From 63e5980d8d26cdfe0afd1dc80f76fd1f3d8366bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 5 Jun 2022 22:47:37 +0100 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/apt/apt | 4 +- apparmor.d/groups/apt/unattended-upgrade | 4 +- apparmor.d/groups/bus/dbus-daemon | 3 -- .../groups/freedesktop/at-spi2-registryd | 12 +++--- apparmor.d/groups/freedesktop/colord-sane | 12 +++--- apparmor.d/groups/freedesktop/polkitd | 5 ++- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/upowerd | 36 ++++++++-------- .../groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xkbcomp | 2 + apparmor.d/groups/freedesktop/xrdb | 2 + apparmor.d/groups/freedesktop/xwayland | 2 + .../groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 + apparmor.d/groups/gnome/gnome-shell | 4 ++ .../groups/gnome/gnome-shell-calendar-server | 2 + apparmor.d/groups/gnome/nautilus | 5 ++- apparmor.d/groups/ubuntu/apt-esm-hook | 5 +++ .../groups/ubuntu/check-new-release-gtk | 12 +++++- .../groups/ubuntu/livepatch-notification | 5 ++- .../groups/ubuntu/package-system-locked | 3 ++ .../ubuntu/ubuntu-advantage-notification | 4 +- apparmor.d/groups/ubuntu/ubuntu-report | 1 + .../ubuntu/update-motd-updates-available | 20 +++++++-- apparmor.d/groups/ubuntu/update-notifier | 23 +++++++--- apparmor.d/profiles-a-f/fwupdmgr | 27 ++++++------ apparmor.d/profiles-g-l/ifup | 3 +- apparmor.d/profiles-g-l/logrotate | 9 ++-- apparmor.d/profiles-m-r/needrestart | 43 +++++++++++++++---- apparmor.d/profiles-s-z/spice-vdagent | 2 + apparmor.d/profiles-s-z/sysctl | 1 - .../profiles-s-z/update-command-not-found | 1 + 33 files changed, 177 insertions(+), 85 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 588f324ca..cddabf04f 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -24,6 +24,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability net_admin, capability setgid, capability setuid, + capability sys_nice, signal (send) peer=apt-methods-*, @@ -60,9 +61,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { # Methods to use to download packages from the net /{usr/,}lib/apt/methods/* rPx, + /var/lib/apt/extended_states{,.*} rw, /var/lib/apt/lists/** rw, /var/lib/apt/lists/lock rwk, - /var/lib/apt/extended_states{,.*} rw, + /var/lib/apt/periodic/update-success-stamp rw, /var/log/apt/eipp.log.xz w, /var/log/apt/{term,history}.log w, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c3cf5a2a7..4a978427d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -9,10 +9,11 @@ include @{exec_path} = /{usr/,}bin/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include + include include include include - include capability chown, capability dac_override, @@ -78,6 +79,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner /tmp/#[0-9]* rw, owner @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index 0a50c9814..4dae80713 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -14,7 +14,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include include -# include include capability audit_write, @@ -93,7 +92,5 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/tty[0-9]* rw, - unix type=stream addr="@/tmp/dbus-*", - include if exists } diff --git a/apparmor.d/groups/freedesktop/at-spi2-registryd b/apparmor.d/groups/freedesktop/at-spi2-registryd index 939496d8a..46dc955d4 100644 
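Review bot: `@{PROC}/@{pids}/mountinfo r,` in unattended-upgrade is not `owner`-qualified, so the profile may read the mount table of any process rather than only its own, although the line directly above it (`owner @{PROC}/@{pids}/fd/ r,`) already uses the narrower form; `owner @{PROC}/@{pids}/mountinfo r,` would suffice if only the process's own entry is read, which the page does not show. The same unscoped `@{pids}` pattern is added in apt-esm-hook (`@{PROC}/@{pids}/cmdline r,`, which also exposes other processes' command-line arguments), in check-new-release-gtk (where `owner @{PROC}/@{pid}/mounts r,` is replaced by `@{PROC}/@{pids}/mounts r,`) and in update-motd-updates-available (`@{PROC}/@{pids}/mountinfo r,`). The opening lines of the unattended-upgrade profile are outside this hunk.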
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd +++ b/apparmor.d/groups/freedesktop/at-spi2-registryd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -12,19 +13,18 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include - # Needed? - deny capability sys_nice, - signal (receive) set=(term hup) peer=gdm*, @{exec_path} mr, - owner @{HOME}/.Xauthority r, /var/lib/lightdm/.Xauthority r, + + owner @{HOME}/.Xauthority r, + owner @{HOME}/.xsession-errors w, + + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - # file_inherit - owner @{HOME}/.xsession-errors w, owner /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane index 0f3cfa1f6..ed183ba51 100644 --- a/apparmor.d/groups/freedesktop/colord-sane +++ b/apparmor.d/groups/freedesktop/colord-sane @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,7 +9,7 @@ include @{exec_path} = /{usr/,}lib/colord/colord-sane @{exec_path} += @{libexec}/colord-sane -profile colord-sane @{exec_path} flags=(complain) { +profile colord-sane @{exec_path} flags=(attach_disconnected,complain) { include include 
@@ -16,17 +17,18 @@ profile colord-sane @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/sane.d/{,**} r, + /usr/share/snmp/mibs/{,*} r, + /etc/sane.d/{,**} r, /etc/snmp/snmp.conf r, + + /var/lib/snmp/{mib,cert}_indexes/ rw, /var/lib/snmp/mibs/{iana,ietf}/ r, /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - /var/lib/snmp/{mib,cert}_indexes/ rw, - /usr/share/snmp/mibs/{,*} r, + @{run}/systemd/journal/socket rw, @{sys}/bus/scsi/devices/ r, - @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r, @{PROC}/sys/dev/parport/ r, diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index e264a2004..982f8f85f 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -14,10 +14,11 @@ profile polkitd @{exec_path} { include include - capability setuid, capability setgid, + capability setuid, + capability sys_nice, capability sys_ptrace, - audit deny capability net_admin, + audit capability net_admin, ptrace (read), diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 77c69921f..db4eb0c79 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -11,7 +11,7 @@ profile upower @{exec_path} { include # Needed? - deny capability sys_nice, + audit capability sys_nice, @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 7b32158f4..f8f7cbfc2 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2018-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
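Review bot: `audit capability net_admin,` replaces `audit deny capability net_admin,` in polkitd, which turns a logged denial into a logged grant of CAP_NET_ADMIN; if the purpose is only to find out whether the capability is ever exercised, the previous `audit deny` already produced that log line without extending the profile. The same deny-to-allow flip is made for `sys_nice` in upower (where the `# Needed?` comment is kept above the new allow rule) and for `sys_module` in ifup, where the `# Needed?` comment is dropped while the capability is now granted. If the grants are intentional, a comment such as `# audit: allowed for now to confirm whether it is actually used; revert to deny if no log entry appears` next to each rule would record that intent; otherwise keep `audit deny` until a log entry shows a real need. The rest of the polkitd profile is outside the hunk.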
@@ -17,30 +18,12 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - # UPower config file /etc/UPower/ r, /etc/UPower/UPower.conf r, - # The history data for the power device /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - # Are all of these needed? (#FIXME#) - /dev/input/event* r, - @{sys}/bus/hid/devices/ r, - @{sys}/class/leds/ r, - @{sys}/class/power_supply/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/**/power_supply/**/* r, - @{sys}/devices/**/uevent r, - @{sys}/devices/**/capabilities/* r, - @{sys}/devices/virtual/dmi/id/product_name r, - - @{sys}/devices/platform/**/leds/**/max_brightness r, - @{sys}/devices/platform/**/leds/**/brightness rw, - @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, - @{run}/udev/data/ r, @{run}/udev/data/+power_supply* r, @{run}/udev/data/+input* r, @@ -49,5 +32,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, + @{sys}/bus/hid/devices/ r, + @{sys}/class/input/ r, + @{sys}/class/leds/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/ r, + @{sys}/devices/**/capabilities/* r, + @{sys}/devices/**/power_supply/**/* r, + @{sys}/devices/**/uevent r, + @{sys}/devices/platform/**/leds/**/brightness rw, + @{sys}/devices/platform/**/leds/**/brightness_hw_changed r, + @{sys}/devices/platform/**/leds/**/max_brightness r, + @{sys}/devices/virtual/dmi/id/product_name r, + + /dev/input/event* r, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index e9ad2fdda..e366fd260 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal 
@@ -34,7 +34,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /usr/share/pipewire/client.conf r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /etc/machine-id r, /etc/pipewire/client.conf.d/ r, /var/lib/flatpak/exports/share/mime/mime.cache r, @@ -43,6 +42,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/{,*/*} r, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/pipewire-[0-9]* rw, owner @{PROC}/@{pids}/cgroup r, @{PROC}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 0095e3b3a..b4235da95 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -11,6 +11,8 @@ include profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + @{exec_path} mr, /usr/share/X11/xkb/** r, diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 4db269649..177d3bb8e 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -11,6 +11,8 @@ include profile xrdb @{exec_path} { include + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e535c2dfe..dd354cf8c 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -19,6 +19,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=gdm*, signal (receive) set=(term hup) peer=gnome-shell, + unix (receive, send) type=stream addr="@/tmp/.X11-unix/X[0-9]*", + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, 
diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index b40e3ed93..e488818bb 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -11,8 +11,8 @@ profile evolution-source-registry @{exec_path} { include include include - include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index a0fbc6c7f..564dba303 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -23,7 +23,6 @@ profile gnome-extension-ding @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r, - /usr/share/themes/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/X11/{,**} r, @@ -38,6 +37,7 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/home-*.log r, owner @{run}/user/@{uid}/bus rw, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index c99313556..78fee1dff 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -99,6 +99,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/user-dirs.locale r, owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/mimeinfo.cache r, + owner @{user_share_dirs}/session_migration-ubuntu r, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/dconf/ rw, 
@@ -107,6 +108,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, owner @{run}/user/@{uid}/systemd/notify w, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7dcc1894b..07657a3bd 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -39,6 +39,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, signal (send), + + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), @{exec_path} mr, @@ -126,6 +129,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner /dev/shm/.org.chromium.Chromium.* rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 092876901..005072d53 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -17,6 +17,8 @@ profile gnome-shell-calendar-server @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/zoneinfo-icu/{,**} r, + /etc/timezone r, + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d5ebffde0..5ad4d7a0a 100644 --- a/apparmor.d/groups/gnome/nautilus 
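Review bot: `unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),` in gnome-shell writes the access list as `(send,receive)` while the rule added directly above it uses `(connect, receive, send)`; for consistency within the pair write `unix (receive, send) type=stream addr=none peer=(label=gnome-extension-ding),`. The gnome-shell profile body continues outside the hunk.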
+++ b/apparmor.d/groups/gnome/nautilus @@ -24,8 +24,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /usr/share/sounds/freedesktop/stereo/*.oga r, /usr/share/thumbnailers/{,**} r, /usr/share/tracker3/{,**} r, + /usr/share/ubuntu/applications/{,**} r, - owner @{user_share_dirs}/nautilus/{,**} rwk, + /var/lib/snapd/desktop/icons/{,**} r, # Full access to user's data / r, @@ -42,6 +43,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { deny /tmp/.* rw, deny /tmp/.*/{,**} rw, + owner @{user_share_dirs}/nautilus/{,**} rwk, + owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 5e4c703cd..3492a1a8d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -15,7 +15,12 @@ profile apt-esm-hook @{exec_path} { /{usr/,}bin/dpkg rPx, + /etc/machine-id r, + + /var/lib/ubuntu-advantage/messages/{,**} rw, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/cmdline r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index ddba1dc3d..79f3b2f94 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,13 +10,18 @@ include profile check-new-release-gtk @{exec_path} { include include + include include include + include include include network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, @{exec_path} mr, 
@@ -25,17 +30,22 @@ profile check-new-release-gtk @{exec_path} { /{usr/,}bin/lsb_release rPx -> lsb_release, /usr/share/distro-info/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/themes/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, + /usr/share/X11/xkb/{,**} r, /etc/update-manager/{,**} r, owner @{user_cache_dirs}/update-manager-core/{,**} rw, + owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9] rw, + owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pids}/mounts r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 33965de61..863cccfe7 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -10,16 +10,19 @@ include profile livepatch-notification @{exec_path} { include include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/X11/{,**} r, - /usr/share/themes/{,**} r, + owner @{run}/user/@{uid}/at-spi/bus rw, + owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index bd66ec170..705eb72d6 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -16,6 +16,9 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { ptrace (read), + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
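Review bot: `owner @{run}/user/@{uid}/wayland-[0-9] rw,` in check-new-release-gtk matches only single-digit Wayland display sockets, while the other profiles touched by this commit (livepatch-notification, ubuntu-advantage-notification, gnome-session-binary) use `wayland-[0-9]*`; unless the narrower pattern is intended, change it to `owner @{run}/user/@{uid}/wayland-[0-9]* rw,` so the profiles agree. The profile header and its includes are in the preceding hunk, not this one.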
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index caf36abdd..d8f01e8e5 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -11,16 +11,18 @@ profile ubuntu-advantage-notification @{exec_path} { include include include + include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, /usr/share/X11/xkb/{,**} r, - /usr/share/themes/{,**} r, + owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index f7348d1a1..514055172 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -10,6 +10,7 @@ include profile ubuntu-report @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 5724a9598..d31d1730a 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available 
@@ -9,28 +9,42 @@ include @{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include + include + include + include + include include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/python3.[0-9]* r, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/apt-config rPx, + /{usr/,}bin/chmod rix, /{usr/,}bin/dirname rix, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/find rix, /{usr/,}bin/ischroot rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/mktemp rix, /{usr/,}bin/mv rix, + /{usr/,}bin/rm rix, /{usr/,}lib/update-notifier/apt_check.py rix, - /etc/apt/apt.conf.d/{,*} r, - /etc/apt/sources.list r, + /usr/share/distro-info/{,**} r, + + /etc/machine-id r, - /var/lib/apt/lists/{,*} r, /var/lib/update-notifier/{,*} rw, + /var/cache/apt/ r, + /var/cache/apt/** rwk, + owner @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pids}/mountinfo r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ed52d32fa..a17b3a6a2 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -18,33 +18,46 @@ profile update-notifier @{exec_path} { @{exec_path} mr, - /{usr/,}bin/dpkg rPx, + /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ionice rix, /{usr/,}bin/ischroot rix, - /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/nice rix, + + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/pkexec rPx, /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/update-manager rPx, + /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk rPx, /{usr/,}lib/update-notifier/apt_check.py rix, + /{usr/,}lib/update-notifier/list-oem-metapackages rPx, /{usr/,}lib/update-notifier/livepatch-notification rPx, /{usr/,}lib/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, + /usr/share/apport/apport-gtk rPx, - /usr/share/applications/{,*.desktop} r, + /usr/share/applications/{,**} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icons/{,**} r, - /usr/share/themes/{,**} r, + /usr/share/mime/mime.cache r, + /usr/share/pixmaps/ r, /usr/share/ubuntu/applications/ r, + /usr/share/update-notifier/{,**} r, /usr/share/X11/{,**} r, /etc/machine-id r, /etc/gnome/defaults.list r, + /var/lib/snapd/desktop/applications/{,**} r, + /var/lib/snapd/desktop/icons/ r, /var/lib/update-notifier/user.d/ r, - /var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r, + owner @{user_share_dirs}/applications/ r, + + owner @{run}/user/@{uid}/at-spi/bus rw, + owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 19e51f9b0..127a364c5 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2020-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,11 +8,12 @@ abi , include @{exec_path} = /{usr/,}bin/fwupdmgr -profile fwupdmgr @{exec_path} flags=(complain) { +profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include + include include - include include + include signal (send), @@ -27,26 +28,22 @@ profile fwupdmgr @{exec_path} flags=(complain) { /{usr/,}bin/dbus-launch rCx -> dbus, /{usr/,}bin/pkttyagent rPx, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/fwupd/ rw, - owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/fwupd/ rw, + owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, + + owner @{run}/user/@{uid}/dconf/ rw, + owner @{run}/user/@{uid}/dconf/user rw, owner @{PROC}/@{pid}/fd/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - /dev/tty rw, - include - owner @{run}/user/@{uid}/dconf/ rw, - owner @{run}/user/@{uid}/dconf/user rw, - profile dbus { include include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 73e36a65a..6de8a18fa 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -12,8 +12,7 @@ profile ifup @{exec_path} { include capability net_admin, - # Needed? - audit deny capability sys_module, + audit capability sys_module, network netlink raw, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 96d0818d2..db9073cd6 100755 --- a/apparmor.d/profiles-g-l/logrotate 
+++ b/apparmor.d/profiles-g-l/logrotate @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/logrotate -profile logrotate @{exec_path} flags=(attach_disconnected, complain) { +profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -71,16 +71,15 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /var/lib/logrotate.status rwk, /var/lib/logrotate.status.tmp rw, + / r, /var/log{,.hdd}/ r, /var/log{,.hdd}/** rw, - # Needed to remove the following error: - # logrotate[]: error: could not change directory to '.' - / r, + @{run}/systemd/private rw, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - profile systemctl flags=(attach_disconnected, complain) { + profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c7de4c653..33176766a 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
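Review bot: The comment explaining why logrotate needs `/ r,` (`# Needed to remove the following error: logrotate[]: error: could not change directory to '.'`) is dropped when the rule is moved up, so a root-directory read in a profile that this commit switches from complain to enforce no longer has its reason recorded; keep a one-line `# logrotate chdir()s to '.' at startup; without this it logs "could not change directory to '.'"` beside the moved rule. `@{run}/systemd/private rw,` is added to the main profile even though the profile also carries a `systemctl` child profile (its body continues outside the hunk); if only the systemctl child talks to systemd's private socket, the rule belongs inside that child profile rather than in the parent, which would otherwise gain control-socket access for the whole logrotate run. With `complain` removed from both `flags=` lines, any rule that was previously only logged is now enforced, so the moved rules are worth confirming against an enforced run.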
@@ -7,28 +7,53 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/needrestart -profile needrestart @{exec_path} { +profile needrestart @{exec_path} flags=(attach_disconnected) { include include + include include + include include + capability checkpoint_restore, + capability dac_read_search, capability sys_ptrace, ptrace (read), - @{exec_path} mr, + @{exec_path} mrix, - /{usr/,}bin/systemd-detect-virt rPx, - /{usr/,}bin/who rix, - /usr/share/debconf/frontend rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/locale rix, + /{usr/,}bin/python3.[0-9]* rix, + /{usr/,}bin/stty rix, + /{usr/,}bin/systemctl rPx, + /{usr/,}bin/systemd-detect-virt rPx, + /{usr/,}bin/udevadm rPx, + /{usr/,}bin/whiptail rPx, + /{usr/,}bin/who rix, + /{usr/,}lib/needrestart/iucode-scan-versions rPx, + /usr/share/debconf/frontend rix, + /usr/share/needrestart/{,**} r, + /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, + + /etc/debconf.conf r, /etc/needrestart/{,**} r, + /etc/needrestart/hook.d/* rix, + /etc/needrestart/restart.d/* rix, + /etc/shadow r, - @{PROC}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/stat r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pids}/cgroup r, + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, /dev/ r, /dev/**/ r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index ce534bdee..e0a141ea2 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -12,6 +12,8 @@ profile spice-vdagent @{exec_path} { include include + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 55251feee..04bfaab93 100644 
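Review bot: `/etc/shadow r,` grants needrestart read access to the password hash database, and `capability dac_read_search,` added in the same hunk lifts the DAC restriction on that file as well; nothing in the hunk says which step of needrestart performs the read, so a comment naming it (e.g. `# /etc/shadow: read by <component> — TODO confirm`) would keep the rule from being carried forward unexamined, or the component that reads it could be confined under its own child profile. `/{usr/,}bin/dpkg-query rpx,` uses lowercase `p`, which transitions without scrubbing the environment, while every other profile transition in the hunk uses `rPx`; it reads like a typo for `/{usr/,}bin/dpkg-query rPx,`. `/etc/needrestart/hook.d/* rix,` and `/etc/needrestart/restart.d/* rix,` execute admin-provided scripts inherited in this profile, so they run with `sys_ptrace`, `dac_read_search` and the shadow read above; if that is intended, note it with `# hook.d/restart.d scripts run under this profile (ix) and inherit every rule above`. The needrestart profile body continues past the end of the hunk.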
--- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -10,7 +10,6 @@ include profile sysctl @{exec_path} { include - capability mac_admin, capability net_admin, capability sys_admin, capability sys_resource, diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index c256bc068..3647063b0 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -19,6 +19,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, /{usr/,}bin/python3.[0-9]* r, + /{usr/,}lib/ r, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}lib/apt/apt-helper rix,