update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2022-04-24 11:52:42 +02:00 · 2022-04-24 11:52:42 +02:00 · 35a281d045
commit 35a281d045
parent 85e7f58d3c
28 changed files with 147 additions and 38 deletions
--- a/apparmor.d/groups/apt/apt-forktracer
+++ b/apparmor.d/groups/apt/apt-forktracer
@ -1,13 +1,6 @@
-# vim:syntax=apparmor
-# ------------------------------------------------------------------
-#
-#    Copyright (C) 2021 Mikhail Morfikov
-#
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

@ -22,7 +15,8 @@ profile apt-forktracer @{exec_path} {
  @{exec_path} mr,

  /{usr/,}bin/ r,
-  /{usr/,}bin/dpkg rPx -> child-dpkg,
+  /{usr/,}bin/dpkg      rPx -> child-dpkg,
+  /{usr/,}bin/apt-cache rPx,

  /usr/share/apt-forktracer/{,**} r,

@ -38,5 +32,8 @@ profile apt-forktracer @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

+  /etc/dpkg/origins/debian r,
+  /etc/debian_version r,
+
  include if exists <local/apt-forktracer>
 }
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@ -35,6 +35,7 @@ profile apt-methods-gpgv @{exec_path} {
  /{usr/,}bin/find              rix,
  /{usr/,}bin/gpgv              rix,

+  /{usr/,}bin/head      rix,
  /{usr/,}bin/cat       rix,
  /{usr/,}bin/chmod     rix,
  /{usr/,}bin/cmp       rix,
@ -79,8 +80,8 @@ profile apt-methods-gpgv @{exec_path} {
  @{PROC}/@{pid}/fd/ r,

  # Local keyring storage
-  /etc/keyrings/ r,
-  /etc/keyrings/*.{gpg,asc} r,
+  /etc/apt/keyrings/ r,
+  /etc/apt/keyrings/*.{gpg,asc} r,

  # Extrepo keyring storage
  /var/lib/extrepo/keys/*.{gpg,asc} r,
--- a/apparmor.d/groups/apt/debsums
+++ b/apparmor.d/groups/apt/debsums
@ -46,6 +46,7 @@ profile debsums @{exec_path} {
  /var/lib/{,**} r,
  /opt/{,**} r,
  /boot/{,**} r,
+  /lib*/{,**} r,

  include if exists <local/debsums>
 }
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -89,6 +89,9 @@ profile dpkg @{exec_path} {
  /usr/**  rwl -> /usr/**,
  /lib/    r,
  /lib/**  rwl -> /lib/** ,
+  # Fixme when more transitions will be available (#FIXME#)
+  /lib{,32,64,x64}/ r,
+  /lib{,32,64,x64}/** rwl,
  /bin/    r,
  /bin/*   rwl -> /bin/*,
  /sbin/   r,
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@ -52,6 +52,9 @@ profile querybts @{exec_path} {

  /etc/fstab r,

+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
  # Allowed apps to open
  /{usr/,}lib/firefox/firefox rPUx,

--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -93,6 +93,8 @@ profile reportbug @{exec_path} {

  @{sys}/module/apparmor/parameters/enabled r,

+  /dev/ptmx rw,
+
  owner     /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
  owner     /tmp/* rw,
  owner /var/tmp/*.bug{,~} rw,