feat(profiles): general update.

2023-09-15 22:01:08 +01:00 · 2023-09-15 22:01:08 +01:00 · 6a78b17d23
commit 6a78b17d23
parent 1d68b5bbc4
22 changed files with 62 additions and 35 deletions
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -17,8 +17,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  capability sys_admin,
  capability sys_chroot,

-  unix (receive) type=stream,
-
  @{exec_path} rmix,

  @{bin}/{,ba}sh             rix,
@ -116,9 +114,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {

  # Inherit silencer
  deny @{HOME}/** r,
-  deny network inet6 stream,
-  deny network inet stream,
  deny /apparmor/.null rw,
+  deny network inet stream,
+  deny network inet6 stream,
+  deny unix (receive) type=stream,

  include if exists <local/mkinitcpio>
 }
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -30,17 +30,12 @@ profile pacman @{exec_path} {
  capability sys_chroot,
  capability sys_resource,

-  # network unix stream,
-  # network unix dgram,
-
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

-  unix (receive) type=stream,
-
  ptrace (read),

  @{exec_path} mrix,
@ -161,8 +156,9 @@ profile pacman @{exec_path} {
  owner /dev/pts/@{int} rw,

  # Silencer, 
-  deny /tmp/ r,
  deny @{HOME}/ r,
+  deny /tmp/ r,
+  deny unix (receive) type=stream,

  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@ -13,8 +13,6 @@ profile pacman-hook-dkms @{exec_path} {
  capability dac_read_search,
  capability mknod,

-  unix (receive) type=stream,
-
  @{exec_path} mr,

  @{bin}/bash rix,
@ -30,9 +28,10 @@ profile pacman-hook-dkms @{exec_path} {
  /dev/tty rw,

  # Inherit Silencer
-  deny network inet6 stream,
-  deny network inet stream,
  deny /apparmor/.null rw,
+  deny network inet stream,
+  deny network inet6 stream,
+  deny unix (receive) type=stream,

  include if exists <local/pacman-hook-dkms>
 }
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@ -14,7 +14,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  capability dac_read_search,
  capability mknod,

-  unix (receive) type=stream,
+  audit deny unix (receive) type=stream,

  @{exec_path} mr,

@ -37,11 +37,13 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /etc/mkinitcpio.d/*.preset{,.pacsave} rw,

  / r,
+  /boot/ r,
  /boot/vmlinuz-* rw,
  /boot/initramfs-*.img rw,
  /boot/initramfs-*-fallback.img rw,

  /dev/tty rw,
+  owner /dev/pts/@{int} rw,

  # # Inherit Silencer
  deny network inet6 stream,