From 334b48749a67f97d2eab517ce8418807965390ea Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 4 Mar 2025 22:33:42 +0100
Subject: [PATCH] feat(profile): various minor update.

---
 apparmor.d/groups/bus/dbus-system | 2 ++
 apparmor.d/groups/filesystem/lvm | 1 +
 apparmor.d/groups/gnome/gnome-shell | 2 ++
 apparmor.d/groups/shadow/chpasswd | 8 ++++++++
 apparmor.d/groups/snap/snapd | 5 +++++
 apparmor.d/groups/ssh/ssh | 3 ++-
 apparmor.d/groups/ssh/sshd | 12 ++++++------
 apparmor.d/groups/systemd/systemd-coredump | 2 ++
 apparmor.d/groups/systemd/systemd-update-utmp | 2 +-
 apparmor.d/groups/systemd/systemd-vconsole-setup | 2 +-
 apparmor.d/groups/ubuntu/release-upgrade-motd | 2 ++
 apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 ++
 apparmor.d/groups/utils/login | 1 -
 apparmor.d/groups/utils/uname | 3 +++
 apparmor.d/groups/virt/dockerd | 3 +++
 apparmor.d/profiles-a-f/console-setup | 1 +
 apparmor.d/profiles-a-f/file-roller | 1 +
 apparmor.d/profiles-a-f/fractal | 2 ++
 apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 ++
 apparmor.d/profiles-m-r/run-parts | 2 ++
 apparmor.d/profiles-s-z/tlp | 3 +++
 21 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index 0296a262f..cafaf0570 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -63,6 +63,7 @@ profile dbus-system flags=(attach_disconnected) {
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
+ @{run}/systemd/notify w,
 @{run}/systemd/users/@{int} r,
@@ -78,6 +79,7 @@ profile dbus-system flags=(attach_disconnected) {
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm
index 75cd0de80..a73262d75 100644
--- a/apparmor.d/groups/filesystem/lvm
+++ b/apparmor.d/groups/filesystem/lvm
@@ -30,6 +30,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
 @{etc_rw}/lvm/** rwkl,
 /etc/multipath.conf r,
+ /etc/multipath/* r,
 @{run}/lock/ rw,
 @{run}/lock/lvm/ rw,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index f2ff71f03..ee4bfe33b 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -269,6 +269,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
 owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
+ owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw,
+ owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w,
 owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
 owner @{user_cache_dirs}/gnome-boxes/*.png r,
 owner @{user_cache_dirs}/gnome-photos/{,**} r,
diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd
index 869ba20ab..4b752a440 100644
--- a/apparmor.d/groups/shadow/chpasswd
+++ b/apparmor.d/groups/shadow/chpasswd
@@ -9,13 +9,18 @@ include
 @{exec_path} = @{bin}/chpasswd
 profile chpasswd @{exec_path} {
 include
+ include
 include
 include
+ capability audit_write,
 capability chown,
 capability fsetid,
+ capability net_admin,
 capability setuid,
+ network netlink raw,
+
 @{exec_path} mr,
 @{etc_ro}/login.defs r,
@@ -32,6 +37,9 @@ profile chpasswd @{exec_path} {
 /etc/shadow.lock w,
 /etc/shadow+ rw,
+ /etc/pam.d/chpasswd r,
+ /etc/pam.d/common-* r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index 273b68fc5..3e6a4460a 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
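Review bot: `capability net_admin` in the first chpasswd hunk is a broad grant for a password-change tool and nothing in the hunk says what needs it; the PAM audit logging that the new `capability audit_write` and `network netlink raw` rules serve usually works with those two alone, though I cannot confirm that from the profile text. If the capability came from an observed denial, a comment above it naming the operation seen in the log (e.g. `# for PAM audit: <operation from denial log>`) would let a later reviewer decide whether it is still needed; otherwise it is worth dropping it and re-testing a password change. The include added at the top of this hunk has lost its argument in this rendering, so I cannot tell which abstraction was pulled in alongside the `/etc/pam.d/*` reads of the second hunk.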
@@ -57,6 +57,11 @@ profile snapd @{exec_path} {
 member={SetWallMessage,ScheduleShutdown}
 peer=(name=org.freedesktop.login1, label=systemd-logind),
+ dbus send bus=system path=/org/freedesktop/timedate1
+ interface=org.freedesktop.DBus.Properties
+ member=Get
+ peer=(name=org.freedesktop.timedate1, label=unconfined),
+
 @{exec_path} mrix,
 @{bin}/adduser rPx,
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 0c86919b1..bdbcf8fa6 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -45,7 +45,8 @@ profile ssh @{exec_path} {
 audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,
- owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16},
+ owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
+ owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
 owner @{run}/user/@{uid}/keyring/ssh rw,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 21892cc47..f6638d5d9 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -62,12 +62,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{bin}/@{shells} rUx,
- @{bin}/false rix,
- @{bin}/nologin rPx,
- @{bin}/passwd rPx,
- @{lib}/openssh/sftp-server rPx,
- @{lib}/ssh/sshd-session rix,
+ @{bin}/@{shells} rUx,
+ @{bin}/false rix,
+ @{bin}/nologin rPx,
+ @{bin}/passwd rPx,
+ @{lib}/{openssh,ssh}/sftp-server rPx,
+ @{lib}/{openssh,ssh}/sshd-session rix,
 @{etc_ro}/environment r,
 @{etc_ro}/security/limits.d/{,*.conf} r,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index b26dabae7..856bee914 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
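Review bot: The new timedate1 rule pins the peer to `label=unconfined`, which only matches while systemd-timedated runs without a profile; if this project confines systemd-timedated, or a user adds such a profile, the Get call is denied again. The login1 rule just above uses `label=systemd-logind` for the same situation, so either a matching peer label for the timedated profile or a comment explaining why timedated is expected to be unconfined (e.g. `# systemd-timedated is not confined by this project`) would make the intent clear. The grant itself is narrow: Properties.Get on timedate1 is read-only.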
@@ -39,6 +39,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 /etc/systemd/coredump.conf r,
 /etc/systemd/coredump.conf.d/{,**} r,
+ owner @{HOME}/**.so r,
+
 /var/lib/systemd/coredump/{,**} rwl,
 @{PROC}/@{pids}/cgroup r,
diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp
index 1a2ff9a31..82025859b 100644
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/,
+ unix bind type=stream addr=@@{udbus}/bus/systemd-update-/,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup
index 5f28050c1..8c99d606c 100644
--- a/apparmor.d/groups/systemd/systemd-vconsole-setup
+++ b/apparmor.d/groups/systemd/systemd-vconsole-setup
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-vconsole-setup
-profile systemd-vconsole-setup @{exec_path} {
+profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd
index 08a54df0a..b5d7d2885 100644
--- a/apparmor.d/groups/ubuntu/release-upgrade-motd
+++ b/apparmor.d/groups/ubuntu/release-upgrade-motd
@@ -22,6 +22,8 @@ profile release-upgrade-motd @{exec_path} {
 /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
+ @{run}/motd.dynamic.new w,
+
 /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
index 86ac61f41..77b24fa27 100644
--- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
+++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
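Review bot: `owner @{HOME}/**.so r,` lets the coredump handler read any shared object under any home directory, presumably for symbolizing stack traces of crashed processes that loaded user-installed libraries, but the hunk leaves that unexplained. The `owner` qualifier only restricts the match to files owned by the uid systemd-coredump runs as, which the profile does not show here, so whether it narrows anything depends on the service configuration. The rule is read-only, so the exposure is limited to library contents reaching the crash report; a comment such as `# symbolize traces of user-installed libraries (read-only)` above the rule would record the purpose and the uid assumption.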
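Review bot: `@{run}/motd.dynamic.new w,` is added here to release-upgrade-motd and in identical form to update-motd-fsck-at-reboot, landscape-sysinfo.wrapper and run-parts in the later hunks; these all look like update-motd scripts writing the file that the login profile already handles with `@{run}/motd.dynamic{,.new} rw,`, so one shared abstraction (or the run-parts `motd` subprofile visible in that hunk) would keep the four copies from drifting apart. The write carries no `owner` qualifier, which is acceptable only if these scripts always run as root from the motd machinery; a comment above the rule stating that expectation, e.g. `# output fragment collected by pam_motd/update-motd`, would make the grant reviewable.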
@@ -25,6 +25,8 @@ profile update-motd-fsck-at-reboot @{exec_path} {
 /var/lib/update-notifier/fsck-at-reboot rw,
+ @{run}/motd.dynamic.new w,
+
 @{PROC}/uptime r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login
index f83c1687e..dbf334577 100644
--- a/apparmor.d/groups/utils/login
+++ b/apparmor.d/groups/utils/login
@@ -62,7 +62,6 @@ profile login @{exec_path} flags=(attach_disconnected) {
 @{att}/@{run}/systemd/sessions/@{int}.ref w,
 @{run}/credentials/getty@tty@{int}.service/ r,
- @{run}/dbus/system_bus_socket rw,
 @{run}/faillock/@{user} rwk,
 @{run}/motd.d/{,*} r,
 @{run}/motd.dynamic{,.new} rw,
diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname
index 45a864c23..6ca8a6370 100644
--- a/apparmor.d/groups/utils/uname
+++ b/apparmor.d/groups/utils/uname
@@ -14,6 +14,9 @@ profile uname @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ @{lib}/@{multiarch}/ld-linux-*so* r,
+ @{lib}/@{multiarch}/libc.so* mr,
+
 @{att}/dev/tty@{int} rw,
 deny network,
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 2e2d36355..b2228ec6f 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -21,6 +21,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 capability kill,
 capability mknod,
 capability net_admin,
+ capability net_raw,
 capability setfcap,
 capability sys_admin,
 capability sys_chroot,
@@ -31,6 +32,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network inet6 stream,
 network netlink raw,
+ network packet dgram,
 mount /tmp/containerd-mount@{int}/,
 mount /var/lib/docker/**/,
@@ -91,6 +93,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/docker/** rwlk,
 owner @{run}/docker.pid rw,
+ @{sys}/devices/virtual/net/** r,
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/cpuset.cpus.effective r,
 @{sys}/fs/cgroup/cpuset.mems.effective r,
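Review bot: In the uname hunk, `@{lib}/@{multiarch}/ld-linux-*so* r,` grants only read on the dynamic loader while the sibling libc rule and the usual base-abstraction rule for the loader grant `mr`; the kernel maps the ELF interpreter with PROT_EXEC after the profile transition, so a missing `m` would normally surface as a denial. Presumably this profile deliberately omits the base abstraction, which is why these two rules are needed at all; if so, a comment saying so (e.g. `# minimal profile, no abstractions/base by design`) plus a check that the loader really runs with `r` alone would be useful, otherwise `mr` is the safer form.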
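Review bot: `capability net_raw` in the first dockerd hunk, together with `network packet dgram` in the second, lets dockerd open AF_PACKET sockets, a noticeably larger link-layer surface than the inet and netlink rules already present, and neither hunk records which Docker feature required it. AppArmor does not mediate the payload of packet sockets, so this grant is effectively all-or-nothing for raw frames on every interface; a comment above the capability naming the operation or network driver that triggered the denial, e.g. `# <docker feature from denial log> needs AF_PACKET`, would document the trade-off for the next reviewer. The `@{sys}/devices/virtual/net/** r,` rule in the third hunk is read-only and needs no such note.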
diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup
index d3aaddf7f..5b867e1eb 100644
--- a/apparmor.d/profiles-a-f/console-setup
+++ b/apparmor.d/profiles-a-f/console-setup
@@ -15,6 +15,7 @@ profile console-setup @{exec_path} {
 @{bin}/uname rPx,
 @{bin}/mkdir rix,
+ @{run}/console-setup/ rw,
 @{run}/console-setup/boot_completed w,
 include if exists
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 0c5a18e83..269a3b02a 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@@ -47,6 +47,7 @@ profile file-roller @{exec_path} {
 @{run}/mount/utab r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal
index 9de5761c2..0895d12eb 100644
--- a/apparmor.d/profiles-a-f/fractal
+++ b/apparmor.d/profiles-a-f/fractal
@@ -33,6 +33,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/.@{rand6} rw,
 owner @{tmp}/.goutputstream-@{rand6} rw,
+ owner @{tmp}/@{rand6} rw,
+ owner @{tmp}/etilqs_@{hex16} rw,
 owner @{run}/user/@{uid}/fractal/{,**} rw,
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
index fb9b75824..44c7a8ac7 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
@@ -32,6 +32,8 @@ profile landscape-sysinfo.wrapper @{exec_path} {
 /var/lib/landscape/landscape-sysinfo.cache rw,
+ @{run}/motd.dynamic.new w,
+
 @{PROC}/loadavg r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index d0ecbbd9e..f50b23199 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -154,6 +154,8 @@ profile run-parts @{exec_path} {
 owner @{sys}/class/power_supply/ r,
+ @{run}/motd.dynamic.new w,
+
 /dev/tty@{int} rw,
 profile motd {
diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp
index 5d81c0a75..04e3b7ffc 100644
--- a/apparmor.d/profiles-s-z/tlp
+++ b/apparmor.d/profiles-s-z/tlp
@@ -44,6 +44,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{bin}/mktemp rix,
 @{bin}/readlink rix,
 @{bin}/rm rix,
+ @{bin}/sed rix,
 @{bin}/sort rix,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/touch rix,
@@ -71,7 +72,9 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+platform:* r,
 @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/@{pci}/ r,
 @{sys}/devices/@{pci}/{,**/}power/control w,
+ @{sys}/devices/@{pci}/class r,
 @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
 @{sys}/firmware/acpi/platform_profile* rw,
 @{sys}/firmware/acpi/pm_profile* rw,