From 0cbcbb29a4cc8b2f281c153e06adb18085735405 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 13 Jun 2022 21:42:25 +0100 Subject: [PATCH] feat(profiles): improve/update apt related profiles. --- apparmor.d/groups/apt/apt | 127 ++++++++++----------- apparmor.d/groups/apt/apt-cache | 13 ++- apparmor.d/groups/apt/apt-cdrom | 6 +- apparmor.d/groups/apt/apt-config | 5 +- apparmor.d/groups/apt/apt-extracttemplates | 13 ++- apparmor.d/groups/apt/apt-file | 7 +- apparmor.d/groups/apt/apt-forktracer | 18 +-- apparmor.d/groups/apt/dpkg-preconfigure | 6 +- apparmor.d/groups/apt/dpkg-query | 1 + apparmor.d/groups/apt/unattended-upgrade | 16 ++- 10 files changed, 113 insertions(+), 99 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 3301e999b..848ae80df 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -70,79 +70,81 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/snap rPUx, /{usr/,}lib/cnf-update-db rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, - /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, - /{usr/,}lib/update-notifier/update-motd-updates-available rPx, - /usr/share/command-not-found/cnf-update-db rPx, + + # For building the source after the download process is finished (apt-get source --compile) + /{usr/,}bin/dpkg-buildpackage rPUx, # Methods to use to download packages from the net - /{usr/,}lib/apt/methods/* rPx, + /{usr/,}lib/apt/methods/* rPx, + + # Ubuntu specificities + /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, + /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, + /{usr/,}lib/update-notifier/update-motd-updates-available rPx, + /usr/share/command-not-found/cnf-update-db rPx, + + # For editing the sources.list file + /{usr/,}bin/sensible-editor rCx -> editor, + /{usr/,}bin/vim.* rCx -> editor, + + # For changelogs + /{usr/,}bin/sensible-pager rCx -> pager, + + /etc/apt/sources.list rwk, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /var/cache/apt/ r, + /var/cache/apt/** rwk, /var/lib/apt/extended_states{,.*} rw, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, /var/lib/apt/periodic/update-success-stamp rw, - - /var/log/apt/eipp.log.xz w, - /var/log/apt/{term,history}.log w, - - # For building the source after the download process is finished (apt-get source --compile) - /{usr/,}bin/dpkg-buildpackage rPUx, - - # For editing the sources.list file - /etc/apt/sources.list rwk, - /{usr/,}bin/sensible-editor rCx -> editor, - /{usr/,}bin/vim.* rCx -> editor, - - # For changelogs - /tmp/apt-changelog-*/ w, - owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, - /tmp/apt-changelog-*/*.changelog w, - /{usr/,}bin/sensible-pager rCx -> pager, - /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, + /var/lib/update-notifier/dpkg-run-stamp rw, + + /var/log/apt/{term,history}.log w, + /var/log/apt/eipp.log.xz w, + 
+ # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + + /tmp/ r, + /tmp/apt-changelog-*/ w, + /tmp/apt-changelog-*/*.changelog w, + owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw, + owner /tmp/apt-dpkg-install-*/ rw, + owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, + owner /tmp/apt.conf.* rw, + owner /tmp/apt.data.* rw, owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/mountinfo r, /dev/ptmx rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /tmp/ r, - owner /tmp/apt.conf.* rw, - owner /tmp/apt.data.* rw, - owner /tmp/apt-dpkg-install-*/ rw, - owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w, - - /var/cache/apt/ r, - /var/cache/apt/** rwk, - - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - @{run}/systemd/inhibit/[0-9]*.ref rw, profile editor flags=(complain) { include include - /{usr/,}bin/sensible-editor mr, - /{usr/,}bin/vim.* mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/which{,.debianutils} rix, - - owner @{HOME}/.selected_editor r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sensible-editor mr, + /{usr/,}bin/vim.* mrix, + /{usr/,}bin/which{,.debianutils} rix, /usr/share/vim/{,**} r, - /etc/vim/{,**} r, - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{HOME}/.fzf/plugin/ r, - owner @{HOME}/.fzf/plugin/fzf.vim r, /etc/apt/sources.list rw, + /etc/vim/{,**} r, + + owner @{HOME}/.viminfo{,.tmp} rw, + owner @{HOME}/.selected_editor r, + owner @{HOME}/.fzf/plugin/ r, + owner @{HOME}/.fzf/plugin/fzf.vim r, } 
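Review bot: `/{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx,` is a new Px transition, and a Px exec is denied when no profile for the target is loaded; the diffstat lists only the ten existing apt-group files, so no profile for apt-esm-json-hook is added here. Either that profile already exists elsewhere in the tree (worth confirming) or the rule should use the same fallback as the neighbouring `/{usr/,}bin/dpkg-buildpackage rPUx,` until one lands. The sibling `apt-esm-hook rPx,` was present before this change, so presumably it has a profile and the same convention is expected. The enclosing `profile apt` block begins before this hunk; only the `editor` subprofile is closed within it.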
@@ -152,40 +154,37 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability dac_read_search, - /{usr/,}bin/ r, - /{usr/,}bin/sensible-pager mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/less rix, + /{usr/,}bin/sensible-pager mr, + /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/which{,.debianutils} rix, - /{usr/,}bin/less rix, + /root/ r, # For shell pwd owner @{HOME}/.less* rw, owner /tmp/apt-changelog-*/ r, owner /tmp/apt-changelog-*/*.changelog r, - # For shell pwd - /root/ r, - } profile dpkg-source flags=(complain) { include - include include + include /{usr/,}bin/dpkg-source mr, /{usr/,}bin/perl r, - /{usr/,}bin/tar rix, /{usr/,}bin/bunzip2 rix, + /{usr/,}bin/chmod rix, /{usr/,}bin/gunzip rix, /{usr/,}bin/gzip rix, - /{usr/,}bin/xz rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/chmod rix, - /{usr/,}bin/patch rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/xz rix, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 5a47c906f..d12055448 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,23 +10,23 @@ include @{exec_path} = /{usr/,}bin/apt-cache profile apt-cache @{exec_path} { include - include include + include @{exec_path} mr, /{usr/,}bin/dpkg rPx -> child-dpkg, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/cache/apt/ r, /var/cache/apt/** rwk, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index 90e96c33c..48c0f8af8 100644 
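Review bot: The `dpkg-source` subprofile loses `/{usr/,}bin/patch rix,` in this hunk: tar/xz/rm/chmod/patch are removed and only chmod/rm/tar/xz are re-added in sorted order (the line counts, -40/+37 with 14 removed and 11 added, confirm nothing else balances it). As far as I recall dpkg-source applies 3.0 (quilt) series by shelling out to patch(1), so this would surface as a denied exec on first extraction, or merely a logged one while the subprofile stays `flags=(complain)`. If the drop was not intentional, re-add `/{usr/,}bin/patch rix,` between `/{usr/,}bin/gzip rix,` and `/{usr/,}bin/rm rix,`; if it was, a word in the commit message would help. The `dpkg-source` subprofile continues past the end of the hunk.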
--- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -9,8 +9,8 @@ include @{exec_path} = /{usr/,}bin/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include include + include capability dac_read_search, @@ -21,6 +21,8 @@ profile apt-cdrom @{exec_path} flags=(complain) { /{usr/,}bin/mount rCx -> mount, /{usr/,}bin/umount rCx -> umount, + /etc/fstab r, + # Are all of these needed? (#FIXME#) @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @@ -29,8 +31,6 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{sys}/devices/**/uevent r, @{run}/udev/data/* r, - /etc/fstab r, - # For cd-roms /media/cdrom[0-9]/ r, /media/cdrom[0-9]/**/ r, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index bd3d7df8c..531b1f706 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +10,8 @@ include @{exec_path} = /{usr/,}bin/apt-config profile apt-config @{exec_path} { include - include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 49c8253e4..d12e78163 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -16,15 +17,17 @@ profile apt-extracttemplates @{exec_path} { /{usr/,}bin/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/ r, - /var/cache/apt/ r, /var/cache/apt/** rwk, - owner /tmp/*.{config,template}.?????? rw, - # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + owner /tmp/*.{config,template}.?????? rw, + + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 215eb3a67..727e3f3ce 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -25,13 +26,13 @@ profile apt-file @{exec_path} { /etc/apt/apt-file.conf r, - owner @{PROC}/@{pid}/fd/ r, - # For shell pwd /root/ r, # file_inherit /var/log/cron-apt/temp w, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 0641c9bc4..c9061155a 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,8 +10,8 @@ include @{exec_path} = /{usr/,}bin/apt-forktracer profile apt-forktracer @{exec_path} { include - include include + include @{exec_path} mr, 
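Review bot: `owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` is added to apt-extracttemplates without a comment, although the only plausible reason for this tool to touch that log is a file descriptor inherited from unattended-upgrade rather than a deliberate open. Elsewhere in this group such rules are marked: the apt-file hunk in this same patch shows `# file_inherit` above `/var/log/cron-apt/temp w,`, and the dpkg-query hunk adds `/dev/tty[0-9]* rw,` under the same marker. Suggest prefixing the new rule with `# file_inherit` here and on the identical line added to dpkg-preconfigure (hunk `@@ -35,6 +36,7 @@`), so a later reader does not widen it into a real log-writing permission. The enclosing `profile apt-extracttemplates` block begins before this hunk.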
@@ -19,21 +20,20 @@ profile apt-forktracer @{exec_path} { /{usr/,}bin/apt-cache rPx, /usr/share/apt-forktracer/{,**} r, + /usr/share/distro-info/debian.csv r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, /var/lib/apt/lists/ r, /var/lib/apt/lists/*_InRelease r, /var/cache/apt/pkgcache.bin{,.*} rw, - /usr/share/distro-info/debian.csv r, - - owner @{PROC}/@{pid}/fd/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - /etc/dpkg/origins/debian r, /etc/debian_version r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index bd958a399..586947e83 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -35,6 +36,7 @@ profile dpkg-preconfigure @{exec_path} { owner /tmp/*.config.* rwPUx, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, + owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. include @@ -44,9 +46,7 @@ profile dpkg-preconfigure @{exec_path} { capability dac_read_search, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/hostname rix, - owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index 8cb2f05d8..8a52dd1ee 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -23,6 +23,7 @@ profile dpkg-query @{exec_path} { # file_inherit /tmp/#[0-9]*[0-9] rw, + /dev/tty[0-9]* rw, include if exists } 
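Review bot: Hunk `@@ -44,9 +46,7 @@` in dpkg-preconfigure removes both copies of `owner @{PROC}/@{pid}/mounts r,` (the old side shrinks by two with nothing added), so the rule disappears entirely rather than being deduplicated. If the intent was to drop the duplicate, keep one copy next to `@{HOME}/.Xauthority r,`: `owner @{PROC}/@{pid}/mounts r,`; if the read is genuinely no longer needed, that is a behaviour change worth a line in the commit message. The enclosing profile starts before the hunk, so I cannot tell whether an equivalent rule survives elsewhere in it.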
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8f851253f..fbc8821ed 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -43,19 +43,25 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/ r, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/echo rix, + /{usr/,}bin/gdbus rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/test rix, + /{usr/,}bin/touch rix, + /{usr/,}bin/uname rix, + /{usr/,}{s,}bin/dpkg-preconfigure rPx, /{usr/,}{s,}bin/on_ac_power rPx, /{usr/,}{s,}bin/sendmail rPUx, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/apt-listchanges rPx, /{usr/,}bin/dpkg rPx, /{usr/,}bin/etckeeper rPx, - /{usr/,}bin/ischroot rix, /{usr/,}bin/lsb_release rPx -> lsb_release, - /{usr/,}bin/python3.[0-9]* rix, - /{usr/,}bin/uname rix, /{usr/,}lib/apt/methods/http{,s} rPx, /{usr/,}lib/needrestart/apt-pinvoke rPx, + /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/distro-info/* r, /usr/share/dpkg/*table r, @@ -93,5 +99,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, + /dev/ptmx rw, + include if exists } \ No newline at end of file
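Review bot: The eight `rix` helper rules added at the top of hunk `@@ -43,19 +43,25 @@` (`echo`, `gdbus`, `test`, `touch` are new; the others are moves) carry no comment saying which part of unattended-upgrade invokes them, whereas the apt profile in this same patch groups its exec rules under purpose comments (`# Ubuntu specificities`, `# For changelogs`). `gdbus` in particular is an unusual child for an updater, so a one-line note such as `# Helpers run from unattended-upgrade's hook scripts -- TODO confirm callers` above the block would help the next reader judge whether `ix` (inheriting this profile's permissions) is the intended confinement. The enclosing `profile unattended-upgrade` block begins before this hunk and continues after it.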
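Review bot: The file still ends without a trailing newline (`\ No newline at end of file` follows the closing `}` of hunk `@@ -93,5 +99,7 @@`), and this is the only profile in the patch showing that marker. Since the tail of the file is already being edited to add `/dev/ptmx rw,`, terminating the final `}` with a newline is a one-line tidy-up that keeps the profile consistent with the others.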