General update

apparmor.d/groups/apt/apt-methods-gpgv

@@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} {
   # Local keyring storage
   /etc/apt/keyrings/ r,
   /etc/apt/keyrings/*.{gpg,asc} r,
+  /usr/share/keyrings/ r,
+  /usr/share/keyrings/*.{gpg,asc} r,
 
   # Extrepo keyring storage
   /var/lib/extrepo/keys/*.{gpg,asc} r,

apparmor.d/groups/apt/dpkg

@@ -76,6 +76,7 @@ profile dpkg @{exec_path} {
   owner /tmp/apt-dpkg-install-*/ r,
 
   /var/log/dpkg.log w,
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 
   @{run}/systemd/userdb/ r,
 

apparmor.d/groups/apt/unattended-upgrade

@@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   dbus receive bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged},
+       member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved},
 
   @{exec_path} mr,
 
@@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   /etc/apt/*.list r,
   /etc/apt/apt.conf.d/{,**} r,
+  /etc/debian_version r,
+  /etc/dpkg/origins/{debian,ubuntu,} r,
+  /etc/issue{.net,} r,
+  /etc/legal r,
+  /etc/lsb-release r,
+  /etc/profile.d/* r,
+  /etc/update-motd.d/* r,
   /etc/update-manager/{,**} r,
   /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
 

apparmor.d/groups/freedesktop/fc-cache

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -20,6 +21,8 @@ profile fc-cache @{exec_path} {
   /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
   /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
 
+  /var/tmp/mkinitramfs_*/{**,} rwl,
+
   # Silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/groups/freedesktop/pulseaudio

@@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} {
      member=Get
      peer=(name=/org/freedesktop/hostname[0-9]),
 
+  dbus (send)
+     bus=system
+     path=/org.freedesktop.hostname[0-9]
+     interface=org.freedesktop.DBus.Prope
+     member=Get
+     peer=(name=/org/freedesktop/hostname[0-9]),
+
   @{exec_path} mrix,
 
   /{usr/,}@{libexec}/pulse/gsettings-helper mrix,

apparmor.d/groups/gpg/gpg

@@ -14,6 +14,8 @@ profile gpg @{exec_path} {
   include <abstractions/user-download-strict>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
+
   network netlink raw,
 
   @{exec_path} mrix,

apparmor.d/groups/gpg/gpgconf

@@ -12,6 +12,8 @@ profile gpgconf @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
+
   @{exec_path} mrix,
 
   /{usr/,}bin/gpg-connect-agent rPx,

apparmor.d/groups/gpg/gpgsm

@@ -11,6 +11,8 @@ profile gpgsm @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
+
   @{exec_path} mr,
 
   deny /usr/bin/.gnupg/ w,

apparmor.d/groups/grub/grub-editenv

@@ -13,6 +13,8 @@ profile grub-editenv @{exec_path} flags=(complain) {
 
   @{exec_path} rm,
 
+  /boot/grub/grubenv rw,
+
   include if exists <local/grub-editenv>
 }
 

apparmor.d/groups/network/ModemManager

@@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects,
 
+  dbus receive bus=system path=/org/freedesktop/ModemManager[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
   dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
        interface=org.freedesktop.PolicyKit[0-9].Authority
        member=Changed,

apparmor.d/groups/pacman/mkinitcpio

@@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/cp                  rix,
   /{usr/,}bin/dd                  rix,
   /{usr/,}bin/find                rix,
-  /{usr/,}bin/findmnt             rix,
+  /{usr/,}bin/findmnt             rPx,
   /{usr/,}bin/fsck                rix,
   /{usr/,}bin/gawk                rix,
   /{usr/,}bin/grep                rix,

apparmor.d/groups/systemd/child-systemctl

@@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) {
 
   /etc/systemd/user/{,**} rwl,
 
+  @{run}/systemd/private rw,
+
   owner @{PROC}/@{pid}/stat r,
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/1/environ r,

apparmor.d/groups/systemd/systemd-analyze

@@ -11,11 +11,24 @@ include <tunables/global>
 profile systemd-analyze @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/dbus-strict>
   include <abstractions/systemd-common>
 
   capability sys_resource,
   capability net_admin,
 
+  dbus send bus=system path=/org/freedesktop/systemd1
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/systemd1
+      interface=org.freedesktop.systemd1.Manager
+      member=ListUnits,
+
+  dbus send bus=system path=/org/freedesktop/systemd1/unit/*
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+
   signal (send) peer=child-pager,
 
   network inet dgram,
@@ -38,7 +51,10 @@ profile systemd-analyze @{exec_path} {
 
   owner /tmp/systemd-temporary-*/ rw,
 
+  @{run}/systemd/generator/ r,
+  @{run}/systemd/private rw,
   @{run}/systemd/system/ r,
+  @{run}/systemd/transient/ r,
   @{run}/systemd/userdb/io.systemd.DynamicUser w,
   @{run}/udev/data/* r,
   @{run}/udev/tags/systemd/ r,

apparmor.d/groups/ubuntu/update-grub

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
 profile update-grub @{exec_path} flags=(complain) {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} rm,
   /{usr/,}bin/{,ba,da}sh rix,

apparmor.d/groups/virt/containerd

@@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   capability dac_override,
   capability fsetid,
   capability fowner,
+  capability mknod,
   capability net_admin,
+  capability setfcap,
   capability sys_admin,
 
   network inet dgram,

apparmor.d/groups/virt/k3s

@@ -27,7 +27,7 @@ profile k3s @{exec_path} {
   capability sys_resource,
 
   ptrace peer=@{profile_name},
-  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
+  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
 
   # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
   # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.