From 0572688c592a181b4b35b7e29573302d3b3718b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:27:06 +0200 Subject: [PATCH] feat(profile): small general upgrade. --- .../groups/systemd-service/dmesg.service | 1 + .../groups/systemd-service/man-db.service | 2 ++ apparmor.d/groups/ubuntu/esm_cache | 19 +++++++++++++++++++ apparmor.d/groups/ubuntu/update-manager | 6 +++--- apparmor.d/groups/usb/lsusb | 2 ++ apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 1 + apparmor.d/profiles-g-l/gitstatusd | 5 +++++ apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hddtemp | 18 +++--------------- apparmor.d/profiles-g-l/ischroot | 2 ++ apparmor.d/profiles-g-l/landscape-sysinfo | 6 +++--- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pycompile | 9 +++------ apparmor.d/profiles-m-r/rsyslogd | 7 ++++--- apparmor.d/profiles-s-z/update-initramfs | 3 +++ apparmor.d/profiles-s-z/whiptail | 2 ++ 18 files changed, 57 insertions(+), 34 deletions(-) create mode 100644 apparmor.d/groups/ubuntu/esm_cache diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service index 4c67f680a..0a46f6ed9 100644 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) { capability chown, capability fsetid, + capability sys_admin, ptrace read peer=@{p_systemd}, diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service index 24b34fc25..c3bfa7c32 100644 --- a/apparmor.d/groups/systemd-service/man-db.service +++ b/apparmor.d/groups/systemd-service/man-db.service 
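Review bot: `capability sys_admin,` lands in dmesg.service with no why-comment, and it is the broadest capability AppArmor can grant, so the operation that triggered the denial should be recorded next to it, e.g. `capability sys_admin, # TODO(review): name the call that needs this`. If the denial came from reading the kernel log, CAP_SYSLOG is the narrower capability the kernel checks first and may already be granted in the part of the profile outside this hunk, in which case the grant may be unnecessary. The same missing rationale applies to `capability setuid,` added to e2scrub_all further down. The enclosing profile block starts and ends outside the hunk.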
@@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete # ExecStart=/usr/bin/mandb --quiet abi , @@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) { include include + @{bin}/find ix, @{bin}/install ix, @{bin}/mandb r, diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache new file mode 100644 index 000000000..2596d6c12 --- /dev/null +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index e1636c6d5..0e0dcdb0b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, 
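Review bot: The new esm_cache profile contains no access rule beyond `@{exec_path} mr,`, and the angle-bracketed include targets do not survive in this rendering, so it cannot be confirmed that the Python interpreter and whatever the script reads or writes are covered. For a profile attached to a `.py` script, either the abstractions pulled in must carry the whole access set or the profile should start with `flags=(complain)` until the rule set has been collected from the logs. A one-line header comment naming the unit or job that invokes `esm_cache.py` would also help later maintenance.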
diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index f824343d6..b5a24940d 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -21,6 +21,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index dbe561ab6..1e4850e7a 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/{,e}grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 0079053e0..e5d13f1de 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -12,6 +12,7 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include + capability setuid, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index a62ce7fde..8901ade9c 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -9,6 +9,9 @@ include @{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include + include + + signal receive set=term peer=*//shell, @{exec_path} mr, @@ -18,6 +21,8 @@ profile gitstatusd @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, + # Silencer deny capability dac_read_search, deny capability dac_override, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 779dd8e67..719625dbd 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager 
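Review bot: `/dev/bus/usb/@{int}/@{int} w,` gives a pure enumeration tool write access to every USB device node, which is enough to issue control transfers, so the rule should say why it is needed. libusb typically tries to open the node O_RDWR and falls back to O_RDONLY, so if lsusb produces correct output without the grant the quieter choice is a silencer in the style the gitstatusd hunk below uses, `deny /dev/bus/usb/@{int}/@{int} w,`. If write really is required, `rw` with a comment is more accurate, because an O_RDWR open needs both permissions unless a read rule for the same path exists in the part of the profile outside this hunk.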
@@ -16,7 +16,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e96a45237..55d2abb5d 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -10,32 +10,20 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index 4e087343a..8c18782f9 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -13,6 +13,8 @@ profile ischroot @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /var/lib/update-notifier/tmp.@{rand10} w, + @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 1c3c98d52..5eb5dac06 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo 
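Review bot: The hunk turns `deny capability sys_admin,` into `capability sys_admin,` and at the same time deletes the comment that explained why the denial had been chosen (the HDIO_DRIVE_CMD ioctl and its CAP_SYS_RAWIO requirement), leaving the reversal undocumented. A one-line replacement such as `capability sys_admin, # HDIO_DRIVE_CMD passthrough on libata devices also checks CAP_SYS_ADMIN` would preserve the reasoning; my recollection is that libata's ATA command ioctl requires both capabilities, which is worth confirming against the denial log before keeping the broad grant. The removed `/dev/sd[a-z]* r,` and `/etc/gai.conf r,` are presumably replaced by the two new includes, whose targets are not visible on this page, so that coverage should be double-checked.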
@@ -27,9 +27,9 @@ profile landscape-sysinfo @{exec_path} { @{bin}/who rix, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/ w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc.@{u64} w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /var/log/landscape/{,**} rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 8cc8a65e1..b21642cf8 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -13,6 +13,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -109,7 +110,6 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 9b3525fa5..82465ceb2 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include + include capability dac_read_search, capability sys_ptrace, @@ -27,7 +28,6 @@ profile needrestart-notify @{exec_path} { /etc/needrestart/notify.conf r, @{PROC}/@{pid}/environ r, - @{PROC}/filesystems r, include if exists } 
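Review bot: The three rewritten rules widen landscape-sysinfo's write access from `dist-packages/landscape/` to every `__pycache__` directory under `@{lib}/@{python_name}/`, so a compromise of this tool would let it drop `.pyc` files into any system package's cache, where a later root-run interpreter would load them in place of the source. If the denials that motivated the change come from specific packages, listing those directories keeps the rule tight, e.g. `@{lib}/@{python_name}/dist-packages/{landscape,OTHER_PKG}/{,**/}__pycache__/ w,` (OTHER_PKG is a placeholder). The enumerate-all form is appropriate for pycompile below, whose job is to compile every package, but not for a reporting tool; the profile header and its remaining rules lie outside this hunk.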
diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 984fcf03c..b684c3094 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -21,12 +21,9 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - @{lib}/@{python_name}/dist-packages/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, /usr/share/python3/{,**} r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 80d75a928..ede981f58 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,11 +12,12 @@ profile rsyslogd @{exec_path} { include include - capability chown, # For creating new log files and changing their owner/group - capability net_admin, # For remote logs - capability setgid, # For downgrading privileges + capability dac_override, + capability dac_read_search, + capability setgid, capability setuid, capability sys_nice, + capability sys_tty_config, capability syslog, network inet dgram, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index f9e47cb52..472de3343 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs 
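Review bot: The rewritten rules keep the `*.pyc.*` suffix glob while the update-manager and landscape-sysinfo hunks in this same commit settle on `.pyc.@{u64}` for the interpreter's temporary file, so `@{lib}/@{python_name}/**/__pycache__/*.pyc.@{u64} w,` would make the three profiles consistent and slightly narrower. Collapsing `dist-packages/` and `dist-packages/**/` into `**/` is fine here because byte-compiling every package is pycompile's job, though a one-line comment saying so would stop a later reader from tightening it again. The profile is in complain mode (`flags=(attach_disconnected,complain)`), so any miss will show as a log entry rather than a failure.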
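Review bot: The rsyslogd hunk adds `capability dac_override,` and `capability dac_read_search,` without a comment while deleting the three `# For ...` rationale comments that the replaced lines carried, so the profile ends up with more privilege and less explanation. dac_override lets rsyslogd write any path its file rules match regardless of ownership or mode, which is a broad grant for a log daemon; if the denials come from reading files owned by another user after a privilege drop, `dac_read_search` alone may suffice and dac_override should be justified on its own line, and the new `capability sys_tty_config,` deserves a note naming the output module that needs it. The rest of the profile is outside the hunk, so I cannot see whether a privilege-drop directive in the configuration makes these necessary.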
@@ -28,12 +28,15 @@ profile update-initramfs @{exec_path} { @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, + /etc/initramfs/post-update.d/* rPUx, + /var/lib/initramfs-tools/* w, # For shell pwd diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f0efad77b..a42a63312 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -18,6 +18,8 @@ profile whiptail @{exec_path} { /usr/share/terminfo/** r, + /etc/newt/palette.* r, + include if exists }
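Review bot: `/etc/initramfs/post-update.d/* rPUx,` sends every post-update hook that has no profile of its own to unconfined, and since update-initramfs runs as root that is a complete exit from confinement for any script placed in that directory; if that is the intended trade-off for hook directories, a comment such as `# hooks without a dedicated profile run unconfined` should say so. `/var/lib/initramfs-tools/* w,` is write-only, but as far as I recall update-initramfs also reads the stored checksum back to compare it with the freshly built image, so a read of the same path is needed unless a read rule already exists in the part of the profile outside this hunk; `rw` would cover both. The enclosing profile starts and ends outside the hunk.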