From 8a381b2f6babcf429ba2edb7dcb25d772d9dbeab Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 23 Feb 2025 18:13:16 +0100
Subject: [PATCH] feat(profile): various update for ubuntu.

---
 apparmor.d/groups/apt/apt | 1 +
 apparmor.d/groups/apt/apt-methods-gpgv | 1 +
 apparmor.d/groups/apt/dpkg | 1 -
 apparmor.d/groups/apt/dpkg-preconfigure | 6 ++++++
 apparmor.d/groups/filesystem/lvm | 1 +
 apparmor.d/groups/firewall/firewalld | 2 +-
 apparmor.d/groups/polkit/polkitd | 1 +
 apparmor.d/groups/snap/snapd | 2 +-
 apparmor.d/groups/utils/login | 3 ++-
 apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 1 +
 apparmor.d/profiles-m-r/mkinitramfs | 11 +++++++----
 apparmor.d/profiles-m-r/needrestart | 2 +-
 apparmor.d/profiles-m-r/run-parts | 6 ++++++
 13 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index c0545f2ec..cbf1c4f9f 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -53,6 +53,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
          peer=(name="{:*,org.freedesktop.DBus}"),
   @{exec_path} mr,
+  @{python_path} mr,
   @{bin}/ r,
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index 4b2a15773..f4e77fa4d 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -84,6 +84,7 @@ profile apt-methods-gpgv @{exec_path} {
   owner @{tmp}/apt-key-gpghome.*/ rw,
   owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
   owner @{tmp}/apt.{conf,sig,data}.* rw,
+  owner @{tmp}/apt.@{rand6}.gpg rw,
   @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index dd87414bf..6d47e748b 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
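Review bot: `@{python_path} mr` only lets apt map the interpreter, it does not grant exec, so the rule cannot by itself run a Python helper confined as apt; the hunk gives no hint which hook or denial motivated it. If the intent is to run a Python-based apt hook inside this profile, that code would inherit everything apt is allowed and is probably better placed behind its own `rPx` transition; if it just silences a denial from an already-confined `ix` child, say so. A one-line comment above the rule, e.g. `# python hook mapped here because <hook> runs ix in this profile — keep ix, do not widen to rix for @{python_path}`, with the actual hook name filled in, would let the next reviewer judge that. Which hook is involved is not visible in the hunk and should be confirmed before the comment is written.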
@@ -37,7 +37,6 @@ profile dpkg @{exec_path} {
   @{pager_path} rPx -> child-pager,
   # Package maintainer's scripts
-  # Move it to a child profile once more transitions will be available
   /var/lib/dpkg/info/*.{config,templates} rPUx,
   /var/lib/dpkg/info/*.{preinst,postinst} rPUx,
   /var/lib/dpkg/info/*.{prerm,postrm} rPUx,
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 94b7603fa..30fc78445 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -23,14 +23,17 @@ profile dpkg-preconfigure @{exec_path} {
   @{bin}/{,e}grep rix,
   @{bin}/{,g,m}awk rix,
   @{bin}/cat rix,
+  @{bin}/debconf-escape rix,
   @{bin}/dialog rix,
   @{bin}/expr rix,
   @{bin}/locale rix,
+  @{bin}/readlink rix,
   @{bin}/sed rix,
   @{bin}/sort rix,
   @{bin}/stty rix,
   @{bin}/tr rix,
+  @{bin}/findmnt rPx,
   @{bin}/dpkg rPx -> child-dpkg,
   @{bin}/apt-extracttemplates rPx,
   @{bin}/whiptail rPx,
@@ -40,9 +43,12 @@ profile dpkg-preconfigure @{exec_path} {
   /etc/debconf.conf r,
   /etc/default/grub r,
+  /etc/default/mdadm r,
   /etc/inputrc r,
   /etc/locale.gen r,
+  /etc/mdadm/mdadm.conf r,
   /etc/shadow r,
+  /etc/ssh/sshd_config r,
   /var/lib/locales/supported.d/{,*} r,
diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm
index cff4ce186..75cd0de80 100644
--- a/apparmor.d/groups/filesystem/lvm
+++ b/apparmor.d/groups/filesystem/lvm
@@ -23,6 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
   ptrace (read),
+  mqueue getattr type=posix /,
   mqueue r type=posix /,
   @{exec_path} rm,
diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld
index 123dff77f..6d84dfe47 100644
--- a/apparmor.d/groups/firewall/firewalld
+++ b/apparmor.d/groups/firewall/firewalld
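Review bot: The new `/etc/ssh/sshd_config r` and `/etc/mdadm/mdadm.conf r` in the second dpkg-preconfigure hunk widen what this profile can read, right next to the pre-existing `/etc/shadow r`, without recording which package's debconf `.config` script needs them. Suggest a comment above the new entries, `# Read by package .config scripts that run confined in this profile (openssh-server, mdadm)`, so the rules can be retired when those scripts change; the attribution to openssh-server and mdadm is inferred from the paths and should be checked against the denial that prompted the change. Note also that `@{bin}/findmnt rPx` in the first hunk is a hard dependency on a `findmnt` profile being loaded, since `Px` denies the exec outright when no matching profile exists rather than falling back the way the `PUx` rules elsewhere in this set do.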
@@ -40,7 +40,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   @{bin}/kmod rix,
   @{bin}/modprobe rix,
   @{bin}/xtables-legacy-multi rix,
-  @{bin}/xtables-nft-multi rix,
+  @{bin}/xtables-nft-multi rmix,
   /usr/local/lib/@{python_name}/dist-packages/ r,
diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd
index 9b3db683f..649fe9ceb 100644
--- a/apparmor.d/groups/polkit/polkitd
+++ b/apparmor.d/groups/polkit/polkitd
@@ -53,6 +53,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   /var/lib/polkit{,-1}/localauthority/{,**} r,
   owner /var/lib/polkit{,-1}/.cache/ rw,
+  @{att}/@{run}/systemd/notify w,
   @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
   @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index dc80b17a4..273b68fc5 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -108,7 +108,7 @@ profile snapd @{exec_path} {
   /etc/modules-load.d/*snap* rw,
   /etc/systemd/system/{,**/} r,
   /etc/systemd/system/snap* rw,
-  /etc/systemd/user/{,**/} r,
+  /etc/systemd/user/{,**/} rw,
   /etc/systemd/user/**/*snap* rw,
   /etc/systemd/user/*snap* rw,
   /etc/udev/rules.d/{,*snap*} rw,
diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login
index a4d1b8cd2..f83c1687e 100644
--- a/apparmor.d/groups/utils/login
+++ b/apparmor.d/groups/utils/login
@@ -59,12 +59,13 @@ profile login @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/motd.legal-displayed rw,
+  @{att}/@{run}/systemd/sessions/@{int}.ref w,
+  @{run}/credentials/getty@tty@{int}.service/ r,
   @{run}/dbus/system_bus_socket rw,
   @{run}/faillock/@{user} rwk,
   @{run}/motd.d/{,*} r,
   @{run}/motd.dynamic{,.new} rw,
-  @{run}/systemd/sessions/*.ref rw,
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/1/limits r,
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
index e5c739bd5..fb9b75824 100644
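Review bot: Changing `/etc/systemd/user/{,**/} r` to `rw` lets snapd create and remove any directory under /etc/systemd/user, whereas every neighbouring write rule (`/etc/systemd/system/snap* rw`, `/etc/systemd/user/**/*snap* rw`, `/etc/systemd/user/*snap* rw`) is scoped to snap-named paths, so this is the one rule in the block that is not. If the need is only to create drop-in directories for snapd's own user units, keeping the directory rule at `r` and adding `/etc/systemd/user/**snap**/ rw,` preserves that scoping; if snapd genuinely creates arbitrarily named directories there, a comment saying which operation does so would justify the wider rule. The motivating denial is not visible in the hunk, so the narrower form is a proposal to test rather than a confirmed fix.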
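Review bot: In the login hunk, `@{run}/credentials/getty@tty@{int}.service/ r` grants a listing of the getty unit's systemd credentials directory and, because of the trailing `/`, nothing inside it; that is the right shape, and if a later denial shows login opening a file in that directory it should be added by name rather than as `**`, since credentials directories are where systemd hands secrets to units. Replacing `@{run}/systemd/sessions/*.ref rw` with `@{att}/@{run}/systemd/sessions/@{int}.ref w` is a tightening on both the glob and the mode; a comment such as `# logind session ref fifo, opened write-only to keep the session alive` would record why `w` alone is enough — the fifo semantics are inferred from logind's session-ref mechanism and worth confirming against the denial log.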
--- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
@@ -15,6 +15,7 @@ profile landscape-sysinfo.wrapper @{exec_path} {
   capability fsetid,
   @{exec_path} mr,
+  @{python_path} mr,
   @{sh_path} rix,
   @{bin}/bc rix,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 6585f6382..c377889c8 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} {
   capability fsetid,
   @{exec_path} r,
-  @{sh_path} rix,
+  @{sh_path} rix,
-  @{bin}/ r,
-  @{lib}/ r,
-  @{lib}64/ r,
+  @{bin}/ r,
+  @{lib}/ r,
   @{bin}/{,e}grep rix,
   @{bin}/basename rix,
@@ -43,6 +42,7 @@ profile mkinitramfs @{exec_path} {
   @{bin}/mkdir rix,
   @{bin}/mktemp rix,
   @{bin}/readlink rix,
+  @{bin}/realpath rix,
   @{bin}/rm rix,
   @{bin}/rmdir rix,
   @{bin}/sed rix,
@@ -60,6 +60,7 @@ profile mkinitramfs @{exec_path} {
   @{bin}/kmod rCx -> kmod,
   @{bin}/ldconfig rCx -> ldconfig,
   @{bin}/ldd rCx -> ldd,
+  @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd,
   @{lib}/ld-linux.so* rCx -> ldd,
   @{bin}/dpkg rPx -> child-dpkg,
@@ -108,6 +109,8 @@ profile mkinitramfs @{exec_path} {
     include
     @{bin}/ldd mr,
+    @{lib}/@{multiarch}/ld-linux-*so* mr,
+    @{lib}/ld-linux.so* mr,
     @{sh_path} rix,
     @{bin}/kmod mr,
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 41d327f93..397646c5e 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -84,7 +84,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   capability sys_resource,
   capability net_admin,
-  signal send set=term peer=systemd-tty-ask-password-agent,
+  signal send set=(cont term) peer=systemd-tty-ask-password-agent,
   @{bin}/systemd-tty-ask-password-agent Px,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index c20b305e1..d0ecbbd9e 100644
--- a/apparmor.d/profiles-m-r/run-parts
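Review bot: The new `@{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd` lets mkinitramfs invoke the dynamic loader directly, and when ld.so is given a program path it maps and runs that program inside the `ldd` child without any execve transition, so the `m` rules of that child (its body continues past the last hunk) are the only thing bounding what gets executed there. It is worth a comment on the rule, e.g. `# ld.so is run directly by the initramfs hook functions; anything passed to it runs under the ldd child`, and a check that the child carries no broad mapping rule such as `/** m` — whether the hook functions call ld.so with `--verify` or with a program argument is not visible here and should be confirmed. The glob `ld-linux-*so*` is also looser than the existing `ld-linux.so*`; `ld-linux-*.so.@{int}` matches the real loader names (`ld-linux-x86-64.so.2`, `ld-linux-aarch64.so.1`) without the open-ended suffix, and the same tightening applies to the `mr` line added in the child.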
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -38,6 +38,7 @@ profile run-parts @{exec_path} {
   /etc/anacrontab r,
   /etc/conf.d/snapper{,**} r,
   /etc/default/* r,
+  /etc/profile.d/{,**} r,
   /etc/snapper/configs/root r,
   # Crontab
@@ -159,6 +160,10 @@ profile run-parts @{exec_path} {
     include
     include
+    network inet dgram,
+    network inet6 dgram,
+    network netlink raw,
     @{sh_path} rix,
     @{bin}/{e,}grep rix,
     @{bin}/cat rix,
@@ -169,6 +174,7 @@ profile run-parts @{exec_path} {
     @{bin}/sort rix,
     @{bin}/tr rix,
     @{bin}/uname rix,
+    @{bin}/hostname rPx,
     @{bin}/snap rPUx,
     @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
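Review bot: The three `network` rules in the `@@ -159` hunk give the child profile (whose header is above the hunk) socket access without saying which script needs it; `inet`/`inet6` `dgram` plus `netlink raw` is the usual footprint of getaddrinfo() and interface enumeration, so presumably one of the motd scripts resolves the host name or lists addresses, and it is not `hostname`, which leaves the profile via `rPx` in the following hunk. Suggest a comment above the rules, `# name resolution / interface lookup by the motd scripts run in this child`, naming the script that produced the denial, so the rules can be dropped with it; the script involved is inferred and should be confirmed. `/etc/profile.d/{,**} r` in the first hunk reads every shell-profile snippet, including locally added ones, which is fine for a reader but worth the same one-line attribution.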