From 25d6ba7bc127ab1e114774fe922d8128049e7eb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Droz?=
Date: Tue, 26 Apr 2022 11:42:55 -0300
Subject: [PATCH 1/2] Update opt.zoom.ZoomLauncher

Removed some permissions (5.9.6.2225 keeps running) and added a couple of other socket-related.
---
 opt.zoom.ZoomLauncher | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/opt.zoom.ZoomLauncher b/opt.zoom.ZoomLauncher
index af57fa8..71027b5 100644
--- a/opt.zoom.ZoomLauncher
+++ b/opt.zoom.ZoomLauncher
@@ -1,7 +1,7 @@
 # Last Modified: Mon Apr 25 22:40:23 2022
 include
-/opt/zoom/ZoomLauncher flags=(complain) {
+/opt/zoom/ZoomLauncher {
 include
 include
 include
@@ -17,16 +17,18 @@ include
 include
 include
- dbus (receive send) bus=accessibility,
+ # dbus (receive send) bus=accessibility,
 dbus receive bus=session interface=org.a11y.atspi**,
 dbus receive bus=system path=/org/freedesktop/NetworkManager,
 dbus send bus=session peer=(name=org.a11y.Bus),
 dbus send bus=system path=/org/freedesktop/NetworkManager member=state,
+ dbus (send, receive) bus=system path=/org/freedesktop/NetworkManager/Settings,
 signal receive peer=unconfirmed,
 signal send set=usr2 peer=/usr/bin/pacmd,
 deny ptrace read peer=/usr/bin/pidof,
+ deny ptrace read peer=pidof,
 deny ptrace trace,
 ptrace read peer=/opt/zoom/QtWebEngineProcess,
@@ -35,6 +37,9 @@ include
 deny @{HOME}/.Private mrwlk,
 deny @{PROC}/[0-9]*/cmdline mrwlk,
+ network netlink dgram,
+ unix (bind) type=dgram,
+
 /dev/dri/ r,
 /dev/tty rw,
 /dev/video[0-9] mrw,
@@ -78,7 +83,7 @@ include
 /usr/bin/mkfifo rUx, # investigate
 /usr/bin/pacmd ix,
 /usr/bin/pactl ix,
- /usr/bin/pidof Ux,
+ deny /usr/bin/pidof x,
 /usr/bin/xdg-open rUx,
 /usr/share/fontconfig/conf.avail/** r,
 /usr/share/fonts/truetype/** mr,
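Review bot: The added `dbus (send, receive) bus=system path=/org/freedesktop/NetworkManager/Settings,` rule is not narrowed to an interface or member, unlike the neighbouring `dbus send bus=system path=/org/freedesktop/NetworkManager member=state,` line, so it admits every method on that object, including the ones that add or modify saved connections (subject only to NetworkManager's own policy). If the client just needs to enumerate connections, constrain it, e.g. `dbus (send, receive) bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member=ListConnections,`, with the exact member confirmed from the audit log rather than guessed. The second patch carries this rule forward unchanged (as `dbus (receive send) ...` in its first hunk), so the same narrowing applies there. The enclosing profile block starts before and ends after this hunk.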
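Review bot: `network netlink dgram,` grants every netlink protocol family, because an AppArmor network rule cannot select a single protocol such as NETLINK_ROUTE; together with the existing reads of `@{PROC}/[0-9]*/net/dev` and `net/if_inet6` the intent is presumably interface enumeration, but the rule as written also covers the other netlink families. That is a limitation of the rule language rather than something the profile can tighten, so it is worth recording next to the rule: `network netlink dgram, # interface enumeration (TODO confirm); AppArmor cannot restrict netlink to one protocol`. Likewise `unix (bind) type=dgram,` has no `addr=` qualifier and so allows binding a unix datagram socket at any address not otherwise denied; if the bound path is known from the log, pin it with `addr=`.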
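Review bot: `deny /usr/bin/pidof x,` (and the matching `deny /{,usr/}bin/{dash,ps,grep,readlink} x,` lines in the next hunk, repeated in the second patch's `@@ -34,12` hunk) turns a logged default denial into a silent one: an explicit `deny` rule suppresses the audit message, so if a later Zoom build starts needing one of these helpers the failure will not appear in the kernel log or in `aa-logprof`. Since removing the old `Ux` lines already denies the exec, either drop the `deny` lines or keep the intent explicit while retaining visibility with `audit deny /usr/bin/pidof x,`. Note also that with pidof no longer executable, the two `deny ptrace read peer=...pidof` rules earlier in this patch have nothing left to match, and the new `peer=pidof` form names a profile label that nothing visible here defines.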
@@ -89,20 +94,23 @@ include
 /usr/share/themes/Default/gtk-3.0/gtk-keys.css r,
 /var/lib/flatpak/exports/share/mime/mime.cache m,
 /{,usr/}bin/cat ix,
- /{,usr/}bin/dash ix,
- /{,usr/}bin/grep ix,
- /{,usr/}bin/ps rUx,
- /{,usr/}bin/readlink ix,
+ deny /{,usr/}bin/dash x,
+ deny /{,usr/}bin/ps x,
+ deny /{,usr/}bin/grep x,
+ deny /{,usr/}bin/readlink x,
 /{,usr/}bin/uname rUx,
 /{,usr/}sbin/killall5 ix,
 @{PROC} r,
 @{PROC}/@{pid}/oom_score_adj w,
+ @{PROC}/@{pid}/setgroups w,
 @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/comm r,
 @{PROC}/@{pid}/task/* r,
+ @{PROC}/@{pid}/task/comm rw,
 @{PROC}/[0-9]*/net/dev r,
 @{PROC}/[0-9]*/net/if_inet6 r,
 @{PROC}/[0-9]*/net/ipv6_route r,
- @{PROC}/[0-9]*/net/wireless r,
+ # @{PROC}/[0-9]*/net/wireless r,
 @{PROC}/bus/pci/devices r,
 @{PROC}/sys/dev/i915/perf_stream_paranoid r,
 @{PROC}/sys/kernel/osrelease r,
@@ -123,8 +131,6 @@ include
 owner @{HOME}/.cache/zoom/qmlcache/ mrwk,
 owner @{HOME}/.cache/zoom/qmlcache/** mrwk,
 owner @{HOME}/.config/.@{pid} rwk,
- owner @{HOME}/.config/.J* rwk,
- owner @{HOME}/.config/.T* rwk,
 owner @{HOME}/.config/QtProject.conf r,
 owner @{HOME}/.config/dconf/user rw,
 owner @{HOME}/.config/gtk-3.0/settings.ini r,
@@ -144,8 +150,10 @@ include
 owner @{HOME}/Documents/Zoom/ rwk,
 owner @{HOME}/Documents/Zoom/** rwk,
 owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mounts r,
+ owner /{,var/}run/user/[0-9]*/pulse/cli rw,
+ # Zoom 5.10.x
+ # capability sys_admin,
 profile lsb_release {
 include

From 8068106cba22350f9f2faf4c26a2da3ad9f475ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Droz?=
Date: Tue, 26 Apr 2022 11:47:53 -0300
Subject: [PATCH 2/2] aa-cleanprof

---
 opt.zoom.ZoomLauncher | 63 +++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 30 insertions(+), 33 deletions(-)

diff --git a/opt.zoom.ZoomLauncher b/opt.zoom.ZoomLauncher
index 71027b5..ca1049c 100644
--- a/opt.zoom.ZoomLauncher
+++ b/opt.zoom.ZoomLauncher
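Review bot: `@{PROC}/@{pid}/task/comm rw,` most likely never matches a real path: `/proc/<pid>/task/` holds only per-thread `<tid>/` directories, so the thread-name file is `task/<tid>/comm`, and the existing `@{PROC}/@{pid}/task/* r,` only covers reading those directory entries. If the rule was lifted from a logged write, it should read `@{PROC}/@{pid}/task/*/comm rw,` (or use the `@{tid}` tunable if the included tunables provide it), otherwise the write will keep being denied and the rule is dead weight. The second patch keeps the line as context in its `@@ -94,23` hunk, so the correction applies there too. The added `@{PROC}/@{pid}/setgroups w,` and `comm r,` look consistent with a sandboxed child setting up a user namespace, but that is inferred, not shown here, and deserves a comment once confirmed.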
@@ -1,28 +1,29 @@
-# Last Modified: Mon Apr 25 22:40:23 2022
-include
+# Last Modified: Tue Apr 26 11:45:27 2022
+#include
 /opt/zoom/ZoomLauncher {
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
- include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
- # dbus (receive send) bus=accessibility,
+ network netlink dgram,
+
+ dbus (receive send) bus=system path=/org/freedesktop/NetworkManager/Settings,
 dbus receive bus=session interface=org.a11y.atspi**,
 dbus receive bus=system path=/org/freedesktop/NetworkManager,
 dbus send bus=session peer=(name=org.a11y.Bus),
 dbus send bus=system path=/org/freedesktop/NetworkManager member=state,
- dbus (send, receive) bus=system path=/org/freedesktop/NetworkManager/Settings,
 signal receive peer=unconfirmed,
 signal send set=usr2 peer=/usr/bin/pacmd,
@@ -34,12 +35,16 @@ include
 ptrace read peer=/opt/zoom/QtWebEngineProcess,
 ptrace read peer=/usr/bin/pacmd,
+ unix (bind) type=dgram,
+
+ deny /usr/bin/pidof x,
+ deny /{,usr/}bin/dash x,
+ deny /{,usr/}bin/grep x,
+ deny /{,usr/}bin/ps x,
+ deny /{,usr/}bin/readlink x,
 deny @{HOME}/.Private mrwlk,
 deny @{PROC}/[0-9]*/cmdline mrwlk,
- network netlink dgram,
- unix (bind) type=dgram,
-
 /dev/dri/ r,
 /dev/tty rw,
 /dev/video[0-9] mrw,
@@ -83,7 +88,6 @@ include
 /usr/bin/mkfifo rUx, # investigate
 /usr/bin/pacmd ix,
 /usr/bin/pactl ix,
- deny /usr/bin/pidof x,
 /usr/bin/xdg-open rUx,
 /usr/share/fontconfig/conf.avail/** r,
 /usr/share/fonts/truetype/** mr,
@@ -94,23 +98,18 @@ include
 /usr/share/themes/Default/gtk-3.0/gtk-keys.css r,
 /var/lib/flatpak/exports/share/mime/mime.cache m,
 /{,usr/}bin/cat ix,
- deny /{,usr/}bin/dash x,
- deny /{,usr/}bin/ps x,
- deny /{,usr/}bin/grep x,
- deny /{,usr/}bin/readlink x,
 /{,usr/}bin/uname rUx,
 /{,usr/}sbin/killall5 ix,
 @{PROC} r,
+ @{PROC}/@{pid}/comm r,
 @{PROC}/@{pid}/oom_score_adj w,
 @{PROC}/@{pid}/setgroups w,
 @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/comm r,
 @{PROC}/@{pid}/task/* r,
 @{PROC}/@{pid}/task/comm rw,
 @{PROC}/[0-9]*/net/dev r,
 @{PROC}/[0-9]*/net/if_inet6 r,
 @{PROC}/[0-9]*/net/ipv6_route r,
- # @{PROC}/[0-9]*/net/wireless r,
 @{PROC}/bus/pci/devices r,
 @{PROC}/sys/dev/i915/perf_stream_paranoid r,
 @{PROC}/sys/kernel/osrelease r,
@@ -119,6 +118,7 @@ include
 owner "@{HOME}/.config/Unknown Organization/**" rwk,
 owner /dev/shm/.org.chromium.Chromium* mrw,
 owner /{,var/}run/user/*/dconf/user rw,
+ owner /{,var/}run/user/[0-9]*/pulse/cli rw,
 owner @{HOME}/.cache/mesa_shader_cache/ rw,
 owner @{HOME}/.cache/mesa_shader_cache/** rwk,
 owner @{HOME}/.cache/mesa_shader_cache/index mrw,
@@ -151,13 +151,10 @@ include
 owner @{HOME}/Documents/Zoom/** rwk,
 owner @{PROC}/@{pid}/fd/ r,
- owner /{,var/}run/user/[0-9]*/pulse/cli rw,
- # Zoom 5.10.x
- # capability sys_admin,
 profile lsb_release {
- include
- include
+ #include
+ #include
 deny /tmp/gtalkplugin.log w,