feat(profile): general updtae.

2024-09-18 18:10:27 +01:00 · 2024-09-18 18:10:27 +01:00 · 7a53fc3a99
commit 7a53fc3a99
parent cc139f1144
27 changed files with 158 additions and 184 deletions
--- a/apparmor.d/groups/virt/cni-xtables-nft
+++ b/apparmor.d/groups/virt/cni-xtables-nft
@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Jeroen Rijken
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/xtables-nft-multi
-profile cni-xtables-nft {
-    include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/nameservice-strict>
-
-    capability net_admin,
-    capability net_raw,
-
-    network inet dgram,
-    network inet6 dgram,
-    network inet raw,
-    network inet6 raw,
-    network inet stream,
-    network inet6 stream,
-    network netlink raw,
-
-    @{exec_path} mr,
-    @{bin}/xtables-legacy-multi mr,
-  
-    /etc/libnl/classid r,
-    /etc/iptables/{,**} rw,
-    /etc/nftables.conf rw,
-
-    @{PROC}/@{pids}/net/ip_tables_names r,
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -26,11 +26,11 @@ profile cockpit-bridge @{exec_path} {

  ptrace read,

+  signal send set=term peer=cockpit-bridge//sudo,
  signal send set=term peer=cockpit-pcp,
  signal send set=term peer=dbus-daemon,
  signal send set=term peer=journalctl,
  signal send set=term peer=ssh-agent,
-  signal send set=term peer=sudo,
  signal send set=term peer=unconfined,

  @{exec_path} mr,
@ -41,24 +41,30 @@ profile cockpit-bridge @{exec_path} {
  @{bin}/ip                   ix,
  @{bin}/python3.@{int}       ix,
  @{bin}/test                 ix,
+  @{bin}/file                 ix,

+  @{bin}/chage                Px,
+  @{bin}/dmidecode            Px,
  @{bin}/findmnt              Px,
  @{bin}/journalctl           Px,
+  @{bin}/last                 Px,
  @{bin}/lastlog              Px,
+  @{bin}/lscpu                Px,
  @{bin}/passwd               Px,
  @{bin}/ssh-agent            Px,
-  @{bin}/sudo                 Px, # TODO: rCx -> privilieged ? or rix?
+  @{bin}/sudo                 Cx -> sudo,
  @{bin}/udevadm              Cx -> udevadm,
+  @{bin}/virsh               rPUx,
  @{bin}/virt-install        PUx, # TODO: rPx
  @{lib}/cockpit/cockpit-pcp  Px,
  @{lib}/cockpit/cockpit-ssh  Px,
-  @{bin}/virsh               rPUx,

  # The shell is not confined on purpose.
  @{bin}/@{shells}            Ux,

  /usr/{,local/}share/ r,
  /usr/share/cockpit/{,**} r,
+  /usr/share/file/** r,
  /usr/share/iproute2/* r,

  /etc/cockpit/{,**} r,
@ -70,7 +76,8 @@ profile cockpit-bridge @{exec_path} {
  /etc/shadow r,
  /etc/shells r,

-  / r,
+  / r, 
+  @{HOME}/ r,

  owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
  owner @{user_share_dirs}/ r,
@ -103,6 +110,18 @@ profile cockpit-bridge @{exec_path} {

  /dev/ptmx rw,

+  profile sudo {
+    include <abstractions/base>
+    include <abstractions/app/sudo>
+
+    signal (send receive) set=term peer=cockpit-bridge,
+
+    @{bin}/cockpit-bridge Px,
+    @{lib}/cockpit/cockpit-askpass Px,
+
+    include if exists <local/cockpit-bridge_sudo>
+  }
+
  profile udevadm {
    include <abstractions/base>
    include <abstractions/app/udevadm>
--- a/apparmor.d/groups/virt/cockpit-update-motd
+++ b/apparmor.d/groups/virt/cockpit-update-motd
@ -30,8 +30,6 @@ profile cockpit-update-motd @{exec_path} {
    capability net_admin,
    capability sys_ptrace,

-    @{PROC}/sys/kernel/cap_last_cap r,
-
    include if exists <local/cockpit-update-motd_systemctl>
  }

--- a/apparmor.d/groups/virt/xtables
+++ b/apparmor.d/groups/virt/xtables
@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi
+profile xtables {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability net_admin,
+  capability net_raw,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet raw,
+  network inet6 raw,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /usr/share/iproute2/{,**} r,
+
+  /etc/iproute2/{,**} r,
+  /etc/iptables/{,**} rw,
+  /etc/libnl/classid r,
+  /etc/nftables.conf rw,
+
+  @{run}/xtables.lock rwk,
+
+  @{PROC}/@{pids}/net/ip_tables_names r,
+
+  include if exists <local/xtables>
+}
+
+# vim:syntax=apparmor