diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 2abd381b8..3d0e5b0c4 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-bios-setup -profile grub-bios-setup @{exec_path} flags=(complain) { +profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures new file mode 100644 index 000000000..a521a0f91 --- /dev/null +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/grub/grub-check-signatures +profile grub-check-signatures @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin//mktemp rix, + /{usr/,}bin//od rix, + + owner /tmp/tmp.*/ rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 042887e3d..5917b08ce 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-editenv -profile grub-editenv @{exec_path} flags=(complain) { +profile grub-editenv @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file index ccf58d6c4..dccf5d637 100644 --- a/apparmor.d/groups/grub/grub-file +++ b/apparmor.d/groups/grub/grub-file @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-file -profile grub-file @{exec_path} flags=(complain) { +profile grub-file @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest index caf64ee2c..72b027a25 100644 
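Review bot: `/{usr/,}bin//mktemp rix,` and `/{usr/,}bin//od rix,` in the new grub-check-signatures profile contain a doubled slash; AppArmor matches rules against the kernel's canonical path, which never contains `//`, so these two rules most likely never match and the script's mktemp and od calls would be denied under enforcement. The intended lines are presumably `/{usr/,}bin/mktemp rix,` and `/{usr/,}bin/od rix,`. Enforcement matters here because grub-check-signatures is absent from the dists/flags/main.flags additions at the end of this diff while every other grub profile touched here is listed there (grub-install keeps its header flag instead), so this new, untested profile is the only one of the group that would run in enforce mode. `owner /tmp/tmp.*/ rw,` also covers only the temporary directory itself; if the script creates files inside it (the `tmp.*/` pattern suggests `mktemp -d`), `owner /tmp/tmp.*/{,**} rw,` is needed.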
--- a/apparmor.d/groups/grub/grub-fstest +++ b/apparmor.d/groups/grub/grub-fstest @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-fstest -profile grub-fstest @{exec_path} flags=(complain) { +profile grub-fstest @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi index aeb59a8df..f6b59cf77 100644 --- a/apparmor.d/groups/grub/grub-glue-efi +++ b/apparmor.d/groups/grub/grub-glue-efi @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-glue-efi -profile grub-glue-efi @{exec_path} flags=(complain) { +profile grub-glue-efi @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index cca0605c2..5a513fd7b 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only @@ -10,9 +11,30 @@ include profile grub-install @{exec_path} flags=(complain) { include include + include @{exec_path} mr, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/udevadm rPx, + + /etc/default/grub.d/{,**} r, + + /boot/efi/EFI/BOOT/{,**} rw, + /boot/grub/{,**} rw, + + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/w_platform_size r, + + @{PROC}/devices r, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp index fce678809..fc17178d2 100644 --- a/apparmor.d/groups/grub/grub-kbdcomp +++ b/apparmor.d/groups/grub/grub-kbdcomp 
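Review bot: the EFI variable rules added to grub-install, `@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,` and `@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,`, are read-only, yet on EFI systems grub-install ordinarily registers its own boot entry unless `--no-nvram` is given, which writes exactly those variables; if that path is exercised, `rw` is required or the registration fails once the profile leaves complain mode. Likewise `/boot/efi/EFI/BOOT/{,**} rw,` covers only the removable-media fallback directory, whereas an install with a bootloader id writes under `/boot/efi/EFI/<bootloader-id>/` (placeholder), so confirm the rule set against a real run before enforcing. Note also that grub-install is now the one profile in this group that keeps `flags=(complain)` in its header rather than an entry in dists/flags/main.flags; moving it too would keep the group consistent with the pattern this commit establishes.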
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-kbdcomp -profile grub-kbdcomp @{exec_path} flags=(complain) { +profile grub-kbdcomp @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index 49f08fd1e..0aad39a5f 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-macbless -profile grub-macbless @{exec_path} flags=(complain) { +profile grub-macbless @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg index b2f5ca590..d14f7c7e5 100644 --- a/apparmor.d/groups/grub/grub-menulst2cfg +++ b/apparmor.d/groups/grub/grub-menulst2cfg @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-menulst2cfg -profile grub-menulst2cfg @{exec_path} flags=(complain) { +profile grub-menulst2cfg @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 91ebc8ee9..5d85d1cd2 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-mkconfig -profile grub-mkconfig @{exec_path} flags=(complain) { +profile grub-mkconfig @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 306173901..4b1c7de9f 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap -profile grub-mkdevicemap @{exec_path} flags=(complain) { +profile grub-mkdevicemap @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont index a0ace1a2a..60ebb3fc0 100644 --- a/apparmor.d/groups/grub/grub-mkfont +++ b/apparmor.d/groups/grub/grub-mkfont 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mkfont -profile grub-mkfont @{exec_path} flags=(complain) { +profile grub-mkfont @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage index 2b6212a0a..9ab08c47c 100644 --- a/apparmor.d/groups/grub/grub-mkimage +++ b/apparmor.d/groups/grub/grub-mkimage @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mkimage -profile grub-mkimage @{exec_path} flags=(complain) { +profile grub-mkimage @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout index b9a514b72..80a7dbec3 100644 --- a/apparmor.d/groups/grub/grub-mklayout +++ b/apparmor.d/groups/grub/grub-mklayout @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mklayout -profile grub-mklayout @{exec_path} flags=(complain) { +profile grub-mklayout @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir index 4f37e31a0..94cccd1ed 100644 --- a/apparmor.d/groups/grub/grub-mknetdir +++ b/apparmor.d/groups/grub/grub-mknetdir @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mknetdir -profile grub-mknetdir @{exec_path} flags=(complain) { +profile grub-mknetdir @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 index ef9e5c6da..840d8589d 100644 --- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 +++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2 -profile grub-mkpasswd-pbkdf2 @{exec_path} flags=(complain) { +profile grub-mkpasswd-pbkdf2 @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 76e7c0a3f..5e5e532d9 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath -profile grub-mkrelpath @{exec_path} flags=(complain) { +profile grub-mkrelpath @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue index 9948ac15f..f4996dd05 100644 --- a/apparmor.d/groups/grub/grub-mkrescue +++ b/apparmor.d/groups/grub/grub-mkrescue @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mkrescue -profile grub-mkrescue @{exec_path} flags=(complain) { +profile grub-mkrescue @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone index 90e3a4c46..b2474be7f 100644 --- a/apparmor.d/groups/grub/grub-mkstandalone +++ b/apparmor.d/groups/grub/grub-mkstandalone @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mkstandalone -profile grub-mkstandalone @{exec_path} flags=(complain) { +profile grub-mkstandalone @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount index b855d7e45..90d875236 100644 --- a/apparmor.d/groups/grub/grub-mount +++ b/apparmor.d/groups/grub/grub-mount @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-mount -profile grub-mount @{exec_path} flags=(complain) { +profile grub-mount @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install new file mode 100644 index 000000000..989062712 --- /dev/null +++ b/apparmor.d/groups/grub/grub-multi-install 
@@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/grub/grub-multi-install +profile grub-multi-install @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}{s,}bin/grub-install rPx, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/readlink rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/udevadm rPx, + /{usr/,}bin/touch rix, + + /usr/lib/terminfo/x/xterm-256color r, + + /boot/grub/grub.cfg rw, + + @{PROC}/filesystems r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img index 6b8c10722..da3cb7c5b 100644 --- a/apparmor.d/groups/grub/grub-ntldr-img +++ b/apparmor.d/groups/grub/grub-ntldr-img @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-ntldr-img -profile grub-ntldr-img @{exec_path} flags=(complain) { +profile grub-ntldr-img @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 416d25e1c..27c83ae37 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only @@ -7,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-probe -profile grub-probe @{exec_path} flags=(complain) { +profile grub-probe @{exec_path} { include include include 
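Review bot: `/{usr/,}bin/dpkg-query rpx,` in the new grub-multi-install profile uses lowercase `p`, which transitions to the dpkg-query profile without scrubbing the environment, while every other transition in this file (`grub-install`, `udevadm`) uses `rPx`; this looks like a typo and should read `/{usr/,}bin/dpkg-query rPx,` unless an unscrubbed environment is deliberate, in which case a comment saying so is warranted. `/usr/lib/terminfo/x/xterm-256color r,` also pins a single terminal type; runs under any other TERM are denied that read unless an included abstraction already grants it, so `/usr/lib/terminfo/** r,` is more robust if the read matters at all.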
@@ -15,14 +16,29 @@ profile grub-probe @{exec_path} flags=(complain) { capability sys_admin, @{exec_path} mr, + + /{usr/,}{local/,}{s,}bin/zpool rPx, + /{usr/,}{s,}bin/lvm rPx, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/udevadm rPx, - /{usr/,}{local/,}{s,}bin/zpool rPx, + + / r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, + /dev/*vg*/ r, + /dev/bsg/ r, + /dev/cpu/ r, + /dev/cpu/[0-9]*/ r, + /dev/dri/ r, + /dev/dri/by-path/ r, + /dev/hugepages/ r, /dev/mapper/control rw, + /dev/mqueue/ r, + /dev/shm/ r, + /dev/snd/ r, + /dev/snd/by-path/ r, include if exists } diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index f16643fff..361ec7ceb 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-reboot -profile grub-reboot @{exec_path} flags=(complain) { +profile grub-reboot @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label index 8749c265c..b2f3091f3 100644 --- a/apparmor.d/groups/grub/grub-render-label +++ b/apparmor.d/groups/grub/grub-render-label @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-render-label -profile grub-render-label @{exec_path} flags=(complain) { +profile grub-render-label @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 643797e1a..18706518e 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-script-check -profile grub-script-check @{exec_path} flags=(complain) { +profile grub-script-check @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index fe8201d6c..15906373a 100644 --- a/apparmor.d/groups/grub/grub-set-default 
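Review bot: `/dev/*vg*/ r,` matches any directory under /dev whose name merely contains `vg`, which neither reliably covers LVM volume-group directories (their names are arbitrary) nor stays narrow; the surrounding additions (`/dev/bsg/`, `/dev/cpu/`, `/dev/dri/`, `/dev/hugepages/`, `/dev/mqueue/`, `/dev/shm/`, `/dev/snd/`) suggest grub-probe walks the /dev tree, so this enumeration will keep growing with each new subsystem. Since these are read-only directory listings, a single `/dev/*/ r,` (plus `/dev/*/*/ r,` for the two-level cases such as `/dev/dri/by-path/`) is both more complete and easier to audit than a substring glob, if the walk is confirmed. If the explicit list is kept, a comment such as `# grub-probe enumerates /dev/ subdirectories` above it would explain why unrelated devices appear in a boot-loader profile. The profile header is outside this hunk.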
+++ b/apparmor.d/groups/grub/grub-set-default @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/grub-set-default -profile grub-set-default @{exec_path} flags=(complain) { +profile grub-set-default @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg index 487e61680..f03d70a96 100644 --- a/apparmor.d/groups/grub/grub-syslinux2cfg +++ b/apparmor.d/groups/grub/grub-syslinux2cfg @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/grub-syslinux2cfg -profile grub-syslinux2cfg @{exec_path} flags=(complain) { +profile grub-syslinux2cfg @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index a59d80b9c..883e679d8 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/update-grub{2,} -profile update-grub @{exec_path} flags=(complain) { +profile update-grub @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 9e018e0a2..9804592ac 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -33,6 +33,10 @@ profile frontend @{exec_path} flags=(complain) { /{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel, /usr/share/debian-security-support/check-support-status.hook rPx, + # Grub + /{usr/,}lib/grub/grub-multi-install rPx, + /usr/share/grub/grub-check-signatures rPx, + # Run the package maintainer's scripts # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) #/var/lib/dpkg/info/*.{config,templates} rPUx, diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 5ed5c8966..321614bb5 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy 
@@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only @@ -7,11 +8,15 @@ abi , include @{exec_path} = /{usr/,}{,s}bin/update-secureboot-policy -profile update-secureboot-policy @{exec_path} flags=(complain) { +profile update-secureboot-policy @{exec_path} { include + include @{exec_path} rm, - /usr/share/debconf/frontend rPx, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/dpkg-trigger rPx, + /usr/share/debconf/frontend rPx, include if exists } \ No newline at end of file diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6e4770f56..b9a7b174f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -81,6 +81,33 @@ gnome-system-monitor attach_disconnected,complain gnome-terminal-server complain gnome-tweaks complain gpg complain +grub-bios-setup complain +grub-editenv complain +grub-file complain +grub-fstest complain +grub-glue-efi complain +grub-kbdcomp complain +grub-macbless complain +grub-menulst2cfg complain +grub-mkconfig complain +grub-mkdevicemap complain +grub-mkfont complain +grub-mkimage complain +grub-mklayout complain +grub-mknetdir complain +grub-mkpasswd-pbkdf2 complain +grub-mkrelpath complain +grub-mkrescue complain +grub-mkstandalone complain +grub-mount complain +grub-multi-install complain +grub-ntldr-img complain +grub-probe complain +grub-reboot complain +grub-render-label complain +grub-script-check complain +grub-set-default complain +grub-syslinux2cfg complain gsd-media-keys attach_disconnected,complain gsd-print-notifications attach_disconnected,complain gsd-printer attach_disconnected,complain @@ -213,6 +240,8 @@ udisksctl complain udisksd attach_disconnected,complain umount complain umount.udisks2 complain +update-grub complain +update-secureboot-policy complain uptimed complain userdbctl complain virt-manager attach_disconnected,complain
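Review bot: `/{usr/,}bin/dpkg-trigger rPx,` in update-secureboot-policy requires a loaded profile named dpkg-trigger, and nothing in this diff adds or references one; if it is missing, the exec is denied in enforce mode and only logged in complain mode, so confirm that profile exists in the tree before relying on this rule. The new `include` line at the top of the hunk has no visible target in this rendering, so its effect could not be checked here.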