feat(profile): various minor update.

2025-03-04 22:33:42 +01:00 · 2025-03-04 22:33:42 +01:00 · 334b48749a
commit 334b48749a
parent d49e93523f
21 changed files with 51 additions and 10 deletions
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -63,6 +63,7 @@ profile dbus-system flags=(attach_disconnected) {

  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
+
  @{run}/systemd/notify w,
  @{run}/systemd/users/@{int} r,

@ -78,6 +79,7 @@ profile dbus-system flags=(attach_disconnected) {
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_score_adj rw,

--- a/apparmor.d/groups/filesystem/lvm
+++ b/apparmor.d/groups/filesystem/lvm
@ -30,6 +30,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {

  @{etc_rw}/lvm/** rwkl,
  /etc/multipath.conf r,
+  /etc/multipath/* r,

  @{run}/lock/ rw,
  @{run}/lock/lvm/ rw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -269,6 +269,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,

+  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw,
+  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w,
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
--- a/apparmor.d/groups/shadow/chpasswd
+++ b/apparmor.d/groups/shadow/chpasswd
@ -9,13 +9,18 @@ include <tunables/global>
@{exec_path} = @{bin}/chpasswd
 profile chpasswd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-system>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

+  capability audit_write,
  capability chown,
  capability fsetid,
+  capability net_admin,
  capability setuid,

+  network netlink raw,
+
  @{exec_path} mr,

  @{etc_ro}/login.defs r,
@ -32,6 +37,9 @@ profile chpasswd @{exec_path} {
  /etc/shadow.lock w,
  /etc/shadow+ rw,

+  /etc/pam.d/chpasswd r,
+  /etc/pam.d/common-* r,
+
  include if exists <local/chpasswd>
 }

--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@ -57,6 +57,11 @@ profile snapd @{exec_path} {
         member={SetWallMessage,ScheduleShutdown}
         peer=(name=org.freedesktop.login1, label=systemd-logind),

+  dbus send bus=system path=/org/freedesktop/timedate1
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.timedate1, label=unconfined),
+
  @{exec_path} mrix,

  @{bin}/adduser                  rPx,
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@ -45,7 +45,8 @@ profile ssh @{exec_path} {

  audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,

-  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{hex16},
+  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
+  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
  owner @{run}/user/@{uid}/keyring/ssh rw,

  owner @{PROC}/@{pid}/loginuid r,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -62,12 +62,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mrix,

-  @{bin}/@{shells}            rUx,
-  @{bin}/false                rix,
-  @{bin}/nologin              rPx,
-  @{bin}/passwd               rPx,
-  @{lib}/openssh/sftp-server  rPx,
-  @{lib}/ssh/sshd-session     rix,
+  @{bin}/@{shells}                  rUx,
+  @{bin}/false                      rix,
+  @{bin}/nologin                    rPx,
+  @{bin}/passwd                     rPx,
+  @{lib}/{openssh,ssh}/sftp-server  rPx,
+  @{lib}/{openssh,ssh}/sshd-session rix,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*.conf} r,
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -39,6 +39,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
  /etc/systemd/coredump.conf r,
  /etc/systemd/coredump.conf.d/{,**} r,

+  owner @{HOME}/**.so r,
+
  /var/lib/systemd/coredump/{,**} rwl,

        @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

-  unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/,
+  unix bind type=stream addr=@@{udbus}/bus/systemd-update-/,

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-vconsole-setup
+++ b/apparmor.d/groups/systemd/systemd-vconsole-setup
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{lib}/systemd/systemd-vconsole-setup
-profile systemd-vconsole-setup @{exec_path} {
+profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/ubuntu/release-upgrade-motd
+++ b/apparmor.d/groups/ubuntu/release-upgrade-motd
@ -22,6 +22,8 @@ profile release-upgrade-motd @{exec_path} {

  /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,

+  @{run}/motd.dynamic.new w,
+
  /dev/tty@{int} rw,

  include if exists <local/release-upgrade-motd>
--- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
+++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
@ -25,6 +25,8 @@ profile update-motd-fsck-at-reboot @{exec_path} {

