feat(profiles): general update.

2023-09-12 22:59:07 +01:00 · 2023-09-12 22:59:07 +01:00 · 6db83003c7
commit 6db83003c7
parent 6c397882ad
33 changed files with 98 additions and 56 deletions
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@ -26,7 +26,7 @@ profile aa-enforce @{exec_path} {

  /etc/inputrc r,

-  owner /snap/core[0-9]*/@{int}/etc/apparmor.d/{,**} rw,
+  owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
  owner /var/lib/snapd/apparmor/{,**} rw,

  owner @{PROC}/@{pid}/fd r,
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@ -28,6 +28,11 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  
+  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
+      interface=org.freedesktop.PolicyKit1.Authority
+      member=Changed 
+      peer=(name=:*, label=polkitd),
+
  dbus receive bus=system path=/org/freedesktop/bolt
      interface=org.freedesktop.bolt1.Manager
      member=ListDevices,
--- a/apparmor.d/profiles-a-f/chpasswd
+++ b/apparmor.d/profiles-a-f/chpasswd
@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 include <tunables/global>
@ -17,16 +18,16 @@ profile chpasswd @{exec_path} {

  /etc/.pwd.lock wk,
  /etc/login.defs r,
-  /etc/shadow rw,
-  /etc/shadow.@{int} w,
-  /etc/shadow.lock w,  # change to 'd'
-  /etc/shadow.lock l -> /etc/shadow.@{int},
-  /etc/shadow- w,
-  /etc/shadow+ rw,
  /etc/passwd rw,
  /etc/passwd.@{int} w,
-  /etc/passwd.lock w,  # change to 'd'
  /etc/passwd.lock l -> /etc/passwd.@{int},
+  /etc/passwd.lock w,
+  /etc/shadow rw,
+  /etc/shadow- w,
+  /etc/shadow.@{int} w,
+  /etc/shadow.lock l -> /etc/shadow.@{int},
+  /etc/shadow.lock w,
+  /etc/shadow+ rw,

  include if exists <local/chpasswd>
 }
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -56,7 +56,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  @{bin}/{,g,m}awk  rix,
  @{bin}/update-secureboot-policy rPUx,

-  @{lib}/gcc/@{multiarch}/@{int}/*             rix,
+  @{lib}/gcc/@{multiarch}/@{int}*/*             rix,
  @{lib}/linux-kbuild-*/scripts/**             rix,
  @{lib}/linux-kbuild-*/tools/objtool/objtool  rix,
  @{lib}/llvm-[0-9]*/bin/clang                 rix,