feat(profile): update unattended upgrade profiles.

2025-05-18 20:34:05 +02:00 · 2025-05-18 20:34:05 +02:00 · 41c38b7645
commit 41c38b7645
parent 033807c6cd
3 changed files with 37 additions and 33 deletions
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -32,7 +32,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

-  signal (send) peer=apt-methods-http,
+  signal send peer=apt-methods-http,

  unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,

@ -41,26 +41,29 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  @{bin}/ r,

  @{sh_path}                      rix,
-  @{bin}/echo                     rix,
-  @{bin}/gdbus                    rix,
-  @{bin}/ischroot                 rix,
  @{python_path}                  rix,
-  @{bin}/test                     rix,
-  @{bin}/touch                    rix,
-  @{bin}/uname                    rix,
+  @{bin}/echo                      ix,
+  @{bin}/gdbus                     ix,
+  @{bin}/md5sum                    ix,
+  @{bin}/tar                       ix,
+  @{bin}/test                      ix,
+  @{bin}/touch                     ix,
+  @{bin}/uname                     ix,

-  @{bin}/apt-listchanges          rPx,
-  @{bin}/dpkg                     rPx,
-  @{bin}/dpkg-divert              rPx,
-  @{sbin}/dpkg-preconfigure       rPx,
-  @{bin}/etckeeper                rPx,
-  @{bin}/lsb_release              rPx -> lsb_release,
-  @{sbin}/on_ac_power             rPx,
-  @{sbin}/sendmail               rPUx,
-  @{lib}/apt/methods/http{,s}     rPx,
-  @{lib}/needrestart/apt-pinvoke  rPx,
-  @{lib}/update-notifier/update-motd-updates-available rPx,
-  @{lib}/zsys-system-autosnapshot rPx,
+  @{bin}/dpkg-deb                  px,
+  @{bin}/apt-listchanges           Px,
+  @{bin}/dpkg                      Px,
+  @{bin}/dpkg-divert               Px,
+  @{bin}/etckeeper                 Px,
+  @{bin}/ischroot                  Px,
+  @{bin}/lsb_release               Px -> lsb_release,
+  @{sbin}/dpkg-preconfigure        Px,
+  @{sbin}/on_ac_power              Px,
+  @{sbin}/sendmail                 Px,
+  @{lib}/apt/methods/http{,s}      Px,
+  @{lib}/needrestart/apt-pinvoke   Px,
+  @{lib}/update-notifier/update-motd-updates-available Px,
+  @{lib}/zsys-system-autosnapshot  Px,

  /usr/share/distro-info/* r,

@ -70,8 +73,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
-  /etc/default/apport r,
-  /etc/default/grub.d/* r,
+  /etc/default/{,**} r,
  /etc/dpkg/origins/{,debian,ubuntu} r,
  /etc/fwupd/{,**} r,
  /etc/grub.d/* r,
@ -85,9 +87,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/pki/fwupd/{,**} r,
  /etc/profile.d/* r,
+  /etc/ssh/moduli r,
+  /etc/ssh/ssh_config r,
+  /etc/ufw/{,**} r,
  /etc/update-manager/{,**} r,
-  /etc/update-motd.d/* r,
-  /etc/vmware-tools/* r,
+  /etc/update-motd.d/{,**} r,
+  /etc/vim/{,**} r,
+  /etc/vmware-tools/{,**} r,

  /var/log/unattended-upgrades/{,**} rw,
  /var/crash/*.crash w,
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@ -12,15 +12,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/common/apt>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

  @{exec_path} mr,

-  @{bin}/ischroot  rix,
+  @{bin}/ischroot  Px,

  /usr/share/unattended-upgrades/{,*} r,
-  /etc/apt/apt.conf.d/{,*} r,

  owner /var/log/unattended-upgrades/*.log* rw,

--- a/apparmor.d/groups/apt/update-apt-xapian-index
+++ b/apparmor.d/groups/apt/update-apt-xapian-index
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/update-apt-xapian-index
 profile update-apt-xapian-index @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/common/apt>
  include <abstractions/python>

@ -17,10 +18,13 @@ profile update-apt-xapian-index @{exec_path} {
  @{python_path} r,

  @{bin}/ r,
-  @{bin}/dpkg rPx -> child-dpkg,
+  @{bin}/dpkg  Px -> child-dpkg,

  /usr/share/apt-xapian-index/{,**} r,

+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
  /var/cache/apt-xapian-index/ rw,
  /var/cache/apt-xapian-index/** rwk,

@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} {
  /var/cache/apt/ r,
  /var/cache/apt/** rwk,

-  owner @{PROC}/@{pid}/fd/ r,
-
  /var/lib/debtags/package-tags r,

-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  # file_inherit
-  owner /dev/tty@{int} rw,
+  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/update-apt-xapian-index>
 }