feat(profile): update some core profiles.

2024-11-12 20:42:31 +00:00 · 2024-11-12 20:42:31 +00:00 · 4108d6a987
commit 4108d6a987
parent cf2998b7bd
11 changed files with 33 additions and 7 deletions
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -53,6 +53,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
        /var/lib/polkit{,-1}/localauthority/{,**} r,
  owner /var/lib/polkit{,-1}/.cache/ rw,

+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,

--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/upower
 profile upower @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/consoles>

  # Needed?
  audit capability sys_nice,
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -43,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/flatpak/db/ rw,
  owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/flatpak/db/background rw,
+  owner @{user_share_dirs}/flatpak/db/desktop-used-apps r,
  owner @{user_share_dirs}/flatpak/db/devices rw,
  owner @{user_share_dirs}/flatpak/db/documents rw,
  owner @{user_share_dirs}/flatpak/db/notifications rw,
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -49,6 +49,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {

    capability net_admin,

+    @{att}/@{run}/systemd/private rw,
+
    include if exists <local/netplan.script_systemctl>
  }

--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -22,9 +22,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
  capability setuid,
  capability sys_ptrace,

-  ptrace (read) peer=gnome-shell,
-  ptrace (read) peer=snap.cups.cupsd,
-  ptrace (read) peer=tracker-extract,
+  ptrace read,

  @{exec_path} mr,

@ -36,6 +34,10 @@ profile apport @{exec_path} flags=(attach_disconnected) {
  /usr/share/apport/{,**} r,

  /etc/apport/report-ignore/{,**} r,
+  /etc/login.defs r,
+
+  /var/lib/dpkg/info/ r,
+  /var/lib/dpkg/info/*.list r,

        /var/crash/ rw,
        /var/crash/*.@{uid}.crash rw,
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -83,6 +83,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  @{run}/docker/containerd/{,**} rwk,
  @{run}/netns/ w,
  @{run}/netns/cni-@{uuid} rw,
+  @{run}/nri/ w,
+  @{run}/nri/nri.sock rw,
  @{run}/systemd/notify w,

        /tmp/cri-containerd.apparmor.d@{int} rwl,
@ -94,12 +96,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  @{sys}/kernel/security/apparmor/profiles r,
  @{sys}/module/apparmor/parameters/enabled r,

+        @{PROC}/@{pid}/task/@{tid}/mountinfo r,
        @{PROC}/@{pid}/task/@{tid}/ns/net rw,
        @{PROC}/sys/net/core/somaxconn r,
-  owner @{PROC}/@{pids}/attr/current r,
-  owner @{PROC}/@{pids}/cgroup r,
-  owner @{PROC}/@{pids}/mountinfo r,
-  owner @{PROC}/@{pids}/uid_map r,
+  owner @{PROC}/@{pid}/attr/current r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/uid_map r,

  /dev/bsg/ r,
  /dev/bus/ r,