feat(profile): add initial version for dpkg-scripts.

Alexandre Pujol 2025-05-18 20:27:44 +02:00
parent 222125e593
commit 6495061360
GPG key ID: C5469996F0DF68EC
7 changed files with 263 additions and 41 deletions


@ -15,12 +15,12 @@ profile dpkg-script-apparmor @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/grep rix,
@{bin}/grep ix,
@{bin}/deb-systemd-helper rPx,
@{bin}/deb-systemd-invoke rPx,
@{bin}/dpkg-divert rix,
@{bin}/systemctl rCx -> systemctl,
@{bin}/deb-systemd-helper Px,
@{bin}/deb-systemd-invoke Px,
@{bin}/dpkg-divert ix,
@{bin}/systemctl Cx -> systemctl,
/usr/share/apparmor.d/** rw,


@ -6,16 +6,13 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/udev*
profile dpkg-script-udev @{exec_path} {
@{exec_path} = /var/lib/dpkg/info/kmod*
profile dpkg-script-kmod @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
@{exec_path} mrix,
@{bin}/systemd-hwdb rPx,
@{bin}/deb-systemd-invoke rPx,
include if exists <local/dpkg-script-udev>
include if exists <local/dpkg-script-kmod>
}
# vim:syntax=apparmor
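Review bot: The new dpkg-script-kmod profile appears to end up with only `@{exec_path} mrix,` and no interpreter rule, while the sibling profiles added in this commit (dpkg-script-linux, dpkg-script-systemd) each carry `@{sh_path} rix,`. If the `/var/lib/dpkg/info/kmod*` scripts are shell scripts like those, the shell exec will surface as a denial once the profile leaves complain mode, so `@{sh_path} rix,` is probably needed here too. Which of the two `rPx` lines in this hunk survive on the new side cannot be read off the page, so this is inferred from the hunk line counts rather than seen.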


@ -0,0 +1,45 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/linux*
profile dpkg-script-linux @{exec_path} {
include <abstractions/base>
include <abstractions/app/debconf>
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/cat ix,
@{bin}/locale ix,
@{bin}/mkdir ix,
@{bin}/mkdir ix,
@{bin}/rm ix,
@{bin}/run-parts ix,
@{bin}/stty ix,
@{bin}/dpkg-trigger Px,
@{bin}/kmod Px,
@{bin}/linux-check-removal Px,
@{bin}/linux-update-symlinks Px,
@{bin}/whiptail Px,
/usr/share/{update,reboot}-notifier/notify-reboot-required Px,
/etc/kernel/{,header_}postinst.d/* Px,
/etc/kernel/postrm.d/* Px,
/etc/kernel/preinst.d/* Px,
/etc/kernel/prerm.d/* Px,
/etc/kernel/*.d/ r,
@{lib}/linux/triggers/* w,
@{lib}/modules/*/.fresh-install w,
include if exists <local/dpkg-script-linux>
}
# vim:syntax=apparmor
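Review bot: `@{bin}/mkdir ix,` appears twice in the new dpkg-script-linux profile, on the two consecutive lines following `@{bin}/locale ix,`; drop one so the rule list stays deduplicated. The parser accepts the repeat, so this is a tidiness point rather than a functional one.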


@ -1,27 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/man-db.*
profile dpkg-script-man @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability setgid,
capability setuid,
@{exec_path} mr,
@{sh_path} rix,
@{bin}/setpriv rix,
@{bin}/mandb rPx,
include if exists <local/dpkg-script-man>
}
# vim:syntax=apparmor


@ -0,0 +1,64 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/systemd*
profile dpkg-script-systemd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/deb-systemd-helper Px,
@{bin}/deb-systemd-invoke Px,
@{bin}/dpkg Cx -> dpkg,
@{bin}/dpkg-divert Px,
@{bin}/dpkg-maintscript-helper Px,
@{bin}/journalctl Px,
@{bin}/kernel-install Px,
@{bin}/systemctl Cx -> systemctl,
@{bin}/systemd-machine-id-setup Px,
@{bin}/systemd-sysusers Px,
@{bin}/systemd-tmpfiles Px,
@{lib}/systemd/systemd-sysctl Px,
@{sbin}/pam-auth-update Px,
/etc/systemd/system/*.wants/ rw,
/etc/systemd/system/*.wants/* rw,
/var/lib/systemd/{,*} rw,
/var/log/journal/ rw,
profile dpkg {
include <abstractions/base>
include <abstractions/common/apt>
@{bin}/dpkg mr,
include if exists <local/dpkg-script-systemd_dpkg>
}
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
capability net_admin,
capability sys_resource,
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
@{bin}/systemd-tty-ask-password-agent Px,
include if exists <local/dpkg-script-systemd_systemctl>
}
include if exists <local/dpkg-script-systemd>
}
# vim:syntax=apparmor
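Review bot: `@{bin}/dpkg Cx -> dpkg,` with a local `profile dpkg { ... }` child is inconsistent with the dpkg-scripts profile added in the same commit, which routes the same binary through `@{bin}/dpkg Px -> child-dpkg,`; unless the narrower local child (base plus abstractions/common/apt) is intentional, `@{bin}/dpkg Px -> child-dpkg,` keeps the two profiles in step and avoids a second copy of the dpkg rules to maintain. The `systemctl` child here grants `capability sys_resource,` where the dpkg-scripts counterpart grants `capability sys_ptrace,`; a short comment on which denial each was taken from would help, since the two children otherwise mirror each other.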


@ -0,0 +1,141 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/**
profile dpkg-scripts @{exec_path} {
include <abstractions/base>
include <abstractions/app/debconf>
include <abstractions/disks-read>
capability chown,
capability dac_read_search,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
@{exec_path} mrix,
# Common program found in maintainer scripts
@{sh_path} rix,
@{coreutils_path} rix,
@{bin}/run-parts rix,
@{bin}/setpriv ix,
@{bin}/envsubst ix,
@{bin}/getent ix,
@{bin}/gzip ix,
@{bin}/helpztags ix,
@{bin}/locale ix,
@{bin}/tput ix,
@{bin}/zcat ix,
@{lib}/ubuntu-advantage/cloud-id-shim.sh ix,
@{lib}/ubuntu-advantage/postinst-migrations.sh ix,
@{bin}/dbus-send Cx -> bus,
@{bin}/dpkg Px -> child-dpkg,
@{bin}/systemctl Cx -> systemctl,
@{sbin}/invoke-rc.d Cx -> rc,
@{sbin}/ldconfig Cx -> ldconfig,
@{sbin}/ldconfig.real Cx -> ldconfig,
@{sbin}/update-rc.d Cx -> rc,
# Maintainer scripts can legitimately start/restart anything
@{bin}/** Px,
@{sbin}/** Px,
@{lib}/** Px,
/usr/share/** Px,
/etc/init.d/* Px,
/var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-*
/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp
# Maintainer's scripts can update a lot of files
/ r,
/*/ r,
@{bin}/ r,
@{lib}/ r,
/etc/ r,
/etc/** rw,
/usr/share/*/ r,
/usr/share/*/** rw,
/var/** rw,
@{run}/** rw,
@{efi}/grub/* rw,
/tmp/grub.@{rand10} rw,
/tmp/sed@{rand6} rw,
/tmp/tmp.@{rand10} rw,
profile bus {
include <abstractions/base>
include <abstractions/app/bus>
include <abstractions/bus-system>
dbus send bus=system path=/
interface=org.freedesktop.DBus
member=ReloadConfig
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
include if exists <local/dpkg-scripts_bus>
}
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
capability net_admin,
capability sys_ptrace,
@{run}/utmp rk,
include if exists <local/dpkg-scripts_systemctl>
}
profile rc {
include <abstractions/base>
include <abstractions/perl>
@{sbin}/update-rc.d mr,
@{sbin}/invoke-rc.d mr,
@{coreutils_path} rix,
@{sh_path} rix,
@{bin}/systemctl rPx -> dpkg-scripts//systemctl,
/etc/ r,
/etc/init.d/* r,
/etc/rc?.d/ r,
/etc/rc@{int}.d/ r,
/etc/rc@{int}.d/* rw,
/etc/rc@{c}.d/* rw,
include if exists <local/dpkg-scripts_rc>
}
profile ldconfig {
include <abstractions/base>
include <abstractions/consoles>
@{sh_path} rix,
@{sbin}/ldconfig mrix,
@{sbin}/ldconfig.real rix,
@{lib}/ r,
/usr/local/ r,
/usr/local/lib/ r,
owner /var/cache/ldconfig/aux-cache* rw,
include if exists <local/dpkg-scripts_ldconfig>
}
include if exists <local/dpkg-scripts>
}
# vim:syntax=apparmor
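Review bot: `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp` overlaps `@{exec_path} mrix,` because `@{exec_path}` is `/var/lib/dpkg/**`, so the same path receives two different exec transitions from two globbed rules; whether apparmor_parser rejects that as conflicting x modifiers or lets one rule win depends on the parser version, so either narrow the attachment (e.g. `/var/lib/dpkg/info/**`) or confirm that the profile loads and which transition actually applies. The preceding `/var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-*` is already covered by the same `mrix` rule; if the intent is that sibling scripts stay under this broad profile rather than hand off to the narrower dpkg-script-* profiles, the comment should say so, because with a plain `Px` the kernel would be expected to pick the most specific matching attachment instead. Given the breadth of `/etc/** rw,`, `/var/** rw,` and the `Px` over `@{bin}/**`, `@{sbin}/**`, `@{lib}/**` and `/usr/share/**`, the complain flag in dists/flags is the right starting point; a header comment stating that this is the catch-all for scripts without a dedicated dpkg-script-* profile would make the design explicit.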


@ -88,8 +88,10 @@ dolphin complain
downloadhelper complain
dpkg-maintscript-helper complain
dpkg-script-apparmor complain
dpkg-script-man complain
dpkg-script-udev complain
dpkg-script-kmod complain
dpkg-script-linux complain
dpkg-script-systemd complain
dpkg-scripts complain
drkonqi complain
drkonqi-coredump-cleanup complain
drkonqi-coredump-processor complain