw or user-write but user-write-strict. @{sys}/devices/@{pci_bus}/**/**/** can be restricted a lot.
- You need to use the dbus base abstraction (see https://apparmor.pujol.io/development/dbus/#base) instead of the upstream one.
- You always have a few various spaces between the rule and the access (e.g. /usr/share/qt{5,6}/     r,); it gets hard to read, please remove them.
- All profiles need to end with the following rule: include if exists <local/-profile-name->

Regarding runit profiles I have some doubts. As the init system is closely related to the rest of the system, adding support for another one is a lot of work and I simply don't have the resources for it.

Besanon commented 3 weeks ago

Hello Alex,

I am using an Archlinux 6/2024 image and Void Linux. I will have a look at all your replies and add/alter the statements; I haven't followed all rules so far. The confinement isn't this close, I agree, although the processes except runit-init are indeed already confined. Yes, you have to rebuild a lot. Runit is a very condensed init system and it took me several days to construct the few profiles to work with all the others, including some hundred from you. The statements are different if you choose sddm or just use dbus-run-session to start the desktop. The confinement of a whole init system is perhaps a bit too much for me, but step by step will do good work over time.

Today I have read about your advice not to confine some basic programs; we should use toolbx instead. Sadly, toolbx depends on systemd(!) Is there any alternative to be used on non-systemd environments? It would be great to have another software for these other init environments.

Well, most of the differences regarding the init systems are in the dbus and init programs handling of the desktop. The session profiles have to be altered. But that's it. Everything else in your profiles is by far (>95%) working. A severe difference is udiskd which works enforced in Arch but not in Void. I think I will open up another repository which will offer only all profiles which have to be different from your collection to run ALL profiles in the runit init context (so far about 700...750 profiles are running).

Thank you very much for your attention and comments! It will be very useful even for the profiles which will be used in another init context!

Regards 


Besanon commented 3 weeks ago

Hello Alex,

There are two points I noticed right from the start in the Arch Linux (hardened kernel) setup:

dbus          wants to exec dbus-update-activation-environment
sddm-greeter  wants to receive signal from sddm

Regards


Besanon commented 3 weeks ago

Good Morning,

The falkon and elogind profiles are adapted.

I have added the formal statements for the other profiles lxqt* and added some more relevant profiles. As far as I can see, there are issues with dbus-update-activation in startlxqt and lxqt-notificationd. All other profiles run without issues after the adaptation of the include statements. aa-log.txt is the result when running everything in complain mode. aa-log2.txt is the result when disabling lxqt-notificationd. aa-log3.txt is the result when disabling startlxqt (successful login possible). Continue testing...

Regards,

On 06.06.2024 at 12:44, Alex @.***> wrote:

@roddhjav commented on this pull request. In apparmor.d/groups/lxqt/lxqt-session:> + dbus receive+ bus=session+ path="/org/freedesktop/Notifications"+ interface="org.freedesktop.DBus.Introspectable"+ peer=(name=":[0-9].[0-9]"),+ dbus send+ bus=session+ path="/org/freedesktop/Notifications"+ interface="org.freedesktop.Notifications"+ peer=(name="org.freedesktop.DBus"),+ dbus receive+ bus=session+ path="/org/freedesktop/Notifications"+ interface="org.freedesktop.Notifications"+ peer=(name=":[0-9].[0-9]"), Forgot to add the comment, it should be: #aa:dbus own bus=session name=org.freedesktop.Notifications — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.***>
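Review bot: the peer=(name=":[0-9].[0-9]") pattern in the dbus receive rules only matches unique bus names whose two components are single digits (":1.5"), so a peer connected as ":1.123" falls outside the rule and the access is denied once the profile is enforced; since the block both sends and receives on /org/freedesktop/Notifications, Introspectable interface included, it describes owning the name, and the #aa:dbus own bus=session name=org.freedesktop.Notifications directive suggested here generates the complete rule set with correct peer matching. Before adding the directive to lxqt-session, confirm that lxqt-session rather than lxqt-notificationd is the process that actually registers that name.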

ALLOWED auditd capable info="optional: no audit" comm=auditd error=-1 capname=fowner capability=3
ALLOWED xorg capable info="optional: no audit" comm=Xorg capname=fowner error=-1 capability=3
ALLOWED unix-chkpwd file_mmap owner  info="Failed name lookup - disconnected path" comm=unix_chkpwd requested_mask=r denied_mask=r error=-13
ALLOWED sddm//systemctl file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=systemctl requested_mask=w denied_mask=w
ALLOWED lxqt-notificationd file_receive run/systemd/inhibit/2.ref info="Failed name lookup - disconnected path" comm=QDBusConnection requested_mask=w denied_mask=w error=-13

ALLOWED auditd capable info="optional: no audit" comm=auditd error=-1 capability=3 capname=fowner
ALLOWED xorg capable info="optional: no audit" comm=Xorg error=-1 capability=3 capname=fowner
ALLOWED unix-chkpwd file_mmap owner  info="Failed name lookup - disconnected path" comm=unix_chkpwd requested_mask=r denied_mask=r error=-13
ALLOWED sddm//systemctl file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=systemctl requested_mask=w denied_mask=w
ALLOWED sddm exec @{bin}/dbus-update-activation-environment -> sddm//null-@{bin}/dbus-update-activation-environment comm=bash requested_mask=x denied_mask=x
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=dbus-update-act requested_mask=w denied_mask=w
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_mmap @{bin}/dbus-update-activation-environment comm=dbus-update-act requested_mask=r denied_mask=r
ALLOWED startlxqt exec @{bin}/lxqt-session -> @{bin}/lxqt-session info="profile transition not found" comm=startlxqt requested_mask=x denied_mask=x error=-13
ALLOWED sddm-greeter signal comm=sddm-helper requested_mask=receive denied_mask=receive signal=term peer=sddm

ALLOWED auditd capable info="optional: no audit" comm=auditd error=-1 capability=3 capname=fowner
ALLOWED xorg capable info="optional: no audit" comm=Xorg error=-1 capability=3 capname=fowner
ALLOWED unix-chkpwd file_mmap owner  info="Failed name lookup - disconnected path" comm=unix_chkpwd requested_mask=r denied_mask=r error=-13
ALLOWED sddm//systemctl file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=systemctl requested_mask=w denied_mask=w
ALLOWED sddm exec @{bin}/dbus-update-activation-environment -> sddm//null-@{bin}/dbus-update-activation-environment comm=bash requested_mask=x denied_mask=x
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=dbus-update-act requested_mask=w denied_mask=w
ALLOWED sddm//null-@{bin}/dbus-update-activation-environment file_mmap @{bin}/dbus-update-activation-environment comm=dbus-update-act requested_mask=r denied_mask=r
ALLOWED geoclue file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=agent requested_mask=w denied_mask=w
ALLOWED dbus-accessibility open owner /tmp/xauth_jcSShq comm=at-spi-bus-laun requested_mask=r denied_mask=r
ALLOWED xfs_spaceman capable comm=xfs_spaceman capability=2 capname=dac_read_search

Besanon commented 3 weeks ago

Hi,

You put the activated processes here; runsv will not claim it any more simply, but you have to track this. I will put a comment in this profile to explain this.

On 07.06.2024 at 13:52, Alex @.***> wrote:

@roddhjav commented on this pull request. In apparmor.d/groups/runit/runsv:> + @{bin}/sv rPx,+ @{bin}/vlogger rPx,+ @{bin}/udevadm rCx -> udevadm, + @{bin}/tlp rPx,+ @{bin}/readlink rix,+ @{bin}/ethtool rix,+ @{bin}/agetty rPx,+ @{bin}/id rPx,+ @{bin}/rsyslogd rPx,+ @{bin}/iw rPx,+ @{bin}/cupsd rPx,+ @{bin}/dhcpcd rPx,+ @{bin}/udevd rPx,+ @{bin}/dbus-daemon rPx,+ @{bin}/auditd rPx,+ @{bin}/chronyd rPx,+ @{bin}/NetworkManager rPx,+ @{bin}/mount rPx,+ @{bin}/sddm rPx,+ @{bin}/pause rix,+ @{bin}/install rix,+ @{bin}/chpst rPx,+ @{bin}/mkdir rix,+ @{bin}/mktemp rix,+ @{bin}/dbus-send rix, # alt: rix+ @{bin}/utmpset rix, # alt: rix+ @{lib}exec/elogind/elogind rPx,+ @{lib}exec/elogind/elogind.wrapper rPx, # alt: rix+ @{bin}/bash rPx, # alt: rix+ @{bin}/tr rPx, # alt:rix+ @{bin}/rm rix,+ @{bin}/touch rix,+ @{bin}/flock rix,+ @{bin}/cat rix,+ @{bin}/grep rPx, # alt:rix+ @{bin}/mountpoint rix,+ @{bin}/systemctl rCx -> systemctl, I don't know runit. Therefore I can't says which process is doing what. But looking at this list, to me it looks like the list of service started by your system. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.***>
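Review bot: the `# alt: rix` comments on @{bin}/bash, @{bin}/tr and @{bin}/grep leave the transition undecided, and the choice matters: rix runs a shell with every permission runsv holds, which for a supervisor that launches all of these services is the union of their needs, so settle on rPx (and make sure each target profile exists, otherwise the exec fails with "profile transition not found") or on a narrow child profile before merge. Two of the comments are no-ops and should go, `@{bin}/dbus-send rix, # alt: rix` and `@{bin}/utmpset rix, # alt: rix`. The `rCx -> udevadm` and `rCx -> systemctl` rules require child profiles of those names in this file that the hunk does not show. As noted in the review, the list is the set of services present on one machine; keeping it inside runsv ties the profile to that machine, whereas per-service profiles keep runsv's own rule set stable.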


Besanon commented 3 weeks ago

OK, replaced.

On 07.06.2024 at 13:42, Alex @.***> wrote:

@roddhjav commented on this pull request. In apparmor.d/groups/browsers/falkon:> + network inet dgram, # essential+ network inet stream, # essential++ network inet6 stream, # Not needed+ network inet6 dgram, # Not needed+ network inet raw, # Not needed+ network inet6 raw, # Not needed+ network netlink raw, # Not needed+ network packet dgram, # Not needed If there are not needed, then do not put them... The following int6 are needed for IPV6: network inet6 dgram, network inet6 stream, — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: @.***>
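Review bot: rules annotated `# Not needed` are still active rules, so as written the profile grants falkon raw inet and inet6 sockets, netlink raw and packet dgram, socket families a browser has no use for and which widen what a compromised renderer process could reach on the network; delete them instead of commenting them, keeping inet stream/dgram and, for IPv6, inet6 stream/dgram. The `# essential` comments can go as well, since an uncommented rule already states that the access is required.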


roddhjav commented 3 weeks ago

Regarding the restrictions I asked you for (such as @{sys}/devices/@{pci_bus}/**/**/**, /tmp/**...), I would encourage you to first fix your abstractions, as a lot of rules are already handled in abstractions such as lxqt, graphics, audio-client, dbus-*, authentication...

> dbus wants to exec dbus-update-activation-environment

What dbus profile? There is no such thing as a dbus profile (see https://apparmor.pujol.io/development/dbus/#profiles). Usually this is found as a subprofile, and it is quite common. See for example: https://github.com/roddhjav/apparmor.d/blob/b66274b2ca4a36873cdf9f7ae5f7ef2133e94b9d/apparmor.d/groups/display-manager/x11-xsession#L109

> sddm-greeter wants to receive signal from sddm

This seems normal.

> the falkon profile is adapted.

Some rules seem taken from firefox/chromium, whereas falkon does not seem to be based on either of them.

> As far as i can see, there are issues with dbus-update-activation in startlxqt and lxqt-notificationd.

According to your logs, startlxqt and lxqt-notificationd need the attach_disconnected flag.

> Regarding runit profiles I have some doubts. As the init system is closely related to the rest of the system, adding support for another one is a lot of work and I simply don't have the resources for it.

Regarding runit profiles (same for elogind), as I have said, I am not going to merge them.

Also, I would highly recommend you edit the profiles on your system and push your changes rather than editing the files directly on GitHub (see "How to contribute" on https://apparmor.pujol.io/development/). It will allow you to add, remove and edit without having to create a commit for every file changed.
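The reading of the logs above (which profile needs attach_disconnected, which exec has no loaded target profile, which exec ran under a complain-mode null profile) can be done mechanically. The script below is an added example written for this thread, not part of apparmor.d or its aa-log tool; it assumes the field layout of the dumps posted above and embeds a handful of those lines as sample input. The classification keys on the standard AppArmor info= strings and on the profile//null-path naming that complain mode uses for an exec with no x rule.

```python
"""Triage aa-log output by profile and likely profile fix.

Added example for this thread, not part of apparmor.d or its aa-log tool.
Assumed line layout (as in the dumps posted above):
    DECISION PROFILE OPERATION [owner] [path [-> target]] key=value ...
"""
import re
from collections import defaultdict

# Sample input: lines copied from the aa-log dumps posted in this thread.
SAMPLE_LOG = """\
ALLOWED auditd capable info="optional: no audit" comm=auditd error=-1 capability=3 capname=fowner
ALLOWED unix-chkpwd file_mmap owner  info="Failed name lookup - disconnected path" comm=unix_chkpwd requested_mask=r denied_mask=r error=-13
ALLOWED sddm//systemctl file_inherit owner @{user_share_dirs}/sddm/xorg-session.log comm=systemctl requested_mask=w denied_mask=w
ALLOWED lxqt-notificationd file_receive run/systemd/inhibit/2.ref info="Failed name lookup - disconnected path" comm=QDBusConnection requested_mask=w denied_mask=w error=-13
ALLOWED sddm exec @{bin}/dbus-update-activation-environment -> sddm//null-@{bin}/dbus-update-activation-environment comm=bash requested_mask=x denied_mask=x
ALLOWED startlxqt exec @{bin}/lxqt-session -> @{bin}/lxqt-session info="profile transition not found" comm=startlxqt requested_mask=x denied_mask=x error=-13
ALLOWED sddm-greeter signal comm=sddm-helper requested_mask=receive denied_mask=receive signal=term peer=sddm
ALLOWED dbus-accessibility open owner /tmp/xauth_jcSShq comm=at-spi-bus-laun requested_mask=r denied_mask=r
"""

# key=value fields; the value is either double-quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one aa-log line into decision, profile, operation, head tokens and fields."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    event = {"decision": parts[0], "profile": parts[1], "operation": parts[2]}
    rest = parts[3] if len(parts) == 4 else ""
    # tokens without '=' (owner, path, '->', target) form the rule head
    event["head"] = KV_RE.sub("", rest).split()
    for m in KV_RE.finditer(rest):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def classify(event):
    """Map one event to the profile change it points at, or None for noise."""
    info = event.get("info", "")
    op = event["operation"]
    head = event["head"]
    last = head[-1] if head else "?"
    if info == "optional: no audit":
        return None  # capability probe AppArmor itself marks as optional: nothing to add
    if info == "Failed name lookup - disconnected path":
        return "add flags=(attach_disconnected)"
    if info == "profile transition not found":
        return f"exec target profile not loaded: {last}"
    if op == "exec" and any(t.startswith(event["profile"] + "//null-") for t in head):
        return "exec without x rule (complain-mode null profile)"
    if op == "file_inherit":
        return f"inherited fd {last}: decide whether the parent should pass it"
    mask = event.get("denied_mask", "?")
    return f"add a rule for {' '.join([op, *head])} (denied_mask={mask})"


def triage(log_text):
    """Return {profile: sorted distinct fixes} for every non-noise event."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        fix = classify(event)
        if fix:
            findings[event["profile"]].add(fix)
    return {profile: sorted(fixes) for profile, fixes in findings.items()}


if __name__ == "__main__":
    for profile, fixes in triage(SAMPLE_LOG).items():
        for fix in fixes:
            print(f"{profile}: {fix}")
```

Run it over a full aa-log dump (python3 triage.py < aa-log.txt after swapping SAMPLE_LOG for sys.stdin.read()) to get one line per profile and fix; the "optional: no audit" capability probes are dropped because AppArmor itself flags them as not needing a rule.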

Besanon commented 3 weeks ago

DBUS:

Well, I have sent 3 aa-log files with the exact statements I got. sddm, lxqt-session and lxqt-notificationd demanded it sometimes.

SDDM-Greeter ...complains about this - update of the profile?

I will put the attach_disconnected flag in the respective profiles.

OK, I am putting elogind in another repository, all well. To my knowledge there is a chromium engine in QtWebkit. I try to restrict the profile more. Sorry for the awkward beginning, it's my first use of GitHub.


nobody43 commented 3 weeks ago

Like already said: abstractions and tunables aren't leveraged; /tmp/{,**}, @{sys} and @{user_config_dirs}/lxqt/** access are too broad. And please edit files of such quantity in batch locally with git commits. Web edits produce too much notification spam.
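The checklist from the maintainer's first review (no broad /tmp/ access, user-write-strict instead of @{HOME}/ rw, narrower @{pci_bus} globs, no padding before the access mode, a trailing include if exists <local/...>) and the point repeated just above can be checked before a commit. The script below is an added example for this thread, not apparmor.d's own tooling; the lxqt-example profile, its @{bin}/lxqt-example path and the rules inside it are constructed to reproduce each issue, and the checks are textual pattern matches rather than a parser of the full AppArmor grammar.

```python
"""Check an AppArmor profile against the points raised in this review.

Added example, not apparmor.d tooling. Flags: /tmp/ file access, @{HOME}/ with
write access, broad @{pci_bus} globs, padding between path and access mode,
rules kept with a "Not needed" comment, and a missing trailing
include if exists <local/<profile-name>>.
"""
import re

# Constructed sample profile that reproduces each issue from the checklist.
BAD_PROFILE = """\
abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/lxqt-example
profile lxqt-example @{exec_path} {
  include <abstractions/base>

  @{exec_path} mr,

  /tmp/{,**} rw,
  owner @{HOME}/ rw,
  @{sys}/devices/@{pci_bus}/**/**/** r,
  /usr/share/qt{5,6}/     r,
  network inet raw, # Not needed

}
"""

# The same constructed profile with each point addressed: user-write-strict is
# the abstraction asked for above; the pci_bus rule is dropped until the exact
# sysfs nodes the program reads are known.
GOOD_PROFILE = """\
abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/lxqt-example
profile lxqt-example @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-write-strict>

  @{exec_path} mr,

  /usr/share/qt{5,6}/ r,

  include if exists <local/lxqt-example>
}
"""

# path-style rule: optional 'owner', path, whitespace, access mode, comma
FILE_RULE = re.compile(r"^\s*(?:owner\s+)?(\S+)(\s+)([a-zA-Z]+),")
PROFILE_NAME = re.compile(r"^profile\s+(\S+)")


def lint_profile(text):
    """Return a list of (line_number, message); an empty list means the checklist passes."""
    findings = []
    name = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PROFILE_NAME.match(line)
        if m:
            name = m.group(1)
        if "# Not needed" in line:
            findings.append((lineno, "rule marked 'Not needed' is still active; remove it"))
        rule = FILE_RULE.match(line)
        if not rule:
            continue
        path, gap, access = rule.groups()
        if len(gap) > 1:
            findings.append((lineno, "extra spaces between rule and access mode"))
        if path.startswith("/tmp/"):
            findings.append((lineno, "/tmp/ access is an exit from the confinement; restrict it"))
        if path == "@{HOME}/" and "w" in access:
            findings.append((lineno, "no @{HOME}/ write access; use abstractions/user-write-strict"))
        if path.startswith("@{sys}/devices/@{pci_bus}/") and "**" in path:
            findings.append((lineno, "@{pci_bus} glob can be restricted a lot"))
    if name is None:
        findings.append((0, "no profile header found"))
    elif f"include if exists <local/{name}>" not in text:
        findings.append((0, f"profile must end with: include if exists <local/{name}>"))
    return findings


if __name__ == "__main__":
    for label, text in (("bad", BAD_PROFILE), ("good", GOOD_PROFILE)):
        print(f"{label}: {len(lint_profile(text))} finding(s)")
        for lineno, message in lint_profile(text):
            print(f"  line {lineno}: {message}")
```

Line number 0 marks a whole-file finding. Pointing lint_profile at the text of each file under apparmor.d/groups/lxqt before committing gives the same list the reviewers produced by hand above.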

Besanon commented 3 weeks ago

Good Morning,

I have spent some hours removing the /tmp{,**}, and yes, I tried to get into working with the GitHub CLI but I didn't succeed so far.

xbps-install -S github-cli

mkdir projekte/Besanon
cd projekte/Besanon
gh repo clone Besanon/apparmor.d
cd apparmor.d
gh repo set-default Besanon/apparmor.d
git checkout -b BesanonLocal

... do some editing in console ...

git commit -a -m "Test"
gh auth login --with-token < /opt/mytoken.txt  # mytoken.txt created in github profile
git commit -a -m "Test"
git push origin Besanonlocal  -> requests user & pw but didn't accept my credentials (=token???)

Should this be the way to commit changes? It's a very embarrassing description in the GitHub documentation.
