fix(profile): various fixes from issue raised by the CI.

2025-07-21 22:17:03 +02:00 · 2025-07-21 22:17:03 +02:00 · 1dace30af3
commit 1dace30af3
parent d4210c99d1
7 changed files with 18 additions and 1 deletions
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@ -11,6 +11,8 @@ profile dpkg-script-systemd @{exec_path} {
  include <abstractions/base>
  include <abstractions/common/debconf>

+  capability dac_read_search,
+
  @{exec_path} mrix,

  @{coreutils_path}               rix,
@ -21,7 +23,7 @@ profile dpkg-script-systemd @{exec_path} {
  @{bin}/dpkg-divert               Px,
  @{bin}/dpkg-maintscript-helper   Px,
  @{bin}/journalctl                Px,
-  @{bin}/kernel-install            Px,
+  @{bin}/kernel-install          mrPx,
  @{bin}/systemctl                 Cx -> systemctl,
  @{bin}/systemd-machine-id-setup  Px,
  @{bin}/systemd-sysusers          Px,
@ -35,11 +37,14 @@ profile dpkg-script-systemd @{exec_path} {
  /etc/pam.d/sed@{rand6} rw,
  /etc/pam.d/common-password  rw,

+  @{efi}/ r,
+
  /var/lib/systemd/{,*} rw,
  /var/log/journal/ rw,

  profile dpkg {
    include <abstractions/base>
+    include <abstractions/consoles>
    include <abstractions/common/apt>

    capability dac_read_search,
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -16,6 +16,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  capability linux_immutable,
  capability mknod,
  capability net_admin,
+  capability sys_rawio,
  capability sys_resource,

  signal send peer=child-pager,
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@ -17,6 +17,10 @@ profile localectl @{exec_path} {
  signal send set=cont peer=child-pager,

  #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
+  dbus send bus=system path=/org/freedesktop/locale1
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.locale1),

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -17,6 +17,10 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system,

  #aa:dbus own bus=system name=org.freedesktop.locale1
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=Reload
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@ -33,6 +33,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
  @{att}/@{run}/systemd/notify w,
  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
  @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Machine rw,

  @{run}/systemd/userdb/{,**} rw,

--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -73,6 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  @{bin}/kmod                    rCx -> kmod,
  @{bin}/ps                      rPx,
  @{sbin}/runc                   rUx,
+  @{bin}/runc                    rUx, #aa:lint ignore
  @{bin}/unpigz                  rix,
  @{sbin}/xtables-nft-multi      rCx -> nft,
  @{sbin}/xtables-legacy-multi   rCx -> nft,
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@ -14,6 +14,7 @@ profile kernel-install @{exec_path} {
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>

+  capability sys_rawio,
  capability sys_resource,

  ptrace read peer=@{p_systemd},