feat(profile): small general upgrade.

2025-06-21 20:27:06 +02:00 · 2025-06-21 20:27:06 +02:00 · 0572688c59
commit 0572688c59
parent f8250f7e0c
18 changed files with 57 additions and 34 deletions
--- a/apparmor.d/groups/systemd-service/dmesg.service
+++ b/apparmor.d/groups/systemd-service/dmesg.service
@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) {
  capability chown,
  capability fsetid,
  capability sys_admin,
  ptrace read peer=@{p_systemd},
--- a/apparmor.d/groups/systemd-service/man-db.service
+++ b/apparmor.d/groups/systemd-service/man-db.service
@ -3,6 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man
 # ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete
 # ExecStart=/usr/bin/mandb --quiet
 abi <abi/4.0>,
@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  @{bin}/find     ix,
  @{bin}/install  ix,
  @{bin}/mandb    r,
--- a/apparmor.d/groups/ubuntu/esm_cache
+++ b/apparmor.d/groups/ubuntu/esm_cache
@ -0,0 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py
 profile esm_cache @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
  @{exec_path} mr,
  include if exists <local/esm_cache>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  @{bin}/uname                    rix,
  @{lib}/apt/methods/http{,s}     rPx,
-  @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
+  @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,
-  @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
+  @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,
-  @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw,
+  @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw,
  /usr/share/distro-info/{,**} r,
  /usr/share/ubuntu-release-upgrader/{,**} r,
--- a/apparmor.d/groups/usb/lsusb
+++ b/apparmor.d/groups/usb/lsusb
@ -21,6 +21,8 @@ profile lsusb @{exec_path} {
  /etc/udev/hwdb.bin r,
  /dev/bus/usb/@{int}/@{int} w,
  include if exists <local/lsusb>
 }
--- a/apparmor.d/profiles-a-f/e2scrub_all
+++ b/apparmor.d/profiles-a-f/e2scrub_all
@ -12,6 +12,7 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) {
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
  capability setuid,
  capability sys_admin,
  capability sys_rawio,
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*}
 profile gitstatusd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  signal receive set=term peer=*//shell,
  @{exec_path} mr,
@ -18,6 +21,8 @@ profile gitstatusd @{exec_path} {
  owner @{HOME}/.gitconfig r,
  owner @{user_config_dirs}/git/{,*} r,
  owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r,
  # Silencer
  deny capability dac_read_search,
  deny capability dac_override,
--- a/apparmor.d/profiles-g-l/hddtemp
+++ b/apparmor.d/profiles-g-l/hddtemp
@ -10,32 +10,20 @@ include <tunables/global>
@{exec_path} = @{bin}/hddtemp
 profile hddtemp @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
-  # To remove the following errors:
+  capability sys_admin,
  #  /dev/sda: Permission denied
  capability sys_rawio,
  # There's the following error in strace:
  #  ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied)
  # This should be covered by CAP_SYS_RAWIO instead.
  # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst)
  # It looks like hddtemp works just fine without it.
  deny capability sys_admin,
  network inet stream,
  network inet6 stream,
  @{exec_path} mr,
  # Monitored hard drives
  /dev/sd[a-z]* r,
  # Database file that allows hddtemp to recognize supported drives
  /etc/hddtemp.db r,
  # Needed when the hddtemp daemon is started in the TCP/IP mode
  /etc/gai.conf r,
  include if exists <local/hddtemp>
 }
--- a/apparmor.d/profiles-g-l/ischroot
+++ b/apparmor.d/profiles-g-l/ischroot
@ -13,6 +13,8 @@ profile ischroot @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /var/lib/update-notifier/tmp.@{rand10} w,
  @{PROC}/@{pid}/mountinfo r,
  include if exists <local/ischroot>
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@ -27,9 +27,9 @@ profile landscape-sysinfo @{exec_path} {
  @{bin}/who rix,
-  @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/ w,
+  @{lib}/@{python_name}/**/__pycache__/ w,
-  @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc w,
-  @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc.@{u64} w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
  /var/log/landscape/{,**} rw,
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@ -13,6 +13,7 @@ profile libreoffice @{exec_path} {
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -109,7 +110,6 @@ profile libreoffice @{exec_path} {
        @{sys}/kernel/mm/hugepages/ r,
        @{sys}/kernel/mm/transparent_hugepage/enabled r,
        @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
        @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
--- a/apparmor.d/profiles-m-r/needrestart-notify
+++ b/apparmor.d/profiles-m-r/needrestart-notify
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{etc_ro}/needrestart/notify.d/*
 profile needrestart-notify @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
  capability sys_ptrace,
@ -27,7 +28,6 @@ profile needrestart-notify @{exec_path} {
  /etc/needrestart/notify.conf r,
  @{PROC}/@{pid}/environ r,
  @{PROC}/filesystems r,
  include if exists <local/needrestart-notify>
 }
--- a/apparmor.d/profiles-m-r/pycompile
+++ b/apparmor.d/profiles-m-r/pycompile
@ -21,12 +21,9 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/dpkg rCx -> dpkg,
-  @{lib}/@{python_name}/dist-packages/__pycache__/ w,
+  @{lib}/@{python_name}/**/__pycache__/ w,
-  @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w,
+  @{lib}/@{python_name}/**/__pycache__/*.pyc w,
-  @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w,
+  @{lib}/@{python_name}/**/__pycache__/*.pyc.* w,
  @{lib}/@{python_name}/dist-packages/**/__pycache__/ w,
  @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w,
  @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w,
  /usr/share/python3/{,**} r,
--- a/apparmor.d/profiles-m-r/rsyslogd
+++ b/apparmor.d/profiles-m-r/rsyslogd
@ -12,11 +12,12 @@ profile rsyslogd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  capability chown,  # For creating new log files and changing their owner/group
+  capability dac_override,
-  capability net_admin,  # For remote logs
+  capability dac_read_search,
-  capability setgid,  # For downgrading privileges
+  capability setgid,
  capability setuid,
  capability sys_nice,
  capability sys_tty_config,
  capability syslog,
  network inet dgram,
--- a/apparmor.d/profiles-s-z/update-initramfs
+++ b/apparmor.d/profiles-s-z/update-initramfs
@ -28,12 +28,15 @@ profile update-initramfs @{exec_path} {
  @{bin}/sha1sum       rix,
  @{bin}/sync          rix,
  @{bin}/uname         rix,
  @{bin}/run-parts     rix,
  @{bin}/dpkg-trigger  rPx,
  @{bin}/ischroot      rPx,
  @{bin}/linux-version rPx,
  @{sbin}/mkinitramfs  rPx,
  /etc/initramfs/post-update.d/* rPUx,
  /var/lib/initramfs-tools/* w,
  # For shell pwd
--- a/apparmor.d/profiles-s-z/whiptail
+++ b/apparmor.d/profiles-s-z/whiptail
@ -18,6 +18,8 @@ profile whiptail @{exec_path} {
  /usr/share/terminfo/** r,
  /etc/newt/palette.* r,
  include if exists <local/whiptail>
 }