From 736e44a483af6c2888aad43d4ed224c5cb8bce68 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 6 Oct 2022 20:53:54 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/apt/dpkg | 49 +++++++------------
 apparmor.d/groups/apt/unattended-upgrade | 5 +-
 apparmor.d/groups/grub/grub-mkconfig | 20 +++++---
 apparmor.d/groups/network/NetworkManager | 1 +
 .../groups/pacman/archlinux-keyring-wkd-sync | 4 +-
 apparmor.d/profiles-s-z/wpa-supplicant | 15 +++---
 6 files changed, 45 insertions(+), 49 deletions(-)
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index 0593605a0..282cbe041 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -28,18 +29,13 @@ profile dpkg @{exec_path} {
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
 /{usr/,}bin/rm rix,
- # Do not strip env to avoid errors like the following:
- # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
- # shared object file): ignored.
 /{usr/,}bin/dpkg-query rpx,
 /{usr/,}bin/dpkg-deb rpx,
- #
+ /{usr/,}bin/dpkg-query rpx,
 /{usr/,}bin/dpkg-split rPx,
- /{usr/,}lib/needrestart/dpkg-status rPx,
- /usr/share/debian-security-support/check-support-status.hook rPx,
 /{usr/,}bin/pager rCx -> diff,
@@ -47,6 +43,9 @@ profile dpkg @{exec_path} {
 /{usr/,}bin/more rCx -> diff,
 /{usr/,}bin/diff rCx -> diff,
+ /etc/dpkg/dpkg.cfg.d/{,*} r,
+ /etc/dpkg/dpkg.cfg r,
+
 # Run the package maintainer's scripts
 # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
 # Move it to a child profile once more transitions will be available
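Review bot: The three-line comment explaining why `dpkg-deb` and `dpkg-query` use the lowercase `rpx` (the environment is not scrubbed on the transition, so fakeroot's `LD_PRELOAD` of `libfakeroot-sysv.so` keeps working) is deleted in hunk @@ -28 while both `rpx` rules stay, so the reason for the unscrubbed-environment transition is now undocumented and a later "cleanup" to `rPx` would reintroduce exactly the error the comment cited. A one-liner next to the rules, e.g. `/{usr/,}bin/dpkg-deb rpx, # no env scrubbing: keep fakeroot LD_PRELOAD working`, would preserve the rationale. As rendered, the hunk also shows `/{usr/,}bin/dpkg-query rpx,` both as a kept context line and as an added line, which would leave a duplicate rule in the new file unless the first occurrence's `-` marker was lost in rendering; worth checking before merging. Finally, the `rPx` rules for `/{usr/,}lib/needrestart/dpkg-status` and `/usr/share/debian-security-support/check-support-status.hook` are dropped with no replacement exec rule anywhere in this diff, so if dpkg still invokes those hooks they will now be denied; the commit message should say why they were removed.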
@@ -67,19 +66,9 @@ profile dpkg @{exec_path} {
 #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
 #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
- /etc/dpkg/dpkg.cfg.d/{,*} r,
- /etc/dpkg/dpkg.cfg r,
-
- owner @{PROC}/@{pid}/fd/ r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- owner /tmp/apt-dpkg-install-*/ r,
-
 /var/log/dpkg.log w,
 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
- @{run}/systemd/userdb/ r,
-
 # For shell pwd
 /root/ r,
@@ -120,9 +109,14 @@ profile dpkg @{exec_path} {
 /var/*.dpkg-new/ rw,
 /var/*/ rw,
- # file_inherit
- owner /dev/tty[0-9]* rw,
+ owner /tmp/apt-dpkg-install-*/ r,
+ @{run}/systemd/userdb/ r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ owner /dev/tty[0-9]* rw,
 profile diff {
 include
@@ -134,19 +128,19 @@ profile dpkg @{exec_path} {
 /{usr/,}bin/more mr,
 /{usr/,}bin/diff mr,
+ /etc/** r, # Diff changed config files
+ /root/ r, # For shell pwd
+
 owner @{HOME}/.lesshs* rw,
- # Diff changed config files
- /etc/** r,
-
- # For shell pwd
- /root/ r,
-
 }
 profile scripts {
 include
+ /{usr/,}{s,}bin/ r,
+ /{usr/,}{s,}bin/* rPUx,
+
 /var/lib/dpkg/info/*.config r,
 /var/lib/dpkg/info/*.{preinst,postinst} r,
 /var/lib/dpkg/info/*.{prerm,postrm} r,
@@ -154,11 +148,6 @@ profile dpkg @{exec_path} {
 /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
 /var/lib/dpkg/tmp.ci/{prerm,postrm} r,
- /{usr/,}bin/ r,
- /{usr/,}bin/* rPUx,
- /{usr/,}sbin/ r,
- /{usr/,}sbin/* rPUx,
-
 }
 include if exists
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 9ea5fe83e..fad95e44d 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
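Review bot: In hunk @@ -120 the `# file_inherit` comment is dropped while the rule it explained, `owner /dev/tty[0-9]* rw,`, is kept at the end of the regrouped block, so the reader loses the only hint that the tty access is there for inherited descriptors rather than something dpkg opens on its own. The same commit moves the diff child's comments inline in hunk @@ -134 (`/etc/** r, # Diff changed config files`), and the same treatment here would keep the rationale: `owner /dev/tty[0-9]* rw, # file_inherit`. The consolidation of the `scripts` child's exec rules into `/{usr/,}{s,}bin/* rPUx,` (hunks @@ -134 and @@ -154) is behaviour-preserving, but note that `PUx` still falls back to unconfined for any maintainer-script helper without a profile, which the existing `#FIXME#` comment earlier in the file already flags.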
@@ -81,14 +81,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /etc/apt/*.list r,
 /etc/apt/apt.conf.d/{,**} r,
 /etc/debian_version r,
+ /etc/default/grub.d/* r,
 /etc/dpkg/origins/{debian,ubuntu,} r,
+ /etc/grub.d/* r,
 /etc/issue{.net,} r,
+ /etc/kernel/*.d/*grub* r,
 /etc/legal r,
 /etc/lsb-release r,
 /etc/profile.d/* r,
- /etc/update-motd.d/* r,
 /etc/update-manager/{,**} r,
 /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
+ /etc/update-motd.d/* r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index 3341b30c6..91ebc8ee9 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,10 +12,17 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
 include
 include
+ capability dac_override,
 capability dac_read_search,
 @{exec_path} mr,
- /etc/grub.d/{**,} rix,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
+ /{usr/,}{local/,}{s,}bin/zpool rPx,
+ /{usr/,}{s,}bin/dmsetup rPUx,
+ /{usr/,}{s,}bin/grub-probe rPx,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{e,f,}grep rix,
 /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/basename rix,
 /{usr/,}bin/cat rix,
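Review bot: In hunk @@ -81 the relocated `/etc/update-motd.d/* r,` fully covers the enumerated `/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,` on the line above it; AppArmor allow rules are cumulative and order-independent, so the narrower rule grants nothing extra once the glob exists and only suggests a restriction that is not actually enforced. Keep one of the two: the glob if every motd script genuinely needs to be readable, otherwise drop the glob and keep the enumerated rule. The three new grub-related reads (`/etc/default/grub.d/*`, `/etc/grub.d/*`, `/etc/kernel/*.d/*grub*`) are read-only and in line with the surrounding `/etc` rules.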
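Review bot: `capability dac_override,` added in hunk @@ -11 of grub-mkconfig lets the profile bypass permission checks for writes and executes as well as reads, whereas the existing `capability dac_read_search,` already covers read and directory-search bypass; because the profile is still `flags=(complain)` the new capability may have been lifted from an audit entry rather than from a confirmed write need. Recording what triggers it would let it be narrowed later, e.g. `capability dac_override, # TODO: note which write requires this`. The helper transitions added above `awk` (`zfs`, `zpool`, `grub-probe` as `rPx`, `dmsetup` as `rPUx`) are moved from hunk @@ -49 rather than new; `dmsetup`'s `PUx` fallback to unconfined is pre-existing but remains the broadest transition in the block. The rest of the profile body continues past this hunk.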
@@ -26,22 +34,21 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
 /{usr/,}bin/find rix,
 /{usr/,}bin/findmnt rPx,
 /{usr/,}bin/gettext rix,
- /{usr/,}bin/{e,f,}grep rix,
- /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/grub-mkrelpath rPx,
 /{usr/,}bin/grub-script-check rPx,
 /{usr/,}bin/head rix,
 /{usr/,}bin/id rPx,
 /{usr/,}bin/ls rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
 /{usr/,}bin/mktemp rix,
 /{usr/,}bin/mount rPx,
 /{usr/,}bin/mountpoint rix,
+ /{usr/,}bin/os-prober rPx,
 /{usr/,}bin/paste rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/rmdir rix,
 /{usr/,}bin/sed rix,
- /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/sort rix,
 /{usr/,}bin/stat rix,
 /{usr/,}bin/tail rix,
@@ -49,10 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
 /{usr/,}bin/umount rPx,
 /{usr/,}bin/uname rix,
 /{usr/,}bin/which{.debianutils,} rix,
- /{usr/,}{s,}bin/dmsetup rPUx,
- /{usr/,}{s,}bin/grub-probe rPx,
- /{usr/,}{local/,}{s,}bin/zfs rPx,
- /{usr/,}{local/,}{s,}bin/zpool rPx,
+ /etc/grub.d/{**,} rix,
 /boot/{**,} r,
 /boot/grub/{**,} rw,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index c612f740c..58556391d 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -87,6 +87,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/dnsmasq rPx,
 /{usr/,}bin/resolvconf rPx,
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}lib/nm-dhcp-helper rPx,
diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
index 12254a2cc..b6ffe7f3d 100644
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@@ -22,9 +22,9 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
 /{usr/,}bin/{m,g,}awk rix,
 /{usr/,}bin/bash rix,
+ /{usr/,}bin/dirmngr rix,
 /{usr/,}bin/gpg rix,
 /{usr/,}bin/pacman-conf rix,
- /{usr/,}bin/dirmngr rix,
 /etc/pacman.conf r,
 /etc/pacman.d/*-mirrorlist r,
@@ -35,5 +35,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ /dev/tty rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index 32472fb93..af1531bb5 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -38,23 +38,20 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /etc/wpa_supplicant/wpa_supplicant.conf rw,
+ /etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
+ /etc/libnl/{classid,pktloc} r,
+
 @{HOME}/.cat_installer/*.pem r,
 owner @{run}/wpa_supplicant/{,**} rw,
- /etc/wpa_supplicant/wpa_supplicant.conf r,
- /etc/libnl/{classid,pktloc} r,
-
- /dev/rfkill r,
+ @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
 @{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
 @{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw,
- @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
-
- # For wpa_gui
- #/etc/wpa_supplicant/wpa_supplicant.conf w,
- #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
+ /dev/rfkill rw,
 include if exists
 }
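Review bot: Hunk @@ -38 of wpa-supplicant widens `/etc/wpa_supplicant/wpa_supplicant.conf` from `r` to `rw` and adds `wpa_supplicant.conf.tmp rw`, so the daemon may now rewrite its own configuration file (which typically holds network credentials) unconditionally; this is what the previously commented-out `# For wpa_gui` block enabled on demand, but that rationale is deleted along with it. Keeping the reason next to the new rules, `/etc/wpa_supplicant/wpa_supplicant.conf rw, # For wpa_gui`, makes clear the write is intentional config saving and not a leftover, and gives a reviewer something to tighten if the write is not needed on a given deployment. `/dev/rfkill` is likewise widened from `r` to `rw` without a note; if an audit entry drove that, a short comment would help too. The hunk includes the profile's closing `}`, so the whole tail of the body is visible here.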