From 25049292ebd9f02dd0bfc4925dcacb2144a94b62 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 23 Oct 2024 11:39:49 +0100
Subject: [PATCH] feat(profile): improve integration with Tumbleweed.

see #576
---
 apparmor.d/groups/freedesktop/fc-list | 1 +
 apparmor.d/groups/gpg/gpg-agent | 1 +
 apparmor.d/groups/gpg/gpgsm | 1 +
 apparmor.d/groups/systemd/systemd-escape | 1 +
 apparmor.d/groups/systemd/systemd-hwdb | 6 +++---
 apparmor.d/groups/systemd/systemd-journald | 1 +
 apparmor.d/groups/systemd/systemd-sysusers | 6 +++---
 apparmor.d/profiles-a-f/blkid | 4 ++++
 apparmor.d/profiles-g-l/issue-generator | 1 +
 apparmor.d/profiles-g-l/lsblk | 2 +-
 apparmor.d/profiles-s-z/sync | 4 ++++
 11 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list
index 3f2fb4e02..ffe996c52 100644
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/fc-list
 profile fc-list @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 75bb7583f..708ccc5f3 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/gpg-agent
 profile gpg-agent @{exec_path} {
 include
+ include
 include
 signal (receive) peer=pinentry-*,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 364c05f73..bfa71cf53 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/gpgsm
 profile gpgsm @{exec_path} {
 include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape
index 0a38bf0fb..4a542497f 100644
--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/systemd-escape
 profile systemd-escape @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 5664cde02..9b6203e92 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{exec_path} mr,
 @{lib}/udev/#@{int} rwl,
- @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
+ @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
 @{lib}/udev/hwdb.bin w,
- /etc/udev/.#hwdb.bind* rw,
- /etc/udev/hwdb.bin rw,
+ /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},
+ /etc/udev/hwdb.bin w,
 /etc/udev/hwdb.d/{,*} r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 4f95bed40..cc1f541dd 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -64,6 +64,7 @@ profile systemd-journald @{exec_path} {
 @{run}/udev/data/b259:@{int} r, # Block Extended Major
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/b8:@{int} r, # for /dev/sd*
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
 @{run}/udev/data/c108:@{int} r, # For /dev/ppp
 @{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index d6b1cb266..e1ca76d57 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
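Review bot: The new `/etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},` rule names `/etc/udev/#@{int}` as the link target, but unlike the `@{lib}/udev` block just above it there is no `/etc/udev/#@{int} rwl,` rule covering that anonymous temporary file itself. If hwdb.bin under /etc/udev is produced by the same create-tmpfile-then-link sequence that the `@{lib}/udev/#@{int} rwl,` line exists for, the tmpfile side of the operation will still be denied; adding `/etc/udev/#@{int} rwl,` directly above the new link rule keeps the two locations symmetric. The `rw` to `w` change on `/etc/udev/hwdb.bin` also drops read access; that matches `@{lib}/udev/hwdb.bin w,`, but if a query sub-command reads the compiled database under this profile a read denial would appear, so it is worth confirming against the audit log. The profile body continues outside the hunk.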
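Review bot: The added `@{run}/udev/data/b8:@{int} r,` line is slotted between the `c4` and `c10` entries, which breaks both the grouping of block-device majors (the only other `b` entry, `b259`, heads the list) and the ascending numeric order the neighbouring `c` entries follow, and its comment uses lowercase `# for` where every adjacent line uses `# For`. Moving it to sit right after the `b259` line and writing it as `@{run}/udev/data/b8:@{int} r, # For /dev/sd*` keeps the list scannable for the next person adding a major number. The surrounding profile block starts and ends outside the hunk.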
@@ -19,9 +19,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 # Config file locations
- /etc/sysusers.d/*.conf r,
- @{run}/sysusers.d/*.conf r,
- /usr/lib/sysusers.d/*.conf r,
+ /etc/sysusers.d/{,*.conf} r,
+ @{run}/sysusers.d/{,*.conf} r,
+ /usr/lib/sysusers.d/{,*.conf} r,
 # Where the users can be created,
 /home/{,*} rw,
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index 4aea919b4..903e2cb62 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -40,6 +40,10 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 @{PROC}/partitions r,
 @{PROC}/swaps r,
+ # Other possible location of the cache file
+ /dev/.blkid.tab{,-@{rand6}} rw,
+ /dev/blkid.tab.old rwl -> /dev/blkid.tab,
+
 owner /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index 6c6d61c44..3602a1a1e 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/issue-generator
 profile issue-generator @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk
index 147e1ba24..7559e4e48 100644
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/lsblk
-profile lsblk @{exec_path} {
+profile lsblk @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync
index 3b18ad36e..907def2b1 100644
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@@ -13,6 +13,10 @@ profile sync @{exec_path} {
 @{exec_path} mr,
+ # Common paths where sync is used to flush all write operations on a single file to disk
+ # TODO: /** rw, ?
+ /boot/initrd-*-default rw,
+
 include if exists
 }
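Review bot: The two new cache rules disagree on the file name: `/dev/.blkid.tab{,-@{rand6}} rw,` has a leading dot, while the backup rule `/dev/blkid.tab.old rwl -> /dev/blkid.tab,` names both the link and its target without one, and the undotted `/dev/blkid.tab` has no write rule of its own. If the cache really is `/dev/.blkid.tab`, a backup created next to it would be spelled `/dev/.blkid.tab.old rwl -> /dev/.blkid.tab,`; if the undotted name is the real one, the first rule is the one that is off. Please check the path in the denial that motivated the change and align the two lines, since as written one of them will never match. The profile block starts and ends outside the hunk.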
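Review bot: The new `flags=(attach_disconnected)` on the lsblk profile line has no comment saying which access needed it, and the flag is not free: it makes paths with no connection to the namespace root appear as if they were attached at `/`, so every existing file rule in the profile starts matching objects it could not reach before. A one-line note above the profile header naming the disconnected path from the denial, for example `# attach_disconnected: needed for <path reported in the audit log>`, lets the next reviewer re-check whether the flag is still required and keeps the widening deliberate. The rest of the profile lies outside the hunk.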
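Review bot: `/boot/initrd-*-default rw,` grants sync write access to the initrd, which a tool that only needs a descriptor to call fsync/syncfs on does not require; assuming sync opens its file arguments read-only as coreutils does (falling back to write-only only when read is refused), `/boot/initrd-*-default r,` should be enough and keeps a confined sync from being able to modify boot artifacts. The `# TODO: /** rw, ?` comment points in a worse direction: it would turn sync into a profile with write access to the entire filesystem, so if a generalisation is wanted it should be `/** r,` at most, and the comment should say so, e.g. `# TODO: /** r, ? sync only needs an open fd, never write`. The hunk closes the profile with `}`.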