feat(profile): small general upgrade.

2025-06-21 20:27:06 +02:00 · 2025-06-21 20:27:06 +02:00 · 0572688c59
commit 0572688c59
parent f8250f7e0c
18 changed files with 57 additions and 34 deletions
--- a/apparmor.d/groups/systemd-service/dmesg.service
+++ b/apparmor.d/groups/systemd-service/dmesg.service
@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) {

  capability chown,
  capability fsetid,
+  capability sys_admin,

  ptrace read peer=@{p_systemd},

--- a/apparmor.d/groups/systemd-service/man-db.service
+++ b/apparmor.d/groups/systemd-service/man-db.service
@ -3,6 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only

 # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man
+# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete
 # ExecStart=/usr/bin/mandb --quiet

 abi <abi/4.0>,
@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

+  @{bin}/find     ix,
  @{bin}/install  ix,
  @{bin}/mandb    r,

--- a/apparmor.d/groups/ubuntu/esm_cache
+++ b/apparmor.d/groups/ubuntu/esm_cache
@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py
+profile esm_cache @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+
+  @{exec_path} mr,
+
+  include if exists <local/esm_cache>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  @{bin}/uname                    rix,
  @{lib}/apt/methods/http{,s}     rPx,

-  @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
-  @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
-  @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
+  @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,
+  @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,
+  @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,

  /usr/share/distro-info/{,**} r,
  /usr/share/ubuntu-release-upgrader/{,**} r,
--- a/apparmor.d/groups/usb/lsusb
+++ b/apparmor.d/groups/usb/lsusb
@ -21,6 +21,8 @@ profile lsusb @{exec_path} {

  /etc/udev/hwdb.bin r,

+  /dev/bus/usb/@{int}/@{int} w,
+
  include if exists <local/lsusb>
 }

--- a/apparmor.d/groups/whonix/sdwdate
+++ b/apparmor.d/groups/whonix/sdwdate
@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) {
  @{bin}/touch                          rix,
  @{lib}/helper-scripts/*               rix,
  @{bin}/url_to_unixtime                rix,
-  @{bin}/{,e}grep rix,
+  @{bin}/{,e}grep                       rix,

  @{lib}/helper-scripts/ r,
  @{lib}/sdwdate/ r,
--- a/apparmor.d/profiles-a-f/e2scrub_all
+++ b/apparmor.d/profiles-a-f/e2scrub_all
@ -12,6 +12,7 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) {
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>

+  capability setuid,
  capability sys_admin,
  capability sys_rawio,

--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*}
 profile gitstatusd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
+
+  signal receive set=term peer=*//shell,

  @{exec_path} mr,

@ -18,6 +21,8 @@ profile gitstatusd @{exec_path} {
  owner @{HOME}/.gitconfig r,
  owner @{user_config_dirs}/git/{,*} r,

+  owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r,
+
  # Silencer
  deny capability dac_read_search,
  deny capability dac_override,
--- a/apparmor.d/profiles-g-l/gpu-manager
+++ b/apparmor.d/profiles-g-l/gpu-manager
@ -16,7 +16,7 @@ profile gpu-manager @{exec_path} {

  @{exec_path} mr,

-  @{sh_path}   rix,
+  @{sh_path}       rix,
  @{bin}/{,e}grep  rix,

  /etc/modprobe.d/{,**} r,
--- a/apparmor.d/profiles-g-l/hddtemp
+++ b/apparmor.d/profiles-g-l/hddtemp
@ -10,32 +10,20 @@ include <tunables/global>
@{exec_path} = @{bin}/hddtemp
 profile hddtemp @{exec_path} {
  include <abstractions/base>
+  include <abstractions/disks-read>
+  include <abstractions/nameservice-strict>

-  # To remove the following errors:
-  #  /dev/sda: Permission denied
+  capability sys_admin,
  capability sys_rawio,

-  # There's the following error in strace:
-  #  ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied)
-  # This should be covered by CAP_SYS_RAWIO instead.
-  # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst)
-  # It looks like hddtemp works just fine without it.
-  deny capability sys_admin,
-
  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

