From 549c6ba2f5402878ad28fa68d1809d7505ef3a02 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 26 Sep 2024 20:34:12 +0100
Subject: [PATCH] feat(profile): ubuntu: improve integration with ubuntu.

---
 apparmor.d/groups/apt/apt-systemd-daily | 2 +-
 apparmor.d/groups/apt/dpkg-preconfigure | 1 +
 apparmor.d/groups/bus/ibus-x11 | 5 +++--
 apparmor.d/groups/grub/grub-sort-version | 2 ++
 .../groups/ubuntu/livepatch-notification | 9 +--------
 apparmor.d/groups/ubuntu/pro | 20 -------------------
 .../groups/ubuntu/software-properties-dbus | 6 +++---
 .../ubuntu/ubuntu-advantage-notification | 7 +------
 apparmor.d/groups/ubuntu/update-manager | 2 +-
 apparmor.d/groups/ubuntu/update-notifier | 7 +++++++
 apparmor.d/profiles-a-f/fstrim | 1 +
 apparmor.d/profiles-g-l/gtk-query-immodules | 1 +
 apparmor.d/profiles-g-l/logrotate | 16 +++------------
 apparmor.d/profiles-m-r/mkinitramfs | 10 +++++++---
 apparmor.d/profiles-s-z/setvtrgb | 2 ++
 apparmor.d/profiles-s-z/snap | 5 ++++-
 apparmor.d/profiles-s-z/snap-seccomp | 2 ++
 apparmor.d/profiles-s-z/ufw | 8 ++++----
 18 files changed, 44 insertions(+), 62 deletions(-)
 delete mode 100644 apparmor.d/groups/ubuntu/pro

diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily
index 7ebb4da0b..1acaa6aff 100644
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@@ -59,7 +59,7 @@ profile apt-systemd-daily @{exec_path} {
 /var/backups/ r,
 /var/backups/apt.extended_states rw,
 /var/backups/apt.extended_states.@{int} rw,
- /var/backups/apt.extended_states.@{int}.gz w,
+ /var/backups/apt.extended_states.@{int}.gz rw,
 /var/cache/apt/ r,
 /var/cache/apt/archives/ r,
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index d57d3d42d..f94d95251 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -24,6 +24,7 @@ profile dpkg-preconfigure @{exec_path} {
 @{bin}/{,g,m}awk rix,
 @{bin}/cat rix,
 @{bin}/dialog rix,
+ @{bin}/expr rix,
 @{bin}/locale rix,
 @{bin}/sed rix,
 @{bin}/sort rix,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 44bb611fe..066adc056 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -17,14 +17,15 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 include
 include
- unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
-
 network inet stream,
 network inet6 stream,
 network inet dgram,
 network inet6 dgram,
 network netlink raw,
+ # unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
+ unix (send receive connect) type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}),
+
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect
diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version
index 7f830dc33..bea282862 100644
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@@ -10,6 +10,8 @@ include
 profile grub-sort-version @{exec_path} {
 include
 include
+ include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification
index 14f21729f..66739c7bc 100644
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@@ -14,17 +14,10 @@ profile livepatch-notification @{exec_path} {
 include
 include
 include
- include
- include
+ include
 @{exec_path} mr,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/icons/{,**} r,
- /usr/share/X11/{,**} r,
-
- @{run}/user/@{uid}/gdm/Xauthority r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/ubuntu/pro b/apparmor.d/groups/ubuntu/pro
deleted file mode 100644
index c00b07587..000000000
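Review bot: In the ibus-x11 hunk the old rule is left behind as dead policy text, `# unix (connect, receive, send) type=stream peer=(label=ibus-daemon),`, directly above its replacement, with no note on why the ibus-daemon peer is no longer needed; either delete it or turn it into a why-comment such as `# X server socket (abstract @/tmp/.X11-unix/X*), served under the gnome-shell label`. The replacement also hard-codes `peer=(label=gnome-shell, ...)`, which presumably only matches sessions where the X socket is served under the gnome-shell label; on an Xorg session (or if Xwayland is confined under its own profile) the peer label differs and the connect will be denied, so either add the other peer label or document the limitation. I cannot tell from the hunk whether the ibus-daemon connection moved into one of the `include` lines above, whose abstraction names are not visible here. The enclosing profile starts and ends outside the hunk.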
--- a/apparmor.d/groups/ubuntu/pro
+++ /dev/null
@@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/pro
-profile pro @{exec_path} {
- include
- include
- include
-
- @{exec_path} mr,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus
index 2def932dc..32b4e27c3 100644
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} {
 /usr/share/distro-info/*.csv r,
 /usr/share/xml/iso-codes/{,**} r,
- owner @{tmp}/???????? rw, # unconventional '_' tail
- owner @{tmp}/tmp????????/ w, # change to 'c'
- owner @{tmp}/tmp????????/apt.conf w,
+ owner @{tmp}/@{word8} rw,
+ owner @{tmp}/tmp@{word8}/ w, # change to 'c'
+ owner @{tmp}/tmp@{word8}/apt.conf w,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
index 2f539bac8..c9a48ed47 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@@ -14,15 +14,10 @@ profile ubuntu-advantage-notification @{exec_path} {
 include
 include
 include
- include
- include
+ include
 @{exec_path} mr,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/icons/{,**} r,
- /usr/share/X11/xkb/{,**} r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 4a05ad8d7..2cf2f3e99 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -9,7 +9,6 @@ include
 @{exec_path} = @{bin}/update-manager
 profile update-manager @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 include
 include
@@ -20,6 +19,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index cb33f6046..df73d4e40 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -72,8 +72,15 @@ profile update-notifier @{exec_path} {
 include
 include
+ capability sys_ptrace,
+
+ ptrace read peer=update-notifier,
+
 @{lib}/update-notifier/package-system-locked Px,
+ @{PROC}/@{pid}/fdinfo/@{int} r,
+ @{PROC}/@{pid}/stat r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/profiles-a-f/fstrim
index e49108044..a4ba7fedb 100644
--- a/apparmor.d/profiles-a-f/fstrim
+++ b/apparmor.d/profiles-a-f/fstrim
@@ -23,6 +23,7 @@ profile fstrim @{exec_path} {
 @{MOUNTS}/ r,
 / r,
 /boot/ r,
+ /boot/efi/ r,
 /var/ r,
 include if exists
diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules
index e67def6d2..a92092f8c 100644
--- a/apparmor.d/profiles-g-l/gtk-query-immodules
+++ b/apparmor.d/profiles-g-l/gtk-query-immodules
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0
 profile gtk-query-immodules @{exec_path} {
 include
+ include
 capability dac_override,
 capability dac_read_search,
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index 6004b8a35..9bfe64a72 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
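Review bot: In the update-notifier hunk, `capability sys_ptrace,` is added without a comment and is broader than the `ptrace read peer=update-notifier,` rule next to it: the ptrace rule is scoped to update-notifier's own label, but the capability bypasses the kernel's ptrace-access check for reads of other users' and non-dumpable processes, and the two new `@{PROC}/@{pid}/fdinfo/@{int} r,` and `@{PROC}/@{pid}/stat r,` rules carry no `owner` qualifier, so together they allow inspecting any pid. If only update-notifier's own processes are read, `owner @{PROC}/@{pid}/fdinfo/@{int} r,` and `owner @{PROC}/@{pid}/stat r,` would suffice and the capability can likely be dropped; if a foreign process must be inspected (my guess from the adjacent `package-system-locked` rule is the holder of the package lock, which the audit log should confirm), keep the rules but justify them, e.g. `# sys_ptrace: read /proc/<pid>/{stat,fdinfo} of the process holding the package lock`. The enclosing profile starts outside the hunk.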
@@ -50,19 +50,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 @{bin}/squid rPUx,
 @{bin}/pgrep rCx -> pgrep,
-
- # no new privs
- #@{bin}/systemctl rCx -> systemctl,
- @{bin}/systemctl rix,
- @{bin}/runlevel rix,
- include
- ptrace (read),
- capability sys_ptrace,
- owner @{PROC}/@{pid}/stat r,
- @{PROC}/1/environ r,
- @{PROC}/1/sched r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
+ @{bin}/systemctl rCx -> systemctl,
 /etc/ r,
 @{etc_ro}/logrotate.conf rk,
@@ -92,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 capability net_admin,
 capability sys_ptrace,
+ @{run}/utmp rk,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 692d79184..b24bdbdf1 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -81,18 +81,22 @@ profile mkinitramfs @{exec_path} {
 /etc/modprobe.d/{,*.conf} r,
 /boot/ r,
- owner /boot/initrd.img-*.new rw,
 owner /boot/config-* r,
+ owner /boot/initrd.img-*.new rw,
 /var/tmp/ r,
+ /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
 owner /var/tmp/mkinitramfs_*/ rw,
 owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**,
- /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
 owner /var/tmp/mkinitramfs-* rw,
- owner @{PROC}/@{pid}/fd/ r,
+ @{sys}/devices/platform/ r,
+ @{sys}/devices/platform/reg-dummy/{,**}/ r,
+ @{sys}/module/compression r,
+
 @{PROC}/cmdline r,
 @{PROC}/modules r,
+ owner @{PROC}/@{pid}/fd/ r,
 profile ldd {
 include
diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb
index 79398e82d..aef3b00fe 100644
--- a/apparmor.d/profiles-s-z/setvtrgb
+++ b/apparmor.d/profiles-s-z/setvtrgb
@@ -15,6 +15,8 @@ profile setvtrgb @{exec_path} {
 @{exec_path} mr,
+ /etc/console-setup/vtrgb r,
+
 /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 158744d0c..e5e5bef97 100644
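Review bot: The re-enabled `@{bin}/systemctl rCx -> systemctl,` replaces a block whose removed comment (`# no new privs`) recorded why the child-profile transition had been disabled, and the new line carries no note on what changed. If logrotate is still started by a unit with `NoNewPrivileges=`, AppArmor refuses a domain transition under no_new_privs to a profile that is not a subset of the current one, so the systemctl exec is denied and the postrotate hooks that presumably call systemctl stop working. Please confirm the transition was exercised under the shipped unit and record the reason, e.g. `# Child profile is safe here: logrotate.service does not set NoNewPrivileges (checked on Ubuntu 24.04)`, adjusting to whatever was actually verified. The `systemctl` child profile itself is outside this hunk (the second hunk, adding `@{run}/utmp rk,` beside `capability sys_ptrace,`, looks like part of it), so I could not check that it still grants the runlevel/utmp and /proc reads the inline rules used to provide. The enclosing profile starts and ends outside the hunk.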
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -104,7 +104,10 @@ profile snap @{exec_path} {
 profile systemctl {
 include
 include
-
+ include
+
+ network unix stream,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp
index 4c34746ed..5018ff379 100644
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@@ -18,6 +18,8 @@ profile snap-seccomp @{exec_path} {
 @{exec_path} mr,
+ @{lib_dirs}/**.so* mr,
+
 /var/lib/snapd/seccomp/bpf/{,**} rw,
 owner @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw
index 6a9897d91..525e543b9 100644
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@@ -37,10 +37,10 @@ profile ufw @{exec_path} {
 owner @{run}/ufw.lock rwk,
- owner /var/tmp/???????? rw,
- owner /var/tmp/tmp???????? rw,
- owner @{tmp}/???????? rw,
- owner @{tmp}/tmp???????? rw,
+ owner @{tmp}/@{word8} rw,
+ owner @{tmp}/tmp@{word8} rw,
+ owner /var/tmp/@{word8} rw,
+ owner /var/tmp/tmp@{word8} rw,
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/net/ip_tables_names r,