diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 827e9fcf7..e1a9918e1 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -152,6 +152,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=system name=org.freedesktop.timesync1 @{bin}/** Px, + @{sbin}/** Px, @{lib}/** Px, /etc/cron.*/* Px, /etc/init.d/* Px, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index a81ef6d7c..77fe1f455 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -16,14 +16,19 @@ profile deb-systemd-helper @{exec_path} { @{bin}/systemctl rCx -> systemctl, - /var/lib/systemd/deb-systemd-helper-enabled/** rw, - /var/lib/systemd/deb-systemd-helper-masked/ rw, - /var/lib/systemd/deb-systemd-user-helper-enabled/** rw, + /etc/systemd/system/* w, + /etc/systemd/user/* w, + + /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, + /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, + /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, profile systemctl { include include + capability net_admin, + /etc/ r, /etc/systemd/ r, /etc/systemd/system/ r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index ee64c6497..4dec1d407 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -47,6 +47,7 @@ profile dbus-system flags=(attach_disconnected) { @{exec_path} mrix, @{bin}/** PUx, + @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index f9dcac8d1..1d81292fd 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/rpcbind +@{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include 
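Review bot: `capability net_admin,` in the `systemctl` subprofile of deb-systemd-helper grants far more than a unit enable/mask helper should need; on systemd tooling this denial is typically triggered by systemctl calling setsockopt(SO_SNDBUFFORCE) on its notify/journal socket, which the kernel simply caps when the capability is absent. If that is the trigger here, `deny capability net_admin,` silences the audit noise without losing function and keeps a root-run maintainer-script helper from holding raw network administration — worth confirming against the denial log before merging the allow. The new `/etc/systemd/system/* w,` and `/etc/systemd/user/* w,` rules would also benefit from a comment stating intent, e.g. `# mask/unmask: symlink <unit> -> /dev/null`, since `*` matches only direct children and not the `*.wants/` directories used for enabling — fine if those are covered by rules outside this hunk. The `systemctl` subprofile body continues past the end of the hunk.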
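Review bot: `@{sbin}/** PUx,` in dbus-system lets any bus-activated binary under sbin that has no profile run unconfined from the system bus; it mirrors the existing `@{bin}/** PUx,` but diverges from the `systemd` profile in this same commit, which uses `Px` (fail closed) for the same path set. If the unconfined fallback is deliberate for service activation, a one-line comment such as `# PUx: activated services without a profile must still start` would keep the next reader from "fixing" it to `Px`; otherwise `Px` is the safer default for the new line. The dbus-system profile body continues outside the hunk.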
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 567c744b8..c2bc8b2b6 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,6 +59,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /usr/share/** r, /var/lib/*/** r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /tmp/@{word10}/ rw, owner @{run}/sshd.pid r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index f6d40b0c5..8adb0f748 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -232,7 +232,7 @@ profile run-parts @{exec_path} { @{sbin}/dkms rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPUx, @{sbin}/update-initramfs rPx, @{lib}/dkms/dkms_autoinstaller rPx, diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index c4b30b884..8827bca14 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 855db3f4b..cc95a17f9 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, + @{sbin}/ r, @{bin}/**/ r, + @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r,
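Review bot: `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,` grants write and lock access to debconf's passwords database to a tool whose job is to report restart candidates; because needrestart runs as root and these files are root-owned, the `owner` qualifier adds little restriction here. If the access exists only because needrestart drives its interactive prompts through debconf (which presumably opens its databases read-write and rotates `-new`/`-old` on save), record that, e.g. `# debconf frontend opens its databases rw and rotates *-new/*-old`, and confirm that a read-only grant actually breaks the frontend before keeping `w`. Whether `/tmp/@{word10}/ rw,` is new in this hunk cannot be recovered from the collapsed text; if it is, it lacks the `owner` qualifier the neighbouring rules use. The needrestart profile body continues outside the hunk.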