fix(profile): small improvment raised by the tests.

2025-05-01 18:48:31 +02:00 · 2025-05-01 18:48:31 +02:00 · 45d7cf48c4
commit 45d7cf48c4
parent 3a568ba307
8 changed files with 17 additions and 6 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -152,6 +152,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  #aa:dbus own bus=system name=org.freedesktop.timesync1

  @{bin}/**                         Px,
+  @{sbin}/**                        Px,
  @{lib}/**                         Px,
  /etc/cron.*/*                     Px,
  /etc/init.d/*                     Px,
--- a/apparmor.d/groups/apt/deb-systemd-helper
+++ b/apparmor.d/groups/apt/deb-systemd-helper
@ -16,14 +16,19 @@ profile deb-systemd-helper @{exec_path} {

  @{bin}/systemctl rCx -> systemctl,

-  /var/lib/systemd/deb-systemd-helper-enabled/** rw,
-  /var/lib/systemd/deb-systemd-helper-masked/ rw,
-  /var/lib/systemd/deb-systemd-user-helper-enabled/** rw,
+  /etc/systemd/system/* w,
+  /etc/systemd/user/* w,
+
+  /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw,
+  /var/lib/systemd/deb-systemd-helper-masked/{,**} rw,
+  /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw,

  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>

+    capability net_admin,
+
    /etc/ r,
    /etc/systemd/ r,
    /etc/systemd/system/ r,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -47,6 +47,7 @@ profile dbus-system flags=(attach_disconnected) {
  @{exec_path} mrix,

  @{bin}/**                   PUx,
+  @{sbin}/**                  PUx,
  @{lib}/**                   PUx,
  /usr/share/*/**             PUx,

--- a/apparmor.d/groups/network/rpcbind
+++ b/apparmor.d/groups/network/rpcbind
@ -6,7 +6,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/rpcbind
+@{exec_path} = @{sbin}/rpcbind
 profile rpcbind @{exec_path} flags=(complain) {
  include <abstractions/base>

--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -59,6 +59,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
  /usr/share/** r,
  /var/lib/*/** r,

+  owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+
  /tmp/@{word10}/ rw,

  owner @{run}/sshd.pid r,
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -232,7 +232,7 @@ profile run-parts @{exec_path} {
    @{sbin}/dkms                    rPx,
    @{bin}/dpkg                     rPx -> child-dpkg,
    @{bin}/systemd-detect-virt      rPx,
-    @{bin}/update-alternatives      rPx,
+    @{sbin}/update-alternatives     rPx,
    @{sbin}/update-grub             rPUx,
    @{sbin}/update-initramfs        rPx,
    @{lib}/dkms/dkms_autoinstaller  rPx,
--- a/apparmor.d/profiles-s-z/unhide-tcp
+++ b/apparmor.d/profiles-s-z/unhide-tcp
@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} {
  @{bin}/fuser      rix,
  @{bin}/netstat    rix,
  @{bin}/sed        rix,
-  @{bin}/ss         rix,
+  @{sbin}/ss        rix,

  @{PROC}/@{pids}/net/tcp{,6} r,
  @{PROC}/@{pids}/net/udp{,6} r,
--- a/apparmor.d/profiles-s-z/which
+++ b/apparmor.d/profiles-s-z/which
@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) {
  @{sh_path}         rix,

  @{bin}/ r,
+  @{sbin}/ r,
  @{bin}/**/ r,
+  @{sbin}/**/ r,
  @{lib}/ r,
  @{lib}/**/ r,
  /opt/**/bin/ r,