feat(profiles): general update.

apparmor.d/profiles-s-z/snap

@@ -18,6 +18,7 @@ profile snap @{exec_path} {
   include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
   capability sys_admin,
 
   unix (send, receive) type=stream peer=(label=apt),

apparmor.d/profiles-s-z/snap-failure

@@ -14,9 +14,8 @@ profile snap-failure @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/systemctl rPx -> child-systemctl,
-
-  @{lib_dirs}/snapd/snapd rPx,
+  @{bin}/systemctl         rPx -> child-systemctl,
+  @{lib_dirs}/snapd/snapd  rPx -> snapd,
 
   /var/lib/snapd/sequence/snapd.json r,
 

apparmor.d/profiles-s-z/snap-update-ns

@@ -18,18 +18,21 @@ profile snap-update-ns @{exec_path} {
 
   network netlink raw,
 
-  mount -> /snap/**/,
-  mount -> /usr/**/,
+  mount -> /boot/,
+  mount -> /snap/**,
+  mount -> /tmp/.snap/**,
+  mount -> /usr/**,
   mount -> /var/lib/dhcp/,
-  mount /snap/**/ -> /tmp/.snap/**,
-  umount /snap/**/,
+  umount /snap/**,
   umount /var/lib/dhcp/,
 
   @{exec_path} mr,
 
   /var/lib/snapd/mount/{,*} r,
 
+  / r,
   /snap/{,**} rw,
+  /tmp/ r,
   /tmp/.snap/{,**} rwk,
 
   @{run}/snapd/lock/*.lock rwk,

apparmor.d/profiles-s-z/snapd

@@ -64,7 +64,6 @@ profile snapd @{exec_path} {
   @{exec_path} mrix,
 
   @{bin}/adduser                  rPx,
-  @{bin}/cloud-init              rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
   @{bin}/groupadd                 rPx,
   @{bin}/hostnamectl              rPx,
   @{bin}/ssh-keygen               rPx,
@@ -93,9 +92,9 @@ profile snapd @{exec_path} {
   @{lib_dirs}/@{multiarch}/**         mr,
   @{lib_dirs}/@{multiarch}/ld-*.so   rix,
   @{lib_dirs}/snapd/apparmor_parser  rPx -> apparmor_parser,
-  @{lib_dirs}/snapd/snap-discard-ns  rPx,
-  @{lib_dirs}/snapd/snap-seccomp     rPx,
-  @{lib_dirs}/snapd/snap-update-ns   rPx,
+  @{lib_dirs}/snapd/snap-discard-ns  rPx -> snap-discard-ns,
+  @{lib_dirs}/snapd/snap-seccomp     rPx -> snap-seccomp,
+  @{lib_dirs}/snapd/snap-update-ns   rPx -> snap-update-ns,
 
   /usr/share/bash-completion/{,**} r,
   /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
@@ -129,7 +128,6 @@ profile snapd @{exec_path} {
   /tmp/syscheck-squashfs-[0-9]* rw,
   /tmp/read-file[0-9]*/{,**} rw,
 
-
   /boot/ r,
   /boot/grub/grubenv r, 
 

apparmor.d/profiles-s-z/swapon

@@ -18,8 +18,9 @@ profile swapon @{exec_path} {
 
   /etc/fstab r,
 
-  owner /swapfile rw,
+  owner /swap.img rw,
   owner /swap/swapfile rw,
+  owner /swapfile rw,
 
   @{PROC}/swaps r,
 

apparmor.d/profiles-s-z/update-cracklib

@@ -21,6 +21,7 @@ profile update-cracklib @{exec_path} {
   @{bin}/find                 rix,
   @{bin}/grep                 rix,
   @{bin}/gzip                 rix,
+  @{bin}/install              rix,
   @{bin}/sort                 rix,
   @{bin}/tr                   rix,
 
@@ -30,7 +31,9 @@ profile update-cracklib @{exec_path} {
   /etc/magic r,
   /etc/cracklib/cracklib.conf r,
 
-  /var/cache/cracklib/{,**} rw,
+  owner /var/cache/cracklib/{,**} rw,
+
+  owner /tmp/sort@{rand6} rw,
 
   include if exists <local/update-cracklib>
 }