update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2021-12-08 12:59:46 +01:00 · 2021-12-08 12:59:46 +01:00 · 3430e3df90
commit 3430e3df90
parent 44aca3ba51
56 changed files with 146 additions and 45 deletions
--- a/apparmor.d/groups/apt/apt-show-versions
+++ b/apparmor.d/groups/apt/apt-show-versions
@ -15,8 +15,13 @@ profile apt-show-versions @{exec_path} {

  @{exec_path} r,
  /{usr/,}bin/perl r,
+  /{usr/,}bin/{,ba,da}sh rix,

-  /usr/bin/dpkg rPx -> child-dpkg,
+  /{usr/,}bin/dpkg       rPx -> child-dpkg,
+  /{usr/,}bin/apt-get    rPx,
+
+  # apt-helper gets "no new privs" so "rix" it
+  /{usr/,}lib/apt/apt-helper rix,

  owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
  owner /var/cache/apt-show-versions/files rw,
--- a/apparmor.d/groups/apt/cron-popularity-contest
+++ b/apparmor.d/groups/apt/cron-popularity-contest
@ -46,6 +46,7 @@ profile cron-popularity-contest @{exec_path} {
  /var/log/ r,
  /var/log/popularity-contest{,.new} rw,
  /var/log/popularity-contest{,.new}.gpg rw,
+  /var/log/popularity-contest.[0-9]* rw,

  # Store last successful http submission timestamp
  /var/lib/popularity-contest/ rw,
@ -118,6 +119,8 @@ profile cron-popularity-contest @{exec_path} {

    /var/log/popularity-contest.new r,
    /var/log/popularity-contest.new.gpg rw,
+    /var/log/popularity-contest.[0-9]* r,
+    /var/log/popularity-contest.[0-9]*.gpg rw,

    owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,

@ -144,6 +147,7 @@ profile cron-popularity-contest @{exec_path} {

    /var/log/ r,
    /var/log/popularity-contest.new.gpg r,
+    /var/log/popularity-contest.[0-9]*.gpg r,

    # file_inherit
    owner /tmp/#[0-9]*[0-9] rw,
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -71,11 +71,14 @@ profile dpkg @{exec_path} {
  /etc/dpkg/dpkg.cfg r,

  owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/sys/kernel/random/boot_id r,

  owner /tmp/apt-dpkg-install-*/ r,

  /var/log/dpkg.log w,

+  @{run}/systemd/userdb/ r,
+
  # For shell pwd
  /root/ r,

@ -103,9 +106,15 @@ profile dpkg @{exec_path} {
  /var/local/**  rwl -> /var/local/**,
  /var/spool/    r,
  /var/spool/**  rwl -> /var/spool/**,
+  # Fixme when more transitions will be available (#FIXME#)
+  /var/www/      r,
+  /var/www/**    rwl,
  # To create log and cache dirs
  /var/log/**/   rw,
  /var/cache/**/ rw,
+  # To create dirs under var
+  /var/*.dpkg-new/ rw,
+  /var/*/ rw,

  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/apt/dpkg-deb
+++ b/apparmor.d/groups/apt/dpkg-deb
@ -14,6 +14,9 @@ profile dpkg-deb @{exec_path} {

  #capability sys_tty_config,

+  # For "mk-build-deps -i"
+  capability dac_override,
+
  @{exec_path} mr,

  /{usr/,}bin/tar rix,
--- a/apparmor.d/groups/apt/dpkg-genbuildinfo
+++ b/apparmor.d/groups/apt/dpkg-genbuildinfo
@ -11,6 +11,9 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/perl>

+  # For "mk-build-deps -i"
+  capability dac_override,
+
  @{exec_path} r,
  /{usr/,}bin/perl r,

--- a/apparmor.d/groups/apt/dpkg-trigger
+++ b/apparmor.d/groups/apt/dpkg-trigger
@ -16,7 +16,7 @@ profile dpkg-trigger @{exec_path} {
  /var/lib/dpkg/triggers/Lock rwk,

  /var/lib/dpkg/triggers/ r,
-  /var/lib/dpkg/triggers/Unincorp{,.new} rw,
+  /var/lib/dpkg/triggers/* rw,

  include if exists <local/dpkg-trigger>
 }