feat(profile): update unattended upgrade profiles.

Alexandre Pujol 2025-05-18 20:34:05 +02:00
parent 033807c6cd
commit 41c38b7645
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
3 changed files with 37 additions and 33 deletions


@ -32,7 +32,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
signal (send) peer=apt-methods-http, signal send peer=apt-methods-http,
unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
@ -41,26 +41,29 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{bin}/ r, @{bin}/ r,
@{sh_path} rix, @{sh_path} rix,
@{bin}/echo rix,
@{bin}/gdbus rix,
@{bin}/ischroot rix,
@{python_path} rix, @{python_path} rix,
@{bin}/test rix, @{bin}/echo ix,
@{bin}/touch rix, @{bin}/gdbus ix,
@{bin}/uname rix, @{bin}/md5sum ix,
@{bin}/tar ix,
@{bin}/test ix,
@{bin}/touch ix,
@{bin}/uname ix,
@{bin}/apt-listchanges rPx, @{bin}/dpkg-deb px,
@{bin}/dpkg rPx, @{bin}/apt-listchanges Px,
@{bin}/dpkg-divert rPx, @{bin}/dpkg Px,
@{sbin}/dpkg-preconfigure rPx, @{bin}/dpkg-divert Px,
@{bin}/etckeeper rPx, @{bin}/etckeeper Px,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/ischroot Px,
@{sbin}/on_ac_power rPx, @{bin}/lsb_release Px -> lsb_release,
@{sbin}/sendmail rPUx, @{sbin}/dpkg-preconfigure Px,
@{lib}/apt/methods/http{,s} rPx, @{sbin}/on_ac_power Px,
@{lib}/needrestart/apt-pinvoke rPx, @{sbin}/sendmail Px,
@{lib}/update-notifier/update-motd-updates-available rPx, @{lib}/apt/methods/http{,s} Px,
@{lib}/zsys-system-autosnapshot rPx, @{lib}/needrestart/apt-pinvoke Px,
@{lib}/update-notifier/update-motd-updates-available Px,
@{lib}/zsys-system-autosnapshot Px,
/usr/share/distro-info/* r, /usr/share/distro-info/* r,
@ -70,8 +73,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/apt/*.list r, /etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r, /etc/apt/apt.conf.d/{,**} r,
/etc/debian_version r, /etc/debian_version r,
/etc/default/apport r, /etc/default/{,**} r,
/etc/default/grub.d/* r,
/etc/dpkg/origins/{,debian,ubuntu} r, /etc/dpkg/origins/{,debian,ubuntu} r,
/etc/fwupd/{,**} r, /etc/fwupd/{,**} r,
/etc/grub.d/* r, /etc/grub.d/* r,
@ -85,9 +87,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd-metadata/{,**} r,
/etc/pki/fwupd/{,**} r, /etc/pki/fwupd/{,**} r,
/etc/profile.d/* r, /etc/profile.d/* r,
/etc/ssh/moduli r,
/etc/ssh/ssh_config r,
/etc/ufw/{,**} r,
/etc/update-manager/{,**} r, /etc/update-manager/{,**} r,
/etc/update-motd.d/* r, /etc/update-motd.d/{,**} r,
/etc/vmware-tools/* r, /etc/vim/{,**} r,
/etc/vmware-tools/{,**} r,
/var/log/unattended-upgrades/{,**} rw, /var/log/unattended-upgrades/{,**} rw,
/var/crash/*.crash w, /var/crash/*.crash w,
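Review bot: `@{bin}/dpkg-deb px,` is the only lowercase `px` transition in this exec block; unlike the surrounding `Px` rules it does not scrub the environment when entering the dpkg-deb profile, and nothing marks that as intentional. If dpkg-deb genuinely needs the caller's environment, add a comment such as `# px: dpkg-deb needs the inherited environment` above the rule; otherwise `@{bin}/dpkg-deb Px,` keeps it consistent with the rest of the block. Separately, `@{sbin}/sendmail` moves from `rPUx` to `Px`, which removes the unconfined fallback: on a host with no sendmail profile loaded the exec would presumably be denied rather than run unconfined, so it is worth confirming a sendmail profile ships or noting the behaviour change in the commit message. The consolidated `/etc/default/{,**} r,` also widens read access from two specific entries to the whole directory tree, which seems acceptable for package defaults but deserves a mention.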


@ -12,15 +12,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
include <abstractions/bus-system> include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1> include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.NetworkManager> include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/common/apt>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
@{exec_path} mr, @{exec_path} mr,
@{bin}/ischroot rix, @{bin}/ischroot Px,
/usr/share/unattended-upgrades/{,*} r, /usr/share/unattended-upgrades/{,*} r,
/etc/apt/apt.conf.d/{,*} r,
owner /var/log/unattended-upgrades/*.log* rw, owner /var/log/unattended-upgrades/*.log* rw,
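Review bot: `/etc/apt/apt.conf.d/{,*} r,` uses a one-level glob while the unattended-upgrade profile in the same commit reads `/etc/apt/apt.conf.d/{,**} r,`; both profiles consume the same configuration directory, so they should agree on the pattern or carry a comment on why the shutdown helper needs the narrower form. If this rule is the replacement for the dropped `include <abstractions/common/apt>`, it also stops covering anything else that abstraction granted, which is fine if the helper only reads conf fragments but is worth stating, e.g. `# Only apt.conf.d is read here; the full apt abstraction is not needed`. Which of the include and the path rule is the new side is inferred, since the rendered view carries no +/- markers.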


@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/update-apt-xapian-index @{exec_path} = @{bin}/update-apt-xapian-index
profile update-apt-xapian-index @{exec_path} { profile update-apt-xapian-index @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/common/apt> include <abstractions/common/apt>
include <abstractions/python> include <abstractions/python>
@ -17,10 +18,13 @@ profile update-apt-xapian-index @{exec_path} {
@{python_path} r, @{python_path} r,
@{bin}/ r, @{bin}/ r,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg Px -> child-dpkg,
/usr/share/apt-xapian-index/{,**} r, /usr/share/apt-xapian-index/{,**} r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/ rw,
/var/cache/apt-xapian-index/** rwk, /var/cache/apt-xapian-index/** rwk,
@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} {
/var/cache/apt/ r, /var/cache/apt/ r,
/var/cache/apt/** rwk, /var/cache/apt/** rwk,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/debtags/package-tags r, /var/lib/debtags/package-tags r,
/var/lib/dbus/machine-id r, owner @{PROC}/@{pid}/fd/ r,
/etc/machine-id r,
# file_inherit
owner /dev/tty@{int} rw,
include if exists <local/update-apt-xapian-index> include if exists <local/update-apt-xapian-index>
} }
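Review bot: Replacing the `# file_inherit` rule `owner /dev/tty@{int} rw,` with `include <abstractions/consoles>` drops the `owner` qualifier and, in the upstream abstraction, grants read/write on the full set of console and pts devices rather than the single inherited terminal; the comment shows the profile only needs to tolerate an inherited tty fd. Keeping the narrower owner-scoped rule, or using the abstraction only if the project's shipped version is owner-qualified (worth confirming), would preserve the tighter device access. The new side of these lines is inferred from the hunk counts and ordering, as the rendered view carries no +/- markers.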