feat(profile): ubuntu: improve integration with ubuntu.

2024-09-26 20:34:12 +01:00 · 2024-09-26 20:34:12 +01:00 · 549c6ba2f5
commit 549c6ba2f5
parent 3f13aa77bf
18 changed files with 44 additions and 62 deletions
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@ -59,7 +59,7 @@ profile apt-systemd-daily @{exec_path} {
  /var/backups/ r,
  /var/backups/apt.extended_states rw,
  /var/backups/apt.extended_states.@{int} rw,
-  /var/backups/apt.extended_states.@{int}.gz w,
+  /var/backups/apt.extended_states.@{int}.gz rw,

  /var/cache/apt/ r,
  /var/cache/apt/archives/ r,
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -24,6 +24,7 @@ profile dpkg-preconfigure @{exec_path} {
  @{bin}/{,g,m}awk  rix,
  @{bin}/cat        rix,
  @{bin}/dialog     rix,
+  @{bin}/expr       rix,
  @{bin}/locale     rix,
  @{bin}/sed        rix,
  @{bin}/sort       rix,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -17,14 +17,15 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>

-  unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
-
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

+  # unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
+  unix (send receive connect) type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}),
+
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@ -10,6 +10,8 @@ include <tunables/global>
 profile grub-sort-version @{exec_path} {
  include <abstractions/base>
  include <abstractions/common/apt>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
  include <abstractions/python>

  capability dac_read_search,
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@ -14,17 +14,10 @@ profile livepatch-notification @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/wayland>
+  include <abstractions/desktop>

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
-  /usr/share/X11/{,**} r,
-
-  @{run}/user/@{uid}/gdm/Xauthority r,
-
  include if exists <local/livepatch-notification>
 }

--- a/apparmor.d/groups/ubuntu/pro
+++ b/apparmor.d/groups/ubuntu/pro
@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/pro
-profile pro @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/common/apt>
-  include <abstractions/python>
-
-  @{exec_path} mr,
-
-  include if exists <local/pro>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} {
  /usr/share/distro-info/*.csv r,
  /usr/share/xml/iso-codes/{,**} r,

-  owner @{tmp}/???????? rw,  # unconventional '_' tail
-  owner @{tmp}/tmp????????/ w, # change to 'c'
-  owner @{tmp}/tmp????????/apt.conf w,
+  owner @{tmp}/@{word8} rw,
+  owner @{tmp}/tmp@{word8}/ w, # change to 'c'
+  owner @{tmp}/tmp@{word8}/apt.conf w,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@ -14,15 +14,10 @@ profile ubuntu-advantage-notification @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/wayland>
+  include <abstractions/desktop>

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
-
  include if exists <local/ubuntu-advantage-notification>
 }

--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = @{bin}/update-manager
 profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/common/apt>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
@ -20,6 +19,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/common/apt>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -72,8 +72,15 @@ profile update-notifier @{exec_path} {
    include <abstractions/base>
    include <abstractions/app/pkexec>

+    capability sys_ptrace,
+
+    ptrace read peer=update-notifier,
+
    @{lib}/update-notifier/package-system-locked Px,

+    @{PROC}/@{pid}/fdinfo/@{int} r,
+    @{PROC}/@{pid}/stat r,
+
    include if exists <local/update-notifier_pkexec>
  }