feat(profile): various update for ubuntu.

2025-02-23 18:13:16 +01:00 · 2025-02-23 18:13:16 +01:00 · 8a381b2f6b
commit 8a381b2f6b
parent e9b022a9a1
13 changed files with 29 additions and 9 deletions
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} {
  capability fsetid,

  @{exec_path} r,
-  @{sh_path}        rix,
+  @{sh_path}   rix,

-  @{bin}/       r,
-  @{lib}/           r,
-  @{lib}64/         r,
+  @{bin}/ r,
+  @{lib}/ r,

  @{bin}/{,e}grep   rix,
  @{bin}/basename   rix,
@ -43,6 +42,7 @@ profile mkinitramfs @{exec_path} {
  @{bin}/mkdir      rix,
  @{bin}/mktemp     rix,
  @{bin}/readlink   rix,
+  @{bin}/realpath   rix,
  @{bin}/rm         rix,
  @{bin}/rmdir      rix,
  @{bin}/sed        rix,
@ -60,6 +60,7 @@ profile mkinitramfs @{exec_path} {
  @{bin}/kmod                 rCx -> kmod,
  @{bin}/ldconfig             rCx -> ldconfig,
  @{bin}/ldd                  rCx -> ldd,
+  @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd,
  @{lib}/ld-linux.so*         rCx -> ldd,

  @{bin}/dpkg          rPx -> child-dpkg,
@ -108,6 +109,8 @@ profile mkinitramfs @{exec_path} {
    include <abstractions/nameservice-strict>

    @{bin}/ldd mr,
+    @{lib}