From 033807c6cd6ac44bd2460bb0c3c6b38530c652c1 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 18 May 2025 20:32:57 +0200
Subject: [PATCH] feat(profile): add dpkg-script-tmp.
---
 apparmor.d/groups/apt/deb-systemd-invoke | 2 +-
 apparmor.d/groups/apt/dpkg-architecture | 9 ++--
 apparmor.d/groups/apt/dpkg-db-backup | 42 +++++++++++++++
 apparmor.d/groups/apt/dpkg-maintscript-helper | 6 +--
 apparmor.d/groups/apt/dpkg-script-tmp | 53 +++++++++++++++++++
 apparmor.d/groups/apt/dpkg-vendor | 1 -
 dists/flags/main.flags | 2 +
 7 files changed, 104 insertions(+), 11 deletions(-)
 create mode 100644 apparmor.d/groups/apt/dpkg-db-backup
 create mode 100644 apparmor.d/groups/apt/dpkg-script-tmp
diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke
index 63dfdaf52..0994006da 100644
--- a/apparmor.d/groups/apt/deb-systemd-invoke
+++ b/apparmor.d/groups/apt/deb-systemd-invoke
@@ -21,7 +21,7 @@ profile deb-systemd-invoke @{exec_path} {
 @{sh_path} rix,
 @{bin}/systemctl rix,
- @{bin}/systemd-tty-ask-password-agent rPx,
+ @{bin}/systemd-tty-ask-password-agent Px,
 include if exists
 }
diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture
index a58257271..b1a23f222 100644
--- a/apparmor.d/groups/apt/dpkg-architecture
+++ b/apparmor.d/groups/apt/dpkg-architecture
@@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} {
 capability dac_read_search,
 @{exec_path} r,
- /usr/bin/perl r,
- @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
- @{lib}/llvm-[0-9]*/bin/clang rix,
+ @{bin}/{,@{multiarch}-}gcc-[0-9]* ix,
+ @{lib}/llvm-[0-9]*/bin/clang ix,
 @{bin}/ccache rCx -> ccache,
 @{bin}/dpkg rPx -> child-dpkg,
@@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} {
 /etc/debian_version r,
- # file_inherit
- owner @{tmp}/* rw,
-
+ audit owner @{tmp}/* rw,
 profile ccache {
 include
diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup
new file mode 100644
index 000000000..d83bdbb45
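Review bot: The new `audit owner @{tmp}/* rw,` in the second dpkg-architecture hunk drops the `# file_inherit` comment that was the only explanation for granting a read/write rule over every owned file under @{tmp}, and the `audit` qualifier sends each matching access to the audit log, which reads like a temporary diagnostic rather than a settled rule. Suggest keeping the rationale and recording the intent of the qualifier on the line above it, e.g. `# file_inherit: audited to find which @{tmp} files dpkg-architecture really needs`, so it is clear the rule should be narrowed and `audit` dropped once the access pattern is known. The ccache child profile and the rest of the profile body continue outside the hunk.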
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-db-backup
@@ -0,0 +1,42 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/dpkg/dpkg-db-backup
+profile dpkg-db-backup @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/basename rix,
+ @{bin}/cmp rix,
+ @{bin}/cp rix,
+ @{bin}/date rix,
+ @{bin}/dirname rix,
+ @{bin}/gzip rix,
+ @{bin}/mv rix,
+ @{bin}/rm rix,
+ @{bin}/savelog rix,
+ @{bin}/tar rix,
+ @{bin}/touch rix,
+
+ /usr/share/dpkg/{,**} r,
+
+ /var/lib/dpkg/ r,
+ /var/lib/dpkg/alternatives/{,*} r,
+ /var/lib/dpkg/diversions r,
+ /var/lib/dpkg/statoverride r,
+
+ /var/backups/{,**} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper
index b7d8675e8..dfb881e32 100644
--- a/apparmor.d/groups/apt/dpkg-maintscript-helper
+++ b/apparmor.d/groups/apt/dpkg-maintscript-helper
@@ -13,9 +13,9 @@ profile dpkg-maintscript-helper @{exec_path} {
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/basename rix,
- @{bin}/dpkg rCx -> dpkg,
+ @{sh_path} rix,
+ @{bin}/basename rix,
+ @{bin}/dpkg rCx -> dpkg,
 /usr/share/dpkg/sh/* r,
diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp
new file mode 100644
index 000000000..e6c7fbe44
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-script-tmp
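Review bot: The new dpkg-db-backup profile grants read access to `/var/lib/dpkg/alternatives/{,*}`, `diversions` and `statoverride` but not to `/var/lib/dpkg/status`, which is the main database the backup job copies; unless one of the included abstractions (their names are not visible in this rendering) already covers it, that read will be denied once the profile leaves complain mode. Suggest adding `/var/lib/dpkg/status r,` alongside the other database files. The `/var/backups/{,**} rw,` rule also reaches every file under /var/backups, not only the dpkg and alternatives archives this script rotates; if the output names are stable (to be confirmed against the script), narrowing the pattern to those names would keep a compromised or misbehaving backup script away from unrelated backups. A short header comment stating that the profile confines the dpkg database backup helper and which files it is expected to rotate would also help the next reader judge future rule additions.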
@@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext}
+profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ @{exec_path} mrix,
+
+ @{sh_path} rix,
+ @{coreutils_path} rix,
+ @{bin}/run-parts rix,
+ @{bin}/deb-systemd-invoke Px,
+ @{bin}/dpkg Px,
+ @{bin}/dpkg-divert Px,
+ @{bin}/dpkg-maintscript-helper Px,
+ @{bin}/kmod Cx -> kmod,
+ @{bin}/systemctl Cx -> systemctl,
+
+ /etc/kernel/preinst.d/*-microcode ix,
+
+ @{lib}/modules/*/.fresh-install w,
+
+ profile kmod {
+ include
+ include
+
+ include if exists
+ }
+
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+ capability sys_resource,
+
+ @{bin}/systemd-tty-ask-password-agent Px,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor
index aee717257..70d2199f2 100644
--- a/apparmor.d/groups/apt/dpkg-vendor
+++ b/apparmor.d/groups/apt/dpkg-vendor
@@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} {
 include
 @{exec_path} r,
- /usr/bin/perl r,
 /etc/dpkg/origins/* r,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 9aa61f15b..aa62f9108 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -86,11 +86,13 @@ dmsetup complain
 dockerd attach_disconnected,complain
 dolphin complain
 downloadhelper complain
+dpkg-db-backup complain
 dpkg-maintscript-helper complain
 dpkg-script-apparmor complain
 dpkg-script-kmod complain
 dpkg-script-linux complain
 dpkg-script-systemd complain
+dpkg-script-tmp complain
 dpkg-scripts complain
 drkonqi complain
 drkonqi-coredump-cleanup complain
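Review bot: In the new dpkg-script-tmp profile, `@{bin}/dpkg Px,` transitions a maintainer script into the full dpkg profile, while the dpkg-architecture hunk in this same patch routes dpkg through `rPx -> child-dpkg`; maintainer scripts normally only need query-style invocations such as `dpkg --compare-versions`, and the parent dpkg holds the database lock while the script runs, so the narrower target looks like the intended one. Suggest `@{bin}/dpkg Px -> child-dpkg,` unless a script genuinely needs a full dpkg run, in which case a comment saying so would be worth keeping. The attachment path `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext}` means this profile applies to whatever control script dpkg stages in tmp.ci during unpack, so its rules are the baseline every package's script inherits; a one-line header such as `# Confines maintainer scripts that dpkg stages in /var/lib/dpkg/tmp.ci while unpacking a package` would make that scope explicit. In the systemctl child profile, `capability sys_ptrace,` is a broad grant for a status/restart helper; confirm it is required here rather than carried over from the existing dpkg-script-systemd rules.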