  /var/lib/update-notifier/fsck-at-reboot rw,

+  @{run}/motd.dynamic.new w,
+
  @{PROC}/uptime r,

  /dev/tty@{int} rw,
--- a/apparmor.d/groups/utils/login
+++ b/apparmor.d/groups/utils/login
@ -62,7 +62,6 @@ profile login @{exec_path} flags=(attach_disconnected) {
  @{att}/@{run}/systemd/sessions/@{int}.ref w,

  @{run}/credentials/getty@tty@{int}.service/ r,
-  @{run}/dbus/system_bus_socket rw,
  @{run}/faillock/@{user} rwk,
  @{run}/motd.d/{,*} r,
  @{run}/motd.dynamic{,.new} rw,
--- a/apparmor.d/groups/utils/uname
+++ b/apparmor.d/groups/utils/uname
@ -14,6 +14,9 @@ profile uname @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  @{lib}/@{multiarch}/ld-linux-*so* r,
+  @{lib}/@{multiarch}/libc.so* mr,
+
  @{att}/dev/tty@{int} rw,

  deny network,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -21,6 +21,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  capability kill,
  capability mknod,
  capability net_admin,
+  capability net_raw,
  capability setfcap,
  capability sys_admin,
  capability sys_chroot,
@ -31,6 +32,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
+  network packet dgram,

  mount                        /tmp/containerd-mount@{int}/,
  mount                        /var/lib/docker/**/,
@ -91,6 +93,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  owner @{run}/docker/** rwlk,
  owner @{run}/docker.pid rw,

+  @{sys}/devices/virtual/net/** r,
  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/cpuset.cpus.effective r,
  @{sys}/fs/cgroup/cpuset.mems.effective r,
--- a/apparmor.d/profiles-a-f/console-setup
+++ b/apparmor.d/profiles-a-f/console-setup
@ -15,6 +15,7 @@ profile console-setup @{exec_path} {
  @{bin}/uname rPx,
  @{bin}/mkdir rix,

+  @{run}/console-setup/ rw,
  @{run}/console-setup/boot_completed w,

  include if exists <local/console-setup>
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@ -47,6 +47,7 @@ profile file-roller @{exec_path} {
  @{run}/mount/utab r,

  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,

  include if exists <local/file-roller>
 }
--- a/apparmor.d/profiles-a-f/fractal
+++ b/apparmor.d/profiles-a-f/fractal
@ -33,6 +33,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) {

  owner @{tmp}/.@{rand6} rw,
  owner @{tmp}/.goutputstream-@{rand6} rw,
+  owner @{tmp}/@{rand6} rw,
+  owner @{tmp}/etilqs_@{hex16} rw,

  owner @{run}/user/@{uid}/fractal/{,**} rw,

--- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
@ -32,6 +32,8 @@ profile landscape-sysinfo.wrapper @{exec_path} {

  /var/lib/landscape/landscape-sysinfo.cache rw,

+  @{run}/motd.dynamic.new w,
+
  @{PROC}/loadavg r,

  /dev/tty@{int} rw,
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -154,6 +154,8 @@ profile run-parts @{exec_path} {

  owner @{sys}/class/power_supply/            r,

+  @{run}/motd.dynamic.new w,
+
  /dev/tty@{int} rw,

  profile motd {
--- a/apparmor.d/profiles-s-z/tlp
+++ b/apparmor.d/profiles-s-z/tlp
@ -44,6 +44,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
  @{bin}/mktemp                 rix,
  @{bin}/readlink               rix,
  @{bin}/rm                     rix,
+  @{bin}/sed                    rix,
  @{bin}/sort                   rix,
  @{bin}/systemctl              rCx -> systemctl,
  @{bin}/touch                  rix,
@ -71,7 +72,9 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/+platform:* r,

  @{sys}/bus/pci/devices/ r,
+  @{sys}/devices/@{pci}/ r,
  @{sys}/devices/@{pci}/{,**/}power/control w,
+  @{sys}/devices/@{pci}/class r,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
  @{sys}/firmware/acpi/platform_profile* rw,
  @{sys}/firmware/acpi/pm_profile* rw,