diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e60630efa..9254be27d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -169,7 +169,7 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index d60668c03..1d88c829b 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -10,42 +10,12 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 000000000..5ec13fcff --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend @@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/hostname ix, + @{bin}/locale ix, + @{bin}/lsb_release Px -> lsb_release, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{bin}/whiptail Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 5dba3d3cb..9de0ce0b4 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 8b2470a6c..52c74c192 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/linux* profile dpkg-script-linux @{exec_path} { include - include + include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index ccaa62a30..cb652108d 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index dcb6ca379..32063f5c5 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/** profile dpkg-scripts @{exec_path} { include - include + include include capability chown, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index d33b33265..310138595 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -9,18 +9,14 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, - - /usr/share/debconf/frontend rPx, - - /usr/share/debconf/confmodule r, + @{bin}/mktemp rix, + @{bin}/od rix, owner @{tmp}/tmp.@{rand10}/ rw, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d147b94fb..ba7956438 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -24,7 +24,7 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rPx, + /usr/share/debconf/frontend rix, /usr/lib/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend deleted file mode 100644 index 6d9502220..000000000 --- a/apparmor.d/profiles-a-f/frontend +++ /dev/null @@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - @{bin}/perl r, - - @{sh_path} rix, - @{bin}/hostname rix, - @{bin}/locale rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/stty rix, - @{sbin}/update-secureboot-policy rPx, - - # debconf apps - @{bin}/adequate rPx, - @{sbin}/aspell-autobuildhash rPx, - @{bin}/debconf-apt-progress rPx, - @{bin}/linux-check-removal rPx, - @{sbin}/pam-auth-update rPx, - @{bin}/ucf rPx, - @{bin}/whiptail rPx, - @{lib}/tasksel/tasksel-debconf rPx -> tasksel, - /usr/share/debian-security-support/check-support-status.hook rPx, - - # Grub - @{lib}/grub/grub-multi-install rPx, - /usr/share/grub/grub-check-signatures rPx, - - # Run the package maintainer's scripts - # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) - #/var/lib/dpkg/info/*.{config,templates} rPUx, - #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, - #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/info/*.control r, - #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/control r, - /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - - # DKMS scipts - # What to do with it? (#FIXME#) - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /usr/share/debconf/{,**} r, - - /etc/debconf.conf r, - /etc/inputrc r, - /etc/shadow r, - - owner /var/cache/debconf/* rwk, - - owner @{tmp}/file* w, - owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/updateppds.@{rand6} rw, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - profile scripts flags=(complain) { - include - include - - capability dac_read_search, - - /var/lib/dpkg/info/*.config r, - /var/lib/dpkg/info/*.{preinst,postinst} r, - /var/lib/dpkg/info/*.{prerm,postrm} r, - /var/lib/dpkg/tmp.ci/config r, - /var/lib/dpkg/tmp.ci/{preinst,postinst} r, - /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - - / r, - - @{bin}/ r, - @{bin}/* rPUx, - - @{lib}/ r, - @{lib}/** rPUx, - - /usr/share/ r, - /usr/share/** rPUx, - - /etc/init.d/ r, - /etc/init.d/* rPUx, - - /etc/ r, - /etc/** rw, - /var/ r, - /var/** rw, - @{sys}/ r, - @{sys}/**/ r, - @{run}/ r, - @{run}/** rw, - /tmp/ r, - owner @{tmp}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 64b3ed4ad..f4900f225 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -10,32 +10,24 @@ include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{sh_path} rix, @{bin}/tempfile rix, @{lib}/tasksel/tasksel-debconf rix, - - @{lib}/tasksel/tests/* rCx -> tasksel-tests, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/apt-cache rPx, + @{bin}/apt-cache Px, + @{bin}/debconf-apt-progress Px, - @{bin}/debconf-apt-progress rPx, - - /usr/share/tasksel/** r, - - /usr/share/debconf/confmodule r, + /usr/share/tasksel/{,**} r, owner @{tmp}/file* w, @@ -48,35 +40,6 @@ profile tasksel @{exec_path} flags=(complain) { include if exists } - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/tasksel rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 232c92d0c..f8581f532 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -10,7 +10,7 @@ include @{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, @@ -23,12 +23,9 @@ profile update-secureboot-policy @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/wc rix, - /usr/share/debconf/frontend rPx, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw,