Reorganise the directories.

This commit is contained in:
Alexandre Pujol 2021-04-01 17:02:49 +01:00
parent 91b15fcc73
commit 091d20d086
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
715 changed files with 0 additions and 0 deletions

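--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -0,0 +1,177 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{BUILD_DIR} = /media/debuilder/
+@{exec_path} = /{usr/,}bin/apt
+profile apt @{exec_path} flags=(complain) {
+include <abstractions/base>
+include <abstractions/consoles>
+include <abstractions/apt-common>
+include <abstractions/nameservice-strict>
+include <abstractions/ssl_certs>
+# To remove the following errors:
+# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
+# (1: Operation not permitted)
+# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
+# (1: Operation not permitted)
+# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
+# Item::QueueURI (1: Operation not permitted)
+capability fowner,
+# To remove the following errors:
+# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
+# (1: Operation not permitted)
+# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
+# (1: Operation not permitted)
+capability chown,
+# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
+# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
+# used by APT to download packages, package list, and other things using APT methods as an
+# unprivileged user/group (_apt/nogroup).
+#
+# To remove the following errors:
+# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
+# E: setegid 65534 failed - setegid (1: Operation not permitted)
+# E: seteuid 100 failed - seteuid (1: Operation not permitted)
+# E: setgroups 0 failed - setgroups (1: Operation not permitted)
+capability setuid,
+capability setgid,
+# To remove the following errors:
+# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
+# PrepareFiles (13: Permission denied)
+# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
+capability dac_read_search,
+# To remove the following errors:
+# E: Failed to fetch https://**.deb rename failed, Permission denied
+# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
+# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
+capability dac_override,
+# Needed? (##FIXME##)
+capability kill,
+capability fsetid,
+audit deny capability net_admin,
+signal (send) peer=apt-methods-*,
+@{exec_path} mr,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}bin/test rix,
+/{usr/,}bin/{,e}grep rix,
+/{usr/,}bin/ps rPx,
+/{usr/,}bin/dpkg rPx,
+/{usr/,}bin/apt-listbugs rPx,
+/{usr/,}bin/apt-listchanges rPx,
+/{usr/,}bin/apt-show-versions rPx,
+/{usr/,}sbin/dpkg-preconfigure rPx,
+/{usr/,}bin/debtags rPx,
+/{usr/,}sbin/localepurge rPx,
+/{usr/,}bin/appstreamcli rPx,
+/{usr/,}bin/adequate rPx,
+/{usr/,}sbin/update-command-not-found rPx,
+/usr/share/command-not-found/cnf-update-db rPx,
+/{usr/,}bin/dpkg-source rcx -> dpkg-source,
+# Methods to use to download packages from the net
+/{usr/,}lib/apt/methods/* rPx,
+/var/lib/apt/lists/** rw,
+/var/lib/apt/lists/lock rwk,
+/var/lib/apt/extended_states{,.*} rw,
+/var/log/apt/eipp.log.xz w,
+/var/log/apt/{term,history}.log w,
+# For editing the sources.list file
+/etc/apt/sources.list rwk,
+/{usr/,}bin/sensible-editor rCx -> editor,
+/{usr/,}bin/vim.* rCx -> editor,
+/var/lib/dpkg/** r,
+/var/lib/dpkg/lock{,-frontend} rwk,
+owner @{PROC}/@{pid}/fd/ r,
+/dev/ptmx rw,
+/var/lib/dbus/machine-id r,
+/etc/machine-id r,
+/tmp/ r,
+owner /tmp/apt.conf.* rw,
+owner /tmp/apt.data.* rw,
+owner /tmp/apt-dpkg-install-*/ rw,
+owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
+/var/cache/apt/ r,
+/var/cache/apt/** rwk,
+# For package building
+@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+profile editor flags=(complain) {
+include <abstractions/base>
+include <abstractions/nameservice-strict>
+/{usr/,}bin/sensible-editor mr,
+/{usr/,}bin/vim.* mrix,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}bin/which rix,
+owner @{HOME}/.selected_editor r,
+/usr/share/vim/{,**} r,
+/etc/vim/{,**} r,
+owner @{HOME}/.viminfo{,.tmp} rw,
+owner @{HOME}/.fzf/plugin/ r,
+owner @{HOME}/.fzf/plugin/fzf.vim r,
+/etc/apt/sources.list rw,
+}
+profile dpkg-source flags=(complain) {
+include <abstractions/base>
+include <abstractions/perl>
+include <abstractions/nameservice-strict>
+/{usr/,}bin/dpkg-source mr,
+/{usr/,}bin/perl r,
+/{usr/,}bin/tar rix,
+/{usr/,}bin/bunzip2 rix,
+/{usr/,}bin/gunzip rix,
+/{usr/,}bin/gzip rix,
+/{usr/,}bin/xz rix,
+/{usr/,}bin/rm rix,
+/{usr/,}bin/chmod rix,
+/{usr/,}bin/patch rix,
+/etc/dpkg/origins/debian r,
+owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
+owner @{HOME}/** rwkl -> @{HOME}/**,
+audit deny owner @{HOME}/.* mrwkl,
+audit deny owner @{HOME}/.*/ rw,
+audit deny owner @{HOME}/.*/** mrwkl,
+}
+include if exists <local/apt>
+}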


@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache
profile apt-cache @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
include if exists <local/apt-cache>
}


@ -0,0 +1,87 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
capability dac_read_search,
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/mount rCx -> mount,
/{usr/,}bin/umount rCx -> umount,
# Are all of these needed? (#FIXME#)
@{sys}/bus/ r,
@{sys}/bus/*/devices/ r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/devices/**/uevent r,
@{run}/udev/data/* r,
/etc/fstab r,
# For cd-roms
/media/cdrom[0-9]/ r,
/media/cdrom[0-9]/**/ r,
/media/cdrom[0-9]/.disk/info r,
/media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r,
/media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,
# For pendrives
/media/*/*/ r,
/media/*/*/**/ r,
/media/*/*/.disk/info r,
/media/*/*/dists/**/binary-*/Packages{,.gz} r,
/media/*/*/dists/**/i18n/Translation-en{,.gz} r,
/var/lib/apt/lists/** rw,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/apt/cdroms.list{,.new} rw,
/var/lib/apt/cdroms.list~ w,
/etc/apt/sources.list{,.new} rw,
/etc/apt/sources.list~ w,
profile mount flags=(complain) {
include <abstractions/base>
/{usr/,}bin/mount mr,
/etc/fstab r,
/media/cdrom[0-9]/ r,
}
profile umount flags=(complain) {
include <abstractions/base>
capability sys_admin,
/{usr/,}bin/umount mr,
@{run}/mount/utab{,.*} rw,
@{run}/mount/utab.lock rwk,
owner @{PROC}/@{pid}/mountinfo r,
umount /media/*/,
umount /media/*/*/,
}
include if exists <local/apt-cdrom>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config
profile apt-config @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-config>
}


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-extracttemplates
profile apt-extracttemplates @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx -> child-dpkg,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner /tmp/*.{config,template}.?????? rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/apt-extracttemplates>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-file
profile apt-file @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/fgrep rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/xargs rix,
/{usr/,}lib/apt/apt-helper rix,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/apt rPx,
/etc/apt/apt-file.conf r,
owner @{PROC}/@{pid}/fd/ r,
# For shell pwd
/root/ r,
# file_inherit
/var/log/cron-apt/temp w,
include if exists <local/apt-file>
}


@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-ftparchive
profile apt-ftparchive @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/apt-ftparchive>
}


@ -0,0 +1,183 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/apt-get
profile apt-get @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
audit deny capability net_admin,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}bin/dpkg-source rcx -> dpkg-source,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For building the source after the download process is finished (apt-get source --compile)
# (#FIXME#)
/{usr/,}bin/dpkg-buildpackage rPUx,
# For changelogs
/tmp/apt-changelog-*/ w,
owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
/tmp/apt-changelog-*/*.changelog w,
/{usr/,}bin/sensible-pager rCx -> pager,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt-tmp-index.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /var/log/cron-apt/temp w,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
capability dac_read_search,
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
owner /tmp/apt-changelog-*/ r,
owner /tmp/apt-changelog-*/*.changelog r,
# For shell pwd
/root/ r,
}
profile dpkg-source flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/perl>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/patch rix,
/etc/dpkg/origins/debian r,
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
owner @{HOME}/** rwkl -> @{HOME}/**,
audit deny owner @{HOME}/.* mrwkl,
audit deny owner @{HOME}/.*/ rw,
audit deny owner @{HOME}/.*/** mrwkl,
}
include if exists <local/apt-get>
}


@ -0,0 +1,103 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-key
profile apt-key @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/comm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/id rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpg rCx -> gpg,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
#
/{usr/,}bin/apt-config rPx,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/{,**} rw,
profile gpg {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ssl_certs>
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
/etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg{,~,.tmp} rw,
/etc/apt/trusted.gpg.lock rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg.d/ r,
/etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid} rw,
/etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid},
/etc/apt/trusted.gpg.d/*.gpg r,
/etc/apt/trusted.gpg.d/*.gpg.lock rwl -> /etc/apt/trusted.gpg.d/.#lk0x[a-f0-9]*.@{pid},
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
/etc/inputrc r,
# File_inherit
owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
}
include if exists <local/apt-key>
}


@ -0,0 +1,58 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listbugs
profile apt-listbugs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
#capability sys_tty_config,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logname rix,
/{usr/,}bin/apt-config rPx,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/listbugs/{,*} r,
@{PROC}/@{pid}/loginuid r,
# The following is needed when apt-listbugs uses debcconf GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
include if exists <local/apt-listbugs>
}


@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
include if exists <local/apt-listbugs-aptcleanup>
}


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/preferences r,
owner /tmp/pin_migration_*-@{pid}-*/ w,
owner /tmp/pin_migration_*-@{pid}-*/preferences w,
owner /tmp/pin_migration_*-@{pid}-*/apt-listbugs w,
include if exists <local/apt-listbugs-migratepins>
}


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/ r,
owner /var/spool/apt-listbugs/lastprefclean rw,
include if exists <local/apt-listbugs-prefclean>
}


@ -0,0 +1,101 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-listchanges
profile apt-listchanges @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/python>
include <abstractions/nameservice-strict>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
#
/{usr/,}bin/sensible-pager rCx -> pager,
# Send results using email
/{usr/,}sbin/exim4 rPx,
/usr/share/apt-listchanges/{,**} r,
/etc/apt/listchanges.conf r,
/etc/apt/listchanges.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/status r,
/var/lib/apt/listchanges{,-new}.db rw,
/var/lib/apt/listchanges-old.db rwl -> /var/lib/apt/listchanges.db,
/var/cache/apt/archives/ r,
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/* rw,
owner /tmp/apt-listchanges*/ rw,
owner /tmp/apt-listchanges*/**/ rw,
owner /tmp/apt-listchanges*/*/*/*/*/changelog.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog.gz rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw,
owner /tmp/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw,
# The following is needed when apt-listchanges uses debcconf GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
#capability sys_tty_config,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/ r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
# For shell pwd
/root/ r,
/tmp/ r,
owner /tmp/apt-listchanges-tmp*.txt r,
}
include if exists <local/apt-listchanges>
}


@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-mark
profile apt-mark @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
/var/lib/apt/extended_states{,.*} rw,
owner @{PROC}/@{pid}/fd/ r,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
include if exists <local/apt-mark>
}


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/cdrom
profile apt-methods-cdrom @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-cdrom>
}


@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/copy
profile apt-methods-copy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-copy>
}


@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/file
profile apt-methods-file @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-file>
}


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/ftp
profile apt-methods-ftp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-ftp>
}


@ -0,0 +1,89 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/gpgv
profile apt-methods-gpgv @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# The following get "no new privs" so "rix" them
/{usr/,}bin/apt-key rix,
/{usr/,}bin/apt-config rix,
/{usr/,}bin/dpkg rix,
/{usr/,}bin/gpg-connect-agent rix,
/{usr/,}bin/gpgconf rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gpgv rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/touch rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/etc/apt/trusted.gpg.d/{,*.gpg} r,
/etc/apt/trusted.gpg r,
/tmp/ r,
owner /tmp/apt-key-gpghome.*/ rw,
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/dpkg/arch r,
@{PROC}/@{pid}/fd/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-gpgv>
}


@ -0,0 +1,77 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
profile apt-methods-http @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/auth.conf.d/{,*} r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For the aptitude interactive mode
/tmp/ r,
owner /tmp/aptitude-root.*/aptitude-download-* rw,
owner /tmp/apt-changelog-*/*.changelog rw,
@{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-http>
}
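Review bot: `@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,` gives the HTTP method — the process that parses responses from remote mirrors — read, write and link access over an entire build tree at a hard-coded site path (`/media/debuilder/`), which a fetcher has no need for and which turns a compromised method into a way to tamper with sources being built. `/var/cache/apt/** rwk,` is similarly wider than the `_apt`-owned `archives/partial/` the method actually writes into, and carries no `owner` qualifier. I would drop the build-dir rule from the shipped profile and leave it to `local/apt-methods-http`, and narrow the cache rule toward `owner /var/cache/apt/archives/partial/* rw,` plus a read rule for the rest — confirm the method's real write set from an audit log before narrowing.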


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
profile apt-methods-mirror @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-mirror>
}


@ -0,0 +1,57 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/rred
profile apt-methods-rred @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
/var/log/cron-apt/temp w,
include if exists <local/apt-methods-rred>
}
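Review bot: The rred method's job is applying downloaded Pdiffs to index files, i.e. parsing attacker-influenced data from mirrors, yet the profile grants `@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,` over a hard-coded site path and includes `nameservice-strict`, neither of which the index-patching rules above require. Keeping a parser of untrusted input confined to `/var/lib/apt/lists/` is the point of profiling it; move the build-dir rule to `local/apt-methods-rred` and add a comment on why name-service access is needed here, or drop the include if an audit log shows it unused.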


@ -0,0 +1,46 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
profile apt-methods-rsh @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/apt-methods-rsh>
}
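Review bot: There is no exec rule for the `rsh`/`ssh` client this method is named after, and no `network` rule either, so if the method spawns `/usr/bin/ssh` to do the transfer (which its name and the absence of any socket rules suggest) that exec is denied under enforcement and every rsh:// or ssh:// source fails. A dedicated transition is preferable to `rix` because ssh reads the invoking user's keys and config: something like `/{usr/,}bin/{r,s}sh rPx,` to an ssh profile, or `rCx` to a child granting only `owner @{HOME}/.ssh/** r,` and `network inet stream,`, keeps that material out of the method's own rule set. Confirm from a complain-mode audit log which binary is actually executed before adding the rule.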


@ -0,0 +1,62 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}lib/apt/methods/store
profile apt-methods-store @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
# For shell pwd
/ r,
/etc/ r,
/root/ r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/doc/*/changelog.* r,
/tmp/ r,
owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
include if exists <local/apt-methods-store>
}


@ -0,0 +1,37 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-show-versions
profile apt-show-versions @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/apt-common>
@{exec_path} r,
/{usr/,}bin/perl r,
/usr/bin/dpkg rPx -> child-dpkg,
owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
owner /var/cache/apt-show-versions/files rw,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
include if exists <local/apt-show-versions>
}
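Review bot: `/var/cache/apt/** rwk,` lets a reporting tool write and lock everything under apt's cache, including the downloaded `.deb` archives in `/var/cache/apt/archives/`, which is far more than it needs. The tool's own cache is already covered by the `owner /var/cache/apt-show-versions/...` rules above, so if the write access exists only for the AptPkg binding regenerating `pkgcache.bin`/`srcpkgcache.bin`, narrow it to `/var/cache/apt/*.bin rwk,` and `/var/cache/apt/** r,`; verify in complain mode which paths are actually written.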


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-sortpkgs
profile apt-sortpkgs @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
include if exists <local/apt-sortpkgs>
}
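Review bot: Nothing in this profile lets apt-sortpkgs read the Packages/Sources file it is handed on the command line — only `apt.conf` and the dpkg tables are readable — so under enforcement an invocation on a real index file would presumably be denied at open(). If the input normally lives under the lists directory, add `/var/lib/apt/lists/** r,`; otherwise document in a comment that callers are expected to pipe the file in on stdin and rely on `local/apt-sortpkgs` (already included) for other paths.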


@ -0,0 +1,67 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/apt/apt.systemd.daily
profile apt-systemd-daily @{exec_path} {
include <abstractions/base>
# Needed to remove the following error:
# apt.systemd.daily[]: find: /var/cache/apt/archives/partial: Permission denied
capability dac_read_search,
@{exec_path} mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/which rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/date rix,
/{usr/,}bin/find rix,
/{usr/,}bin/du rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/uniq rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/apt-get rPx,
/etc/default/locale r,
# The /daily_lock file is only used when the /var/lib/apt/daily_lock can be accessed.
#/daily_lock w,
/var/lib/apt/daily_lock wk,
/var/lib/apt/extended_states r,
/var/lib/apt/periodic/autoclean-stamp w,
/var/backups/ r,
/var/backups/apt.extended_states rw,
/var/backups/apt.extended_states.[0-9]* rw,
/var/backups/apt.extended_states.[0-9]*.gz w,
/var/cache/apt/ r,
/var/cache/apt/archives/ r,
/var/cache/apt/archives/partial/ r,
/var/cache/apt/archives/*.deb rw,
/var/cache/apt/backup/ r,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/apt-systemd-daily>
}


@ -0,0 +1,193 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/aptitude{,-curses}
profile aptitude @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/apt-common>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
# dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
# used by APT to download packages, package list, and other things using APT methods as an
# unprivileged user/group (_apt/nogroup).
#
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
capability sys_chroot,
audit deny capability net_admin,
#capability sys_tty_config,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
/var/log/aptitude w,
# For downloading the source of packages (showsrc/source options)
/{usr/,}bin/apt rPx,
# For changelogs
owner /tmp/aptitude-*.@{pid}:*/cache{ContentCompressed,Extracted}* rw,
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
owner /tmp/aptitude-*.@{pid}:*/parsedchangelog* w,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/aptitude/ rw,
owner @{HOME}/.cache/aptitude/metadata-download{,-journal} rw,
owner @{HOME}/.cache/aptitude/metadata-download rwk,
/{usr/,}bin/sensible-pager rCx -> pager,
# For aptitude-run-state-bundle
owner /tmp/aptitudebug.*/ r,
owner /tmp/aptitudebug.*/** rwk,
/var/lib/apt-xapian-index/index r,
/var/cache/apt-xapian-index/index.[0-9]/*.glass r,
/var/cache/apt-xapian-index/index.[0-9]/iamglass r,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
owner @{PROC}/@{pid}/fd/ r,
/tmp/ r,
owner /tmp/aptitude-*.@{pid}:*/ rw,
owner /tmp/aptitude-*.@{pid}:*/{pkgstates,control}* rw,
/tmp/aptitude-*.@{pid}:*/pkgstates* r,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
# For the interactive mode
/usr/share/tasksel/descs/ r,
/usr/share/tasksel/descs/debian-tasks.desc r,
owner @{HOME}/.aptitude/ rw,
owner @{HOME}/.aptitude/config rw,
owner @{HOME}/.aptitude/config@{pid} rw,
/tmp/apt-changelog-*/ rw,
/var/lib/debtags/vocabulary r,
/{usr/,}bin/su rPx,
@{run}/lock/aptitude rwk,
/usr/share/aptitude/ r,
/usr/share/aptitude/* r,
/var/lib/aptitude/pkgstates{,.old,.new} rw,
/var/lib/aptitude/pkgstates.old rwl -> /var/lib/aptitude/pkgstates,
/var/lib/debtags/package-tags r,
# When run in a TTY, to remove the following error:
# aptitude[]: *** err
# aptitude[]: /dev/tty2: Permission denied
# aptitude[]: *** err
# aptitude[]: Oh, oh, it's an error! possibly I die!
/dev/tty[0-9]* rw,
/dev/ptmx rw,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
/var/log/cron-apt/temp w,
profile pager {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/ r,
/{usr/,}bin/sensible-pager mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/less rix,
owner @{HOME}/.less* rw,
owner /tmp/aptitude-*.@{pid}:*/aptitude-download-* rw,
# For shell pwd
/root/ r,
}
include if exists <local/aptitude>
}
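Review bot: `capability kill`, `capability fsetid` and `capability sys_chroot` are granted under a `Needed? (##FIXME##)` comment in a profile that is already `flags=(complain)`, so the audit log cannot distinguish a required capability from a speculative one. The profile shows the better pattern one line later with `audit deny capability net_admin,`: rewrite the three unknowns as `audit capability kill,` / `audit capability fsetid,` / `audit capability sys_chroot,` so each real use is logged and they can be dropped with evidence. `sys_chroot` in particular is one a package front-end should not hold — dpkg runs under its own profile via `rPx`, so any chroot it needs belongs there, not here — and `/{usr/,}bin/su rPx,` deserves a comment naming the aptitude code path that execs su.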


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-changelog-parser
profile aptitude-changelog-parser @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
/**/debian/changelog r,
include if exists <local/aptitude-changelog-parser>
}


@ -0,0 +1,33 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle
profile aptitude-create-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
# Files included in the bundle
owner @{HOME}/.aptitude/{,*} r,
/var/lib/aptitude/{,*} r,
/var/lib/apt/{,**} r,
/var/cache/apt/ r,
/var/cache/apt/*.bin r,
/etc/apt/{,**} r,
/var/lib/dpkg/status r,
include if exists <local/aptitude-create-state-bundle>
}
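Review bot: `/etc/apt/{,**} r,` covers `/etc/apt/auth.conf` and `/etc/apt/auth.conf.d/*` (the repository-credential files the http method reads at L1051), and this tool tars up what it reads into a bundle meant to be attached to bug reports. Make that explicit with a comment above the rule, and if the bundle can do without them, `deny /etc/apt/auth.conf{,.d/**} r,` stops the leak at the profile level — check first that the script tolerates tar's non-zero exit on unreadable members. Note also that there is no `w` rule for the bundle's output file, so either the destination is expected from `local/aptitude-create-state-bundle` or the script writes to stdout; a comment should say which.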


@ -0,0 +1,29 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle
profile aptitude-run-state-bundle @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/user-download-strict>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/aptitude-curses rPx,
owner /tmp/aptitudebug.*/{,**} rw,
include if exists <local/aptitude-run-state-bundle>
}


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-dpkg" exec transitions from
# other profiles. We want to confine the dpkg(1) utility when it
# is invoked from other confined applications, but not when it is used
# in regular (unconfined) shell scripts or run directly by the user.
abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/dpkg by default
profile child-dpkg {
include <abstractions/base>
include <abstractions/consoles>
# Needed?
deny capability setgid,
/{usr/,}bin/dpkg mr,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-query rpx,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
/var/lib/dpkg/** r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
include if exists <local/child-dpkg>
}


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> child-dpkg-divert" exec transitions
# from other profiles. We want to confine the dpkg-divert(1) utility when
# it is invoked from other confined applications, but not when it is used
# in regular (unconfined) shell scripts or run directly by the user.
abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/dpkg-divert by default
profile child-dpkg-divert {
include <abstractions/base>
/{usr/,}bin/dpkg-divert mr,
/var/lib/dpkg/arch r,
/var/lib/dpkg/status r,
/var/lib/dpkg/updates/ r,
/var/lib/dpkg/triggers/File r,
/var/lib/dpkg/triggers/Unincorp r,
/var/lib/dpkg/diversions r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
include if exists <local/child-dpkg-divert>
}
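Review bot: This child profile only grants `/var/lib/dpkg/diversions r,`, so a caller that reaches it with `dpkg-divert --add`/`--remove` is denied the `diversions-new`/`diversions-old` writes that the standalone `dpkg-divert` profile later in this commit allows, and the header comment does not say that this is intentional. A one-line comment above the `mr` rule, e.g. `# Read-only by design: callers may only list diversions; --add/--remove/--rename need the full dpkg-divert profile.`, would stop the next maintainer from "fixing" the denial by adding write rules here.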


@ -0,0 +1,51 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/debconf-apt-progress
profile debconf-apt-progress @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/apt-get rPx,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
profile frontend flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
/{usr/,}bin/debconf-apt-progress rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/locale rix,
# The following is needed when debconf uses dialog/whiptail frontend.
/{usr/,}bin/whiptail rPx,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
/etc/shadow r,
}
include if exists <local/debconf-apt-progress>
}
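Review bot: The `frontend` child profile grants `/etc/shadow r,`, handing password hashes to a debconf UI process, and nothing in the hunk says why; the same rule appears in `dpkg-preconfigure` below, so whatever triggers it seems common to debconf frontends. Before shipping a read of `/etc/shadow`, record the observed denial in a comment and try `deny /etc/shadow r,` — NSS probes often tolerate EACCES — and if it genuinely cannot be removed, say so next to the rule. Separately, the exec at L1656 is `rPx`, so this whole `frontend` child is dead code (its `rCx -> frontend` alternative is commented out); either switch to the `rCx` form or drop the child so reviewers do not audit rules that never apply.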

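--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -0,0 +1,150 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+abi <abi/3.0>,
+include <tunables/global>
+@{exec_path} = /{usr/,}bin/dpkg
+profile dpkg @{exec_path} {
+include <abstractions/base>
+include <abstractions/consoles>
+# To set proper ownership/permissions of installed files.
+capability chown,
+capability fowner,
+capability fsetid,
+# These are needed because dpkg wants to read/write files from/to directories owned by different
+# users than root, for instance files in the /usr/share/polkit-1/ dir , which is owned by the
+# "polkitd" user with the "drwx------" permissions.
+capability dac_read_search,
+capability dac_override,
+# Needed? (##FIXME##)
+capability setgid,
+@{exec_path} mr,
+/{usr/,}bin/{,ba,da}sh rix,
+/{usr/,}bin/rm rix,
+# Do not strip env to avoid errors like the following:
+# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
+# shared object file): ignored.
+/{usr/,}bin/dpkg-query rpx,
+/{usr/,}bin/dpkg-deb rpx,
+#
+/{usr/,}bin/dpkg-split rPx,
+/usr/share/debian-security-support/check-support-status.hook rPx,
+/{usr/,}bin/pager rCx -> diff,
+/{usr/,}bin/less rCx -> diff,
+/{usr/,}bin/more rCx -> diff,
+/{usr/,}bin/diff rCx -> diff,
+# Run the package maintainer's scripts
+# What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
+# Move it to a child profile once more transitions will be available
+/var/lib/dpkg/ r,
+/var/lib/dpkg/** rwkl -> /var/lib/dpkg/**,
+/var/lib/dpkg/info/*.{config,templates} rPUx,
+/var/lib/dpkg/info/*.{preinst,postinst} rPUx,
+/var/lib/dpkg/info/*.{prerm,postrm} rPUx,
+/var/lib/dpkg/info/*.control r,
+/var/lib/dpkg/tmp.ci/{config,templates} rPUx,
+/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
+/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
+/var/lib/dpkg/tmp.ci/control r,
+#/var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
+#/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
+#/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts,
+#/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
+#/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
+#/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
+/etc/dpkg/dpkg.cfg.d/{,*} r,
+/etc/dpkg/dpkg.cfg r,
+owner @{PROC}/@{pid}/fd/ r,
+owner /tmp/apt-dpkg-install-*/ r,
+/var/log/dpkg.log w,
+# For shell pwd
+/root/ r,
+# Basically, dpkg needs R/W permissions to the following files since it installs them.
+# It also needs the L permission when a package is reinstalled.
+/ r,
+/usr/ r,
+/usr/** rwl -> /usr/**,
+/lib/ r,
+/lib/** rwl -> /lib/** ,
+/bin/ r,
+/bin/* rwl -> /bin/*,
+/sbin/ r,
+/sbin/* rwl -> /sbin/*,
+/etc/ r,
+/etc/** rwl -> /etc/**,
+/boot/ r,
+/boot/** rwl -> /boot/**,
+/opt/ r,
+/opt/** rwl -> /opt/**,
+# Without backups/, cache/, log/, mail/, opt/, tmp/ .
+/var/lib/ r,
+/var/lib/** rwl -> /var/lib/**,
+/var/local/ r,
+/var/local/** rwl -> /var/local/**,
+/var/spool/ r,
+/var/spool/** rwl -> /var/spool/**,
+# To create log and cache dirs
+/var/log/**/ rw,
+/var/cache/**/ rw,
+# file_inherit
+owner /dev/tty[0-9]* rw,
+profile diff {
+include <abstractions/base>
+include <abstractions/consoles>
+/{usr/,}bin/ r,
+/{usr/,}bin/pager mr,
+/{usr/,}bin/less mr,
+/{usr/,}bin/more mr,
+/{usr/,}bin/diff mr,
+owner @{HOME}/.lesshs* rw,
+# Diff changed config files
+/etc/** r,
+# For shell pwd
+/root/ r,
+}
+profile scripts {
+include <abstractions/base>
+/var/lib/dpkg/info/*.config r,
+/var/lib/dpkg/info/*.{preinst,postinst} r,
+/var/lib/dpkg/info/*.{prerm,postrm} r,
+/var/lib/dpkg/tmp.ci/config r,
+/var/lib/dpkg/tmp.ci/{preinst,postinst} r,
+/var/lib/dpkg/tmp.ci/{prerm,postrm} r,
+/{usr/,}bin/ r,
+/{usr/,}bin/* rPUx,
+/{usr/,}sbin/ r,
+/{usr/,}sbin/* rPUx,
+}
+include if exists <local/dpkg>
+}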
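Review bot: The `scripts` child profile at the bottom is unreachable — every maintainer-script rule uses `rPUx` and all `rCx -> scripts` transitions are commented out — yet it is the only thing that documents the intended design. Put the honesty in one place: a comment on the `rPUx` rules stating that maintainer scripts under `/var/lib/dpkg/info/` and `tmp.ci/` currently run unconfined (the `U` fallback, since no matching profile exists) and that `/var/lib/dpkg/** rwkl` is what lets dpkg write those scripts before executing them, and either remove the dead child or mark it `# unused until the rCx transitions above are enabled`. The lower-case `rpx` on `dpkg-query`/`dpkg-deb` (caller environment kept for fakeroot) is explained, but `/{usr/,}bin/dpkg-split rPx,` right under them is scrubbed even though dpkg-split itself execs dpkg-deb with `rpx` (L2068); a one-line note on why split differs would help.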


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-architecture
profile dpkg-architecture @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/usr/bin/perl r,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/usr/share/dpkg/** r,
# file_inherit
owner /tmp/* rw,
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/media/ccache/*/** rw,
}
include if exists <local/dpkg-architecture>
}
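Review bot: The `ccache` child profile hard-codes `/media/ccache/*/** rw,`, a site-specific mount in the same spirit as `@{BUILD_DIR}`, into a profile shipped as general purpose. Replace it with a tunable (e.g. `@{CCACHE_DIR}` declared next to `@{exec_path}`) or move the rule into a local include, and add a comment that `gcc-[0-9]*` is `rix` here only for `-dumpmachine`-style queries so nobody widens it into a compiler profile.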


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-buildflags
profile dpkg-buildflags @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner @{HOME}/.config/dpkg/buildflags.conf r,
include if exists <local/dpkg-buildflags>
}


@ -0,0 +1,30 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-checkbuilddeps
profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
/var/lib/dpkg/status r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
# For package building
owner @{BUILD_DIR}/**/debian/control r,
include if exists <local/dpkg-checkbuilddeps>
}


@ -0,0 +1,42 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-deb
profile dpkg-deb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
#capability sys_tty_config,
@{exec_path} mr,
/{usr/,}bin/tar rix,
/{usr/,}bin/rm rix,
owner /var/lib/dpkg/tmp.ci/ w,
owner /var/lib/dpkg/tmp.ci/* w,
# For creating deb packages
owner /tmp/dpkg-deb.* rw,
owner /tmp/dpkg-deb.*/ rw,
owner /tmp/dpkg-deb.*/* rw,
# For extracting deb packages to /tmp/
owner /tmp/** rw,
/var/cache/apt/archives/*.deb r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/dpkg-deb>
}


@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-divert
profile dpkg-divert @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/var/lib/dpkg/** r,
/usr/share/*/**.dpkg-divert.tmp w,
/var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw,
/var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
include if exists <local/dpkg-divert>
}
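Review bot: `/usr/share/*/**.dpkg-divert.tmp w,` is the only write rule outside `/var/lib/dpkg`, so a `--rename` of anything not under `/usr/share` (a diverted binary in `/usr/bin`, say) needs `w` on both the original path and the `--divert` target and would be denied under enforcement. If `--rename` is meant to work generally the rule has to be as wide as the `dpkg` profile's `/usr/** rwl -> /usr/**,`, which is a large grant for this tool; if it is meant to be list/add-only outside `/usr/share`, say so in a comment above the `.tmp` rule so the narrowness reads as deliberate.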


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-genbuildinfo
profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
# For package building
owner @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
/var/lib/dpkg/status r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner @{HOME}/.config/dpkg/buildflags.conf r,
/usr/local/bin/ r,
/usr/local/sbin/ r,
/usr/local/lib/ r,
/usr/local/lib/**/ r,
/usr/local/include/ r,
/usr/local/etc/ r,
include if exists <local/dpkg-genbuildinfo>
}


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-genchanges
profile dpkg-genchanges @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
# For package building
owner @{BUILD_DIR}/** r,
include if exists <local/dpkg-genchanges>
}


@ -0,0 +1,53 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/dpkg-preconfigure
profile dpkg-preconfigure @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
#capability sys_tty_config,
@{exec_path} r,
/{usr/,}bin/perl r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/locale rix,
/{usr/,}bin/stty rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/apt-extracttemplates rPx,
/{usr/,}bin/whiptail rPx,
/etc/shadow r,
/etc/inputrc r,
/etc/debconf.conf r,
owner /tmp/*.template.* rw,
owner /tmp/*.config.* rwPUx,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
# The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/dpkg-preconfigure>
}
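Review bot: `owner /tmp/*.config.* rwPUx,` combines write with an exec that falls back to unconfined, so anything that can drop a matching file into `/tmp` owned by the invoking user gets it executed outside confinement by this profile. The config scripts are extracted there by `apt-extracttemplates` (`rPx` above), so dpkg-preconfigure itself should not need `w`; drop it to `owner /tmp/*.config.* rPUx,` and add `w` back only if an audit log shows this profile unlinking them. Minor: `owner @{PROC}/@{pid}/mounts r,` appears twice (L2022 and L2024), `@{HOME}/.Xauthority r,` lacks the `owner` qualifier every other home-directory rule in this commit carries, and `/etc/shadow r,` deserves a comment recording the denial that motivated it.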


@ -0,0 +1,28 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-query
profile dpkg-query @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/var/lib/dpkg/** r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
include if exists <local/dpkg-query>
}


@ -0,0 +1,32 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{BUILD_DIR} = /media/debuilder/
@{exec_path} = /{usr/,}bin/dpkg-split
profile dpkg-split @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
# Do not strip env to avoid errors like the following:
# ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
# shared object file): ignored.
/{usr/,}bin/dpkg-deb rpx,
/var/lib/dpkg/parts/ r,
/var/lib/dpkg/parts/* r,
/var/cache/apt/archives/*.deb r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
include if exists <local/dpkg-split>
}


@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-trigger
profile dpkg-trigger @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/var/lib/dpkg/triggers/Lock rwk,
/var/lib/dpkg/triggers/ r,
/var/lib/dpkg/triggers/Unincorp{,.new} rw,
include if exists <local/dpkg-trigger>
}


@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-vendor
profile dpkg-vendor @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} r,
/usr/bin/perl r,
/etc/dpkg/origins/* r,
include if exists <local/dpkg-vendor>
}


@ -0,0 +1,182 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@{BUILD_DIR} = /media/debuilder/
include <tunables/global>
@{exec_path} = /{usr/,}sbin/synaptic /{usr/,}bin/synaptic-pkexec
profile synaptic @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
include <abstractions/deny-dconf>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
deny capability net_admin,
deny capability sys_nice,
signal (send) peer=apt-methods-*,
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/test rix,
/{usr/,}bin/{,e}grep rix,
# For update-apt-xapian-index
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
# When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two
# following root processes:
# dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
# /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
#
# Should this be allowed? Synaptic works fine without this.
#/{usr/,}bin/dbus-launch rCx -> dbus,
#/{usr/,}bin/dbus-send rCx -> dbus,
deny /{usr/,}bin/dbus-launch rx,
deny /{usr/,}bin/dbus-send rx,
/{usr/,}bin/ps rPx,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/apt-listbugs rPx,
/{usr/,}bin/apt-listchanges rPx,
/{usr/,}bin/apt-show-versions rPx,
/{usr/,}sbin/dpkg-preconfigure rPx,
/{usr/,}bin/debtags rPx,
/{usr/,}sbin/localepurge rPx,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/adequate rPx,
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}sbin/update-apt-xapian-index rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/deborphan rPx,
/{usr/,}bin/tasksel rPx,
/{usr/,}bin/pkexec rPx,
# Methods to use to download packages from the net
/{usr/,}lib/apt/methods/* rPx,
/var/lib/apt/lists/** rw,
/var/lib/apt/lists/lock rwk,
/var/lib/apt/extended_states{,.*} rw,
/etc/apt/apt.conf.d/99synaptic rw,
/var/log/apt/eipp.log.xz w,
/var/log/apt/{term,history}.log w,
# For editing the sources.list file
/etc/apt/sources.list.d/ r,
/etc/apt/sources.list.d/*.list rw,
/etc/apt/sources.list rwk,
/var/lib/apt-xapian-index/index r,
/var/cache/apt-xapian-index/index.[0-9]/*.glass r,
/var/cache/apt-xapian-index/index.[0-9]/iamglass r,
/var/lib/dpkg/** r,
/var/lib/dpkg/lock{,-frontend} rwk,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/tmp/ r,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
/usr/share/synaptic/{,**} r,
owner @{HOME}/.synaptic/ rw,
owner @{HOME}/.synaptic/** rwk,
@{run}/synaptic.socket w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
# To remove the following error:
# Internal Error: impossible to fork children. Synaptics is going to stop. Please report.
# errorcode: 2
/dev/ptmx rw,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/etc/fstab r,
# Synaptic is a GUI app started by root, so without "owner"
@{HOME}/.Xauthority r,
# For package building
@{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,
# file_inherit
owner /dev/tty[0-9]* rw,
profile dbus {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/dbus-launch mr,
/{usr/,}bin/dbus-send mr,
/{usr/,}bin/dbus-daemon rPUx,
# for dbus-launch
owner @{HOME}/.dbus/session-bus/[0-9a-f]*-[0-9] w,
@{HOME}/.Xauthority r,
}
include if exists <local/synaptic>
}
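Review bot: The `dbus` child profile at the end is unreachable — the only transitions into it (`#/{usr/,}bin/dbus-launch rCx -> dbus,` and the dbus-send line) are commented out and the two `deny ... rx,` rules block the same binaries — yet it still grants `/{usr/,}bin/dbus-daemon rPUx,`, so if someone later uncomments the `rCx` lines a dbus-daemon spawned by root-run synaptic ends up unconfined. Either drop the child profile together with the two commented lines (the explicit `deny` rules already record the decision), or if a session bus is wanted restore the `rCx` transitions and change the daemon line to `/{usr/,}bin/dbus-daemon rPx,` with a matching profile. The `# Needed? (##FIXME##)` above `capability kill,` and `capability fsetid,` is also left unresolved: CAP_KILL is plausibly required because `signal (send) peer=apt-methods-*` targets methods running as `_apt` rather than root, but nothing visible here consumes `fsetid`, so it is worth re-testing under `deny capability fsetid,` and recording the outcome in the comment. Minor style point: this file sets `@{BUILD_DIR}` before `include <tunables/global>`, whereas the sibling profiles put the include first.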


@ -0,0 +1,44 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/update-apt-xapian-index
profile update-apt-xapian-index @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/python>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}sbin/ r,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/usr/share/apt-xapian-index/{,**} r,
/var/cache/apt-xapian-index/ rw,
/var/cache/apt-xapian-index/** rwk,
/var/lib/apt-xapian-index/ rw,
/var/lib/apt-xapian-index/* rwk,
/var/cache/apt/ r,
/var/cache/apt/** rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/debtags/package-tags r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# file_inherit
owner /dev/tty[0-9]* rw,
include if exists <local/update-apt-xapian-index>
}
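Review bot: `/var/cache/apt/** rwk,` gives the indexer write and lock access to everything under the apt cache, including the downloaded packages in `/var/cache/apt/archives/`, which is more than an index rebuild should need. If the only writes aa-logprof reports are the cache binaries (presumably `pkgcache.bin`/`srcpkgcache.bin` via python-apt — confirm), narrow it to `/var/cache/apt/ r,` `/var/cache/apt/*.bin rwk,` and `/var/cache/apt/archives/** r,`. The same broad grant appears in the synaptic profile, where it is arguably justified because synaptic downloads packages; here it is not.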


@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) Felix Geyer <debfx@ubuntu.com>
# SPDX-License-Identifier: GPL-2.0-only
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
#include <tunables/global>
profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/user-tmp>
/etc/apt-cacher-ng/ r,
/etc/apt-cacher-ng/** r,
/etc/hosts.{deny,allow} r,
/usr/sbin/apt-cacher-ng mr,
/var/lib/apt-cacher-ng/** r,
/{,var/}run/apt-cacher-ng/* rw,
@{APT_CACHER_NG_CACHE_DIR}/ r,
@{APT_CACHER_NG_CACHE_DIR}/** rw,
/var/log/apt-cacher-ng/ r,
/var/log/apt-cacher-ng/* rw,
/{,var/}run/systemd/notify w,
/{usr/,}bin/dash ixr,
/{usr/,}bin/ed ixr,
/{usr/,}bin/red ixr,
/{usr/,}bin/sed ixr,
/usr/lib/apt-cacher-ng/acngtool ixr,
# used by libevent
@{PROC}/sys/kernel/random/uuid r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.apt-cacher-ng>
}
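Review bot: This is the only profile in the set without an `abi <abi/3.0>,` line and it still uses the `#include` spelling; with an AppArmor 3 parser a profile lacking an abi rule is, as far as I know, compiled against the pinned legacy feature set, so whatever the kernel mediates beyond that set is not enforced for this daemon. Adding `abi <abi/3.0>,` as the first line and changing `#include` to `include` brings it in line with its siblings, after which a round of aa-logprof will show anything the newer mediation surfaces. Separately, `#include <local/usr.sbin.apt-cacher-ng>` is unconditional and keeps the old flat-file name, so the parse fails on any host that does not ship that exact local file; the sibling profiles use `include if exists <local/apt-cacher-ng>`. Note that the daemon's network access currently comes from `abstractions/nameservice`, which grants inet/inet6 stream and dgram broadly; if that is ever swapped for `nameservice-strict` as elsewhere in the group, explicit `network inet stream,` and `network inet6 stream,` rules (at least) must be added for an HTTP proxy.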