From 7abbf548a2f4bca6e1b7a7b1bb40907da0e2b68a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 13 Mar 2025 19:18:03 +0100
Subject: [PATCH] feat(profile): add netplan-generate.
---
 apparmor.d/groups/network/netplan-generate | 48 ++++++++++++++++++++++
 apparmor.d/groups/network/netplan.script | 25 +----------
 2 files changed, 49 insertions(+), 24 deletions(-)
 create mode 100644 apparmor.d/groups/network/netplan-generate
diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate
new file mode 100644
index 000000000..738fbeb8f
--- /dev/null
+++ b/apparmor.d/groups/network/netplan-generate
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/netplan/generate
+profile netplan-generate @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+
+ capability chown,
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /etc/netplan/{,*} r,
+
+ @{run}/systemd/generator/multi-user.target.wants/ w,
+ @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w,
+ @{run}/systemd/generator/netplan.stamp w,
+ @{run}/systemd/generator/network-online.target.wants/ w,
+ @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w,
+ @{run}/systemd/network/ r,
+ @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
+ @{run}/systemd/system/ r,
+ @{run}/systemd/system/netplan-* rw,
+ @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
+ @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
+ @{run}/systemd/system/systemd-networkd.service.wants/ rw,
+ @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
+
+ @{run}/udev/rules.d/ r,
+ @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
+
+ @{sys}/devices/**/net/*/address r,
+
+
+ @{run}/udev/rules.d/ r,
+ @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 989f2ee09..15aae42d7 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
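Review bot: The new profile lists the udev rules pair twice — `@{run}/udev/rules.d/ r,` and `@{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,` appear once after the systemd rules and again, after two consecutive blank lines, just before the `include if exists` line; the second copy and one of the blank lines should be dropped. Separately, the netplan.script hunk below removes `@{run}/netplan/ r,` and the three `@{run}/NetworkManager/...` rules together with the rules that were moved here, but none of those four reappears in this profile; if `@{lib}/netplan/generate` is the process that writes the NetworkManager keyfiles under the NetworkManager renderer, the new `rPx` transition will now confine it without those paths and the writes will be denied. Either carry them into this profile or confirm that only netplan.script touches them before the old rules are dropped.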
@@ -9,41 +9,18 @@ include @{exec_path} = /usr/share/netplan/netplan.script profile netplan.script @{exec_path} flags=(attach_disconnected) { include - include include - network netlink raw, - @{exec_path} mr, - @{lib}/netplan/generate rix, + @{lib}/netplan/generate rPx, @{bin}/udevadm rCx -> udevadm, @{bin}/systemctl rCx -> systemctl, /usr/share/netplan/{,**} r, - /etc/netplan/{,*} r, - @{run}/netplan/ r, - @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw, - @{run}/NetworkManager/system-connections/ rw, - @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, - - @{run}/systemd/network/ r, - @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, - @{run}/systemd/system/ r, - @{run}/systemd/system/netplan-* rw, - @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, - @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, - @{run}/systemd/system/systemd-networkd.service.wants/ rw, - @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, - - @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, - - @{sys}/devices/**/net/*/address r, - profile udevadm { include include