From 5adc29087031c8f63930434d5e50a1fca5670089 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:54:40 +0200 Subject: [PATCH] fix(profile): fixes some issues raised by tests. --- apparmor.d/abstractions/base.d/complete | 1 + apparmor.d/groups/utils/lsfd | 38 ++++++++++++++++--------- apparmor.d/groups/utils/lsipc | 2 ++ apparmor.d/profiles-m-r/mkinitramfs | 16 +++++------ 4 files changed, 35 insertions(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ecfe09bb5..ad3945eb9 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -10,6 +10,7 @@ # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, + signal (receive) peer=pkill, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd index 6b30f63a9..96e497ea6 100644 --- a/apparmor.d/groups/utils/lsfd +++ b/apparmor.d/groups/utils/lsfd @@ -11,15 +11,25 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability checkpoint_restore, capability dac_read_search, + capability net_admin, capability sys_admin, + capability sys_chroot, capability sys_ptrace, capability sys_resource, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network inet6 stream, network netlink dgram, network netlink raw, + network packet dgram, ptrace read, ptrace trace, 
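Review bot: `network inet6 stream,` is added twice in the lsfd capability/network block; one of the two lines should be removed (apparmor_parser tolerates the duplicate as far as I know, but it is noise and any sorted/unique-rule check will flag it). The same hunk grants `capability bpf,`, `capability net_admin,` and `capability sys_chroot,` plus sockets of every listed family to a tool that only lists file descriptors, and the commit message says no more than that tests raised it; a one-line comment per group naming the lsfd feature that needs it (presumably socket and BPF object inspection, which I cannot confirm from the hunk) would make the next audit of this profile much cheaper. The `profile lsfd` block continues past the end of the hunk.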
@@ -38,20 +48,20 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/cpu_byteorder r, - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/devices r, - @{PROC}/misc r, - @{PROC}/partitions r, - @{PROC}/tty/drivers r, - owner @{PROC}/@{pid}/syscall r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/syscall r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, include if exists } diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc index 12c8d333c..7677a8a03 100644 --- a/apparmor.d/groups/utils/lsipc +++ b/apparmor.d/groups/utils/lsipc @@ -27,6 +27,8 @@ profile lsipc @{exec_path} { @{PROC}/sysvipc/sem r, @{PROC}/sysvipc/shm r, + /dev/mqueue/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index df76eb4ad..a7f046c55 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs 
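Review bot: The one semantic change in this otherwise reorder-only block is dropping `owner` from `@{PROC}/@{pid}/syscall r,`, which now permits reading the syscall file of processes owned by other users, and the commit message does not say why. Given the existing `ptrace read,` rule and that the kernel gates `/proc/@{pid}/syscall` on ptrace access anyway (if I recall correctly), the practical widening is small, but a short comment such as `# non-owner read: lsfd inspects fds of every user's processes` on that line would record the intent. The remaining added lines are the removed lines re-emitted in sorted order. The `profile lsfd` block begins before the hunk.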
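Review bot: `/dev/mqueue/ r,` only permits enumerating the directory, not reading the per-queue entries beneath it; if the test that triggered this addition covers a POSIX message-queue listing that also opens each queue to report its attributes, `/dev/mqueue/* r,` will be the next denial. Worth confirming against the test log rather than guessing, since the hunk does not show which lsipc code path fired. The `profile lsipc` block begins before the hunk.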
@@ -93,14 +93,14 @@ profile mkinitramfs @{exec_path} { owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, - /var/tmp/ r, - /var/tmp/mkinitramfs_@{rand6}/** w, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, + /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, + /var/tmp/modules_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6}/ rw, + /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /var/tmp/mkinitramfs-@{rand6} rw, + /var/tmp/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
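Review bot: Dropping `owner` from the five `/var/tmp/mkinitramfs_@{rand6}` and `/var/tmp/mkinitramfs-*` rules is the only semantic change in this hunk, and the commit message (issues raised by tests) does not say why. `/var/tmp/` is a shared sticky directory, so the `owner` qualifier was what kept the profile from writing into or linking within a same-named `mkinitramfs_@{rand6}` tree created by another user; the pre-existing unqualified `/var/tmp/mkinitramfs_@{rand6}/** w,` line already overlapped with the `owner … rwl` rule, and if that overlap is what the test objected to, deleting the `w` line and keeping `owner` on the others would satisfy it in the safer direction. The `profile mkinitramfs` block starts before and continues after the hunk.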