polishing

2022-05-28 00:47:21 +03:00 · 2022-05-28 00:47:21 +03:00 · 4a76a69632
commit 4a76a69632
parent 9dab6b9794
6 changed files with 64 additions and 27 deletions
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -18,20 +18,46 @@ profile login @{exec_path} {
  capability fsetid,
  capability setgid,
  capability setuid,
+  capability sys_resource,
+  capability audit_write,
+  capability dac_read_search,
+#  capability net_admin,
+
+#  network netlink raw,

  @{exec_path} mr,

  /{usr/,}bin/{,z,ba,da}sh  rUx,

  /etc/environment r,
+  /etc/motd r,
+  /etc/legal r,
+  /etc/default/locale r,
+  /etc/security/pam_env.conf r,
+  /etc/security/group.conf r,
+  /etc/security/limits.conf r,
+  /etc/security/limits.d/{,*} r,

  /var/log/btmp{,.[0-9]*} r,

  @{run}/faillock/root rwk,
  @{run}/systemd/userdb/ r,
+  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{run}/dbus/system_bus_socket rw,
+  @{run}/motd.dynamic{,.new} rw,
+  @{run}/systemd/sessions/*.ref rw,

-  @{PROC}/@{pid}/loginuid rw,
-  @{PROC}/@{pid}/uid_map r,
+  owner @{PROC}/@{pid}/uid_map r,
+  owner @{PROC}/@{pid}/loginuid rw,
+        @{PROC}/1/limits r,
+
+  owner @{user_cache_dirs}/motd.legal-displayed rw,
+
+  dbus send
+    bus="system" path="/org/freedesktop/DBus"   interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"),
+
+  dbus send
+    bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"),

  include if exists <local/login>
-}
+}
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -31,6 +31,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {

  /{usr/,}bin/{,ba,da}sh             rix,
  /{usr/,}bin/cat                    rix,
+  /{usr/,}bin/grep                   rix,
  /{usr/,}bin/kill                   rix,
  /{usr/,}bin/ls                     rix,
  /{usr/,}bin/gzip                   rix,
@ -39,6 +40,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  /{usr/,}lib/rsyslog/rsyslog-rotate rix,
  /{usr/,}bin/fail2ban-client                rPx,
  /{usr/,}bin/systemd-tty-ask-password-agent rPx,
+  /{usr/,}bin/my_print_defaults              rPUx,

  # no new privs
  #/{usr/,}bin/systemctl              rCx -> systemctl,
@ -65,8 +67,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
  /var/lib/logrotate.status rwk,
  /var/lib/logrotate.status.tmp rw,

-  /var/log/   r,
-  /var/log/** rw,
+  /var/log{,.hdd}/   r,
+  /var/log{,.hdd}/** rw,

  # Needed to remove the following error:
  #  logrotate[]: error: could not change directory to '.'