-  # Monitored hard drives
-  /dev/sd[a-z]* r,
-
  # Database file that allows hddtemp to recognize supported drives
  /etc/hddtemp.db r,

-  # Needed when the hddtemp daemon is started in the TCP/IP mode
-  /etc/gai.conf r,
-
  include if exists <local/hddtemp>
 }

--- a/apparmor.d/profiles-g-l/ischroot
+++ b/apparmor.d/profiles-g-l/ischroot
@ -13,6 +13,8 @@ profile ischroot @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  /var/lib/update-notifier/tmp.@{rand10} w,
+
  @{PROC}/@{pid}/mountinfo r,

  include if exists <local/ischroot>
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@ -27,9 +27,9 @@ profile landscape-sysinfo @{exec_path} {

  @{bin}/who rix,

-  @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/ w,
-  @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc w,
-  @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc.@{u64} w,
+  @{lib}/@{python_name}/**/__pycache__/ w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,

  /var/log/landscape/{,**} rw,

--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@ -13,6 +13,7 @@ profile libreoffice @{exec_path} {
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -109,7 +110,6 @@ profile libreoffice @{exec_path} {
        @{sys}/kernel/mm/hugepages/ r,
        @{sys}/kernel/mm/transparent_hugepage/enabled r,
        @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
-        @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
--- a/apparmor.d/profiles-m-r/needrestart-notify
+++ b/apparmor.d/profiles-m-r/needrestart-notify
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{etc_ro}/needrestart/notify.d/*
 profile needrestart-notify @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability dac_read_search,
  capability sys_ptrace,
@ -27,7 +28,6 @@ profile needrestart-notify @{exec_path} {
  /etc/needrestart/notify.conf r,

  @{PROC}/@{pid}/environ r,
-  @{PROC}/filesystems r,

  include if exists <local/needrestart-notify>
 }
--- a/apparmor.d/profiles-m-r/pycompile
+++ b/apparmor.d/profiles-m-r/pycompile
@ -21,12 +21,9 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) {

  @{bin}/dpkg rCx -> dpkg,

-  @{lib}/@{python_name}/dist-packages/__pycache__/ w,
-  @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w,
-  @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w,
-  @{lib}/@{python_name}/dist-packages/**/__pycache__/ w,
-  @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w,
-  @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w,
+  @{lib}/@{python_name}/**/__pycache__/ w,
+  @{lib}/@{python_name}/**/__pycache__/*.pyc w,
+  @{lib}/@{python_name}/**/__pycache__/*.pyc.* w,

  /usr/share/python3/{,**} r,

--- a/apparmor.d/profiles-m-r/rsyslogd
+++ b/apparmor.d/profiles-m-r/rsyslogd
@ -12,11 +12,12 @@ profile rsyslogd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

-  capability chown,  # For creating new log files and changing their owner/group
-  capability net_admin,  # For remote logs
-  capability setgid,  # For downgrading privileges
+  capability dac_override,
+  capability dac_read_search,
+  capability setgid,
  capability setuid,
  capability sys_nice,
+  capability sys_tty_config,
  capability syslog,

  network inet dgram,
--- a/apparmor.d/profiles-s-z/update-initramfs
+++ b/apparmor.d/profiles-s-z/update-initramfs
@ -28,12 +28,15 @@ profile update-initramfs @{exec_path} {
  @{bin}/sha1sum       rix,
  @{bin}/sync          rix,
  @{bin}/uname         rix,
+  @{bin}/run-parts     rix,

  @{bin}/dpkg-trigger  rPx,
  @{bin}/ischroot      rPx,
  @{bin}/linux-version rPx,
  @{sbin}/mkinitramfs  rPx,

+  /etc/initramfs/post-update.d/* rPUx,
+
  /var/lib/initramfs-tools/* w,

  # For shell pwd
--- a/apparmor.d/profiles-s-z/whiptail
+++ b/apparmor.d/profiles-s-z/whiptail
@ -18,6 +18,8 @@ profile whiptail @{exec_path} {

  /usr/share/terminfo/** r,

+  /etc/newt/palette.* r,
+
  include if exists <local/whiptail>
 }