feat(profile): expand and restrict motd.

Alexandre Pujol 2025-05-25 01:04:07 +02:00
parent 21b31a06a7
commit 649d2da8d2
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC


@ -9,16 +9,11 @@ include <tunables/global>
@{exec_path} = /etc/update-motd.d/* @{exec_path} = /etc/update-motd.d/*
profile motd @{exec_path} { profile motd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet dgram, capability net_admin,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r,
@{sh_path} rix, @{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@ -28,7 +23,7 @@ profile motd @{exec_path} {
@{bin}/snap rPx, @{bin}/snap rPx,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/wget rix, @{bin}/wget rCx -> wget,
@{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
@{lib}/update-notifier/update-motd-fsck-at-reboot rPx, @{lib}/update-notifier/update-motd-fsck-at-reboot rPx,
@ -37,26 +32,49 @@ profile motd @{exec_path} {
/usr/share/update-notifier/notify-updates-outdated rPx, /usr/share/update-notifier/notify-updates-outdated rPx,
/ r, / r,
/etc/cloud/cloud.cfg r,
/etc/cloud/cloud.cfg.d/{,*} r,
/etc/default/motd-news r, /etc/default/motd-news r,
/etc/lsb-release r, /etc/lsb-release r,
/etc/update-motd.d/* r, /etc/update-motd.d/* r,
/etc/cloud/cloud.cfg r, /etc/wgetrc r,
/etc/cloud/cloud.cfg.d/{,*} r,
/var/cache/motd-news rw, /var/cache/motd-news rw,
/var/lib/update-notifier/updates-available r, /var/lib/update-notifier/updates-available r,
/var/lib/ubuntu-advantage/messages/motd-esm-announce r, /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
/var/lib/cloud/instances/nocloud/cloud-config.txt r,
/tmp/tmp.@{rand10} rw, # /tmp/tmp.@{rand10} rw,
@{run}/cloud-init/cloud.cfg r,
@{run}/motd.d/{,*} r, @{run}/motd.d/{,*} r,
@{run}/motd.dynamic.new rw, @{run}/motd.dynamic.new rw,
@{run}/reboot-required r, @{run}/reboot-required r,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
/dev/tty@{int} rw, /dev/tty@{int} rw,
profile wget {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
network inet dgram,
network inet stream,
network inet6 dgram,
network inet6 stream,
network netlink raw,
@{bin}/wget mr,
/tmp/tmp.@{rand10} rw,
include if exists <local/motd_wget>
}
profile systemctl { profile systemctl {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/systemctl> include <abstractions/app/systemctl>