From 47b6e3c616f8b57575436bfc09e57d424cea0fac Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 9 Mar 2025 23:04:32 +0100
Subject: [PATCH] feat(profile): various core update.
---
 apparmor.d/groups/filesystem/mke2fs | 2 ++
 apparmor.d/groups/firewall/firewalld | 1 +
 apparmor.d/groups/procps/htop | 1 +
 apparmor.d/groups/procps/w | 2 +-
 apparmor.d/groups/systemd/systemd-cryptsetup | 2 ++
 apparmor.d/groups/systemd/systemd-generator-ds-identify | 1 +
 apparmor.d/groups/systemd/systemd-modules-load | 2 +-
 apparmor.d/groups/systemd/systemd-remount-fs | 4 ++--
 apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 9 +++++----
 apparmor.d/groups/systemd/zram-generator | 4 ++--
 apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +-
 apparmor.d/groups/ubuntu/update-notifier | 2 --
 apparmor.d/groups/utils/agetty | 2 ++
 apparmor.d/groups/utils/login | 4 ++--
 apparmor.d/groups/utils/su | 6 +++---
 apparmor.d/groups/utils/uname | 3 ---
 apparmor.d/profiles-a-f/blkdeactivate | 2 ++
 apparmor.d/profiles-s-z/YACReader | 2 ++
 18 files changed, 30 insertions(+), 21 deletions(-)
diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs
index acf88197f..56a223bdd 100644
--- a/apparmor.d/groups/filesystem/mke2fs
+++ b/apparmor.d/groups/filesystem/mke2fs
@@ -34,6 +34,8 @@ profile mke2fs @{exec_path} {
 owner @{run}/blkid/blkid.tab{,-@{rand6}} rw,
 owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
+ owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw,
+
 @{PROC}/swaps r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld
index 6d84dfe47..003089ca4 100644
--- a/apparmor.d/groups/firewall/firewalld
+++ b/apparmor.d/groups/firewall/firewalld
@@ -30,6 +30,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.fedoraproject.FirewallD1
 @{exec_path} mr,
+ @{python_path} r,
 @{bin}/ r,
 @{bin}/alts rix,
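Review bot: The new rule `owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw,` in the mke2fs hunk looks intended for the libguestfs appliance directory, where the file mke2fs touches is, as far as I recall, literally named `root` (the appliance root image); if that is the case, `@{user}` only matches when the login name happens to be `root`, and the same operation for any other user will still be denied. I cannot confirm the intended filename from the hunk, so check it against the denial that motivated the rule; if the name is fixed, spell it out, `owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/root rw,`. A short comment above the rule naming the tool that triggers it, `# libguestfs appliance`, would also tell the next reader why mke2fs needs write access under @{tmp} at all.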
diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop
index c720929f3..5e1079802 100644
--- a/apparmor.d/groups/procps/htop
+++ b/apparmor.d/groups/procps/htop
@@ -28,6 +28,7 @@ profile htop @{exec_path} {
 @{exec_path} mr,
 @{bin}/lsof rix,
+ @{bin}/strace rix,
 /usr/share/terminfo/** r,
diff --git a/apparmor.d/groups/procps/w b/apparmor.d/groups/procps/w
index b23a7bc23..2445034e9 100644
--- a/apparmor.d/groups/procps/w
+++ b/apparmor.d/groups/procps/w
@@ -16,7 +16,7 @@ profile w @{exec_path} {
 capability sys_ptrace,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup
index 090412ff5..fdddebe03 100644
--- a/apparmor.d/groups/systemd/systemd-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-cryptsetup
@@ -31,6 +31,8 @@ profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/bdi/*/read_ahead_kb r,
 @{sys}/fs/ r,
+ @{run}/systemd/ask-password/ r,
+
 @{PROC}/devices r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify
index 6b42e55ed..d9a6639c1 100644
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@@ -18,6 +18,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/blkid rPx,
+ @{bin}/grep rix,
 @{bin}/systemd-detect-virt rPx,
 @{bin}/tr rix,
 @{bin}/uname rix,
diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load
index d3527c22b..cc44f385f 100644
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
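Review bot: `@{bin}/strace rix,` in the htop hunk runs strace inside htop's own profile, so attaching to a process only works if that profile already grants `ptrace` with trace permission for the target (the rest of the htop profile is outside the hunk, so I cannot see whether it does); if it does not, the new exec rule will still end in a ptrace denial. Conversely, granting htop-wide ptrace trace just so strace can attach widens what the htop process itself may do, so a transition to a separate profile, `@{bin}/strace rPx,`, is the narrower choice if such a profile exists in the tree. Either way, a one-line comment above the rule naming the htop feature that spawns strace (the per-process trace key binding) would explain the grant to the next reader.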
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-modules-load
-profile systemd-modules-load @{exec_path} {
+profile systemd-modules-load @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
index 8c63a1d5a..4231f7e7b 100644
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-remount-fs
-profile systemd-remount-fs @{exec_path} {
+profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
@@ -17,7 +17,7 @@ profile systemd-remount-fs @{exec_path} {
 capability sys_resource,
 mount options=(rw, remount) -> /,
- mount options=(rw, remount) -> /proc/,
+ mount options=(rw, remount) -> @{PROC}/,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index ecac3e1a8..7ab8be35c 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 capability net_admin,
 capability sys_resource,
- signal (receive) set=(term cont) peer=*//systemctl,
- signal (receive) set=(term cont) peer=default,
- signal (receive) set=(term cont) peer=logrotate,
- signal (receive) set=(term cont) peer=rpm,
+ signal receive set=(term cont) peer=*//systemctl,
+ signal receive set=(term cont) peer=default,
+ signal receive set=(term cont) peer=logrotate,
+ signal receive set=(term cont) peer=role_*,
+ signal receive set=(term cont) peer=rpm,
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator
index f6406811d..d156d88a4 100644
--- a/apparmor.d/groups/systemd/zram-generator
+++ b/apparmor.d/groups/systemd/zram-generator
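Review bot: Adding `flags=(attach_disconnected)` to the systemd-modules-load profile line, and likewise to systemd-remount-fs in the following hunk, comes with no comment saying which disconnected object triggered it, yet the flag makes every path rule in the profile also apply to objects that have no path in the process's namespace, which is a broader grant than any single rule. Both profiles continue outside their hunks, so I cannot see whether a `@{att}/` rule or an explanatory comment already exists further down. A one-line comment directly above each changed profile line, `# attach_disconnected: <reason the denial showed, placeholder>`, would make the flag reviewable and let a later cleanup decide whether it is still needed.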
@@ -27,8 +27,8 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) {
 owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw,
 owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw,
- @{sys}/block/zram@{int}/{disksize,reset} rw,
- @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw,
+ @{sys}/block/zram@{int}/* rw,
+ @{sys}/devices/virtual/block/zram@{int}/* rw,
 @{sys}/module/compression r,
 @{PROC}/crypto r,
diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook
index 2dcf50743..2edc09970 100644
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@@ -22,7 +22,7 @@ profile apt-esm-json-hook @{exec_path} {
 /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
 /var/log/ubuntu-advantage-apt-hook.log w,
- @{run}/cloud-init/cloud-id-nocloud r,
+ @{run}/cloud-init/cloud-id-* r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index d540ed0e8..8d1571c1e 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -87,8 +87,6 @@ profile update-notifier @{exec_path} {
 include
 include
- unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system,
- dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnitFileState
diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty
index 4605822e7..3eca54abc 100644
--- a/apparmor.d/groups/utils/agetty
+++ b/apparmor.d/groups/utils/agetty
@@ -20,6 +20,8 @@ profile agetty @{exec_path} {
 network netlink raw,
+ signal receive set=hup peer=@{p_systemd},
+
 @{exec_path} mr,
 @{bin}/login rPx,
diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login
index c04c4230c..6968be40e 100644
--- a/apparmor.d/groups/utils/login
+++ b/apparmor.d/groups/utils/login
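Review bot: Replacing `{disksize,reset}` and `{disksize,reset,comp_algorithm}` with `*` in the zram-generator hunk turns an explicit allowlist into read-write access to every attribute under `@{sys}/block/zram@{int}/` and `@{sys}/devices/virtual/block/zram@{int}/`, including sysfs knobs the generator has no visible need to write. If one specific attribute caused the change, naming it keeps the rule tight, for example `@{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm,<new-attribute>} rw,` (placeholder for the attribute from the denial log). If the set of attributes really is open-ended across zram-generator versions, a comment above the two rules stating that would justify the wildcard to the next reviewer.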
@@ -30,7 +30,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- signal (send) set=(hup term),
+ signal send set=(hup term),
 ptrace read,
@@ -38,7 +38,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/@{shells} rUx,
+ @{shells_path} rUx,
 @{etc_ro}/environment r,
 @{etc_ro}/security/group.conf r,
diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su
index 2615085ab..aec037e84 100644
--- a/apparmor.d/groups/utils/su
+++ b/apparmor.d/groups/utils/su
@@ -15,9 +15,9 @@ profile su @{exec_path} {
 capability chown,
 # pseudo-terminal
- signal (send) set=(term,kill),
- signal (receive) set=(int,quit,term),
- signal (receive) set=(cont,hup) peer=sudo,
+ signal send set=(term kill),
+ signal receive set=(int quit term),
+ signal receive set=(cont hup) peer=sudo,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/groups/utils/uname
index 6ca8a6370..45a864c23 100644
--- a/apparmor.d/groups/utils/uname
+++ b/apparmor.d/groups/utils/uname
@@ -14,9 +14,6 @@ profile uname @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{lib}/@{multiarch}/ld-linux-*so* r,
- @{lib}/@{multiarch}/libc.so* mr,
-
 @{att}/dev/tty@{int} rw,
 deny network,
diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate
index ad575351f..2cabb639f 100644
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@@ -14,8 +14,10 @@ profile blkdeactivate @{exec_path} flags=(complain) {
 @{exec_path} rm,
+ @{sh_path} rix,
 @{bin}/dmsetup rPUx,
 @{bin}/grep rix,
+ @{bin}/touch rix,
 @{bin}/lsblk rPx,
 @{bin}/lvm rPx,
 @{bin}/multipathd rPx,
diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader
index de55bf829..3552b6dc0 100644
--- a/apparmor.d/profiles-s-z/YACReader
+++ b/apparmor.d/profiles-s-z/YACReader
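Review bot: In the blkdeactivate hunk, `@{bin}/touch rix,` is inserted between `@{bin}/grep rix,` and `@{bin}/lsblk rPx,`, which breaks the alphabetical order the surrounding exec list keeps (`dmsetup`, `grep`, `lsblk`, `lvm`, `multipathd`); the exec list continues past the hunk, so the rule belongs at its sorted position after the `m` entries rather than here. Keeping the list sorted is what lets a reviewer spot duplicates and missing transitions at a glance, which matters more than usual in a profile that is still `flags=(complain)`. The new `@{sh_path} rix,` line is in the expected place.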
@@ -39,6 +39,8 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 include if exists
 }