update apparmor profiles

2021-09-07 01:24:39 +02:00 · 2021-09-07 01:24:39 +02:00 · 2a6b2bd189
commit 2a6b2bd189
parent efda369670
70 changed files with 221 additions and 144 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -127,7 +127,7 @@ profile apt @{exec_path} flags=(complain) {
    /{usr/,}bin/sensible-editor mr,
    /{usr/,}bin/vim.*           mrix,
    /{usr/,}bin/{,ba,da}sh       rix,
-    /{usr/,}bin/which            rix,
+    /{usr/,}bin/which{,.debianutils}            rix,

    owner @{HOME}/.selected_editor r,

--- a/apparmor.d/groups/apt/apt-forktracer
+++ b/apparmor.d/groups/apt/apt-forktracer
@ -29,6 +29,8 @@ profile apt-forktracer @{exec_path} {
  /var/lib/apt/lists/ r,
  /var/lib/apt/lists/*_InRelease r,

+  /var/cache/apt/pkgcache.bin{,.*} rw,
+
  /usr/share/distro-info/debian.csv r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/apt/apt-get
+++ b/apparmor.d/groups/apt/apt-get
@ -136,7 +136,7 @@ profile apt-get @{exec_path} flags=(complain) {
    /{usr/,}bin/sensible-pager mr,
    /{usr/,}bin/{,ba,da}sh    rix,

-    /{usr/,}bin/which         rix,
+    /{usr/,}bin/which{,.debianutils}         rix,
    /{usr/,}bin/less          rix,

    owner @{HOME}/.less* rw,
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@ -84,7 +84,7 @@ profile apt-listchanges @{exec_path} {

    /{usr/,}bin/           r,
    /{usr/,}bin/{,ba,da}sh rix,
-    /{usr/,}bin/which      rix,
+    /{usr/,}bin/which{,.debianutils}      rix,
    /{usr/,}bin/less       rix,

    owner @{HOME}/.less* rw,
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@ -45,6 +45,8 @@ profile apt-methods-gpgv @{exec_path} {
  /{usr/,}bin/sed       rix,
  /{usr/,}bin/sort      rix,
  /{usr/,}bin/touch     rix,
+  /{usr/,}bin/gawk      rix,
+  /{usr/,}bin/base64    rix,

  # For shell pwd
  / r,
@ -78,7 +80,10 @@ profile apt-methods-gpgv @{exec_path} {

  # Local keyring storage
  /etc/keyrings/ r,
-  /etc/keyrings/*.gpg r,
+  /etc/keyrings/*.{gpg,asc} r,
+
+  # Extrepo keyring storage
+  /var/lib/extrepo/keys/*.{gpg,asc} r,

  # For package building
  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@ -23,7 +23,7 @@ profile apt-systemd-daily @{exec_path} {
  /{usr/,}bin/rm         rix,
  /{usr/,}bin/mv         rix,
  /{usr/,}bin/savelog    rix,
-  /{usr/,}bin/which      rix,
+  /{usr/,}bin/which{,.debianutils}      rix,
  /{usr/,}bin/touch      rix,
  /{usr/,}bin/basename   rix,
  /{usr/,}bin/dirname    rix,
--- a/apparmor.d/groups/apt/aptitude
+++ b/apparmor.d/groups/apt/aptitude
@ -174,7 +174,7 @@ profile aptitude @{exec_path} flags=(complain) {
    /{usr/,}bin/sensible-pager mr,
    /{usr/,}bin/{,ba,da}sh rix,

-    /{usr/,}bin/which      rix,
+    /{usr/,}bin/which{,.debianutils}      rix,
    /{usr/,}bin/less       rix,

    owner @{HOME}/.less* rw,
--- a/apparmor.d/groups/apt/aptitude-create-state-bundle
+++ b/apparmor.d/groups/apt/aptitude-create-state-bundle
@ -15,7 +15,7 @@ profile aptitude-create-state-bundle @{exec_path} {
  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,

-  /{usr/,}bin/which      rix,
+  /{usr/,}bin/which{,.debianutils}      rix,
  /{usr/,}bin/tar        rix,
  /{usr/,}bin/bzip2      rix,
  /{usr/,}bin/gzip       rix,
--- a/apparmor.d/groups/apt/cron-apt-compat
+++ b/apparmor.d/groups/apt/cron-apt-compat
@ -21,7 +21,7 @@ profile cron-apt-compat @{exec_path} {
  /{usr/,}bin/dd                    rix,
  /{usr/,}bin/cksum                 rix,
  /{usr/,}bin/cut                   rix,
-  /{usr/,}bin/which                 rix,
+  /{usr/,}bin/which{,.debianutils}                 rix,
  /{usr/,}bin/sleep                 rix,

  include if exists <local/cron-apt-compat>
--- a/apparmor.d/groups/apt/cron-apt-xapian-index
+++ b/apparmor.d/groups/apt/cron-apt-xapian-index
@ -13,7 +13,7 @@ profile cron-apt-xapian-index @{exec_path} {
  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,

-  /{usr/,}bin/which      rix,
+  /{usr/,}bin/which{,.debianutils}      rix,
  /{usr/,}bin/{,e}grep   rix,

  /{usr/,}bin/nice       rix,
--- a/apparmor.d/groups/apt/cron-aptitude
+++ b/apparmor.d/groups/apt/cron-aptitude
@ -16,7 +16,7 @@ profile cron-aptitude @{exec_path} {
  /{usr/,}bin/cp         rix,
  /{usr/,}bin/date       rix,
  /{usr/,}bin/basename   rix,
-  /{usr/,}bin/which      rix,
+  /{usr/,}bin/which{,.debianutils}      rix,
  /{usr/,}bin/dirname    rix,
  /{usr/,}bin/rm         rix,
  /{usr/,}bin/mv         rix,
--- a/apparmor.d/groups/apt/cron-popularity-contest
+++ b/apparmor.d/groups/apt/cron-popularity-contest
@ -65,7 +65,7 @@ profile cron-popularity-contest @{exec_path} {

    /{usr/,}bin/date       rix,
    /{usr/,}bin/basename   rix,
-    /{usr/,}bin/which      rix,
+    /{usr/,}bin/which{,.debianutils}      rix,
    /{usr/,}bin/dirname    rix,
    /{usr/,}bin/rm         rix,
    /{usr/,}bin/mv         rix,
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -92,9 +92,12 @@ profile reportbug @{exec_path} {
  @{sys}/module/apparmor/parameters/enabled r,

  owner     /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
-  owner     /tmp/[a-z0-9]* rw,
+  owner     /tmp/* rw,
  owner /var/tmp/*.bug{,~} rw,

+  owner @{HOME}/draftbugreports/ r,
+  owner @{HOME}/draftbugreports/reportbug-* rw,
+
  # Allowed apps to open
  /{usr/,}lib/firefox/firefox rPUx,

@ -114,7 +117,8 @@ profile reportbug @{exec_path} {
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

-    owner /tmp/reportbug-*-{signed,unsigned}-[0-9]*-[0-9]*-* rw,
+    owner /tmp/reportbug-*-{signed,unsigned}-* rw,
+    owner @{HOME}/draftbugreports/reportbug-*-{signed,unsigned}-* rw,

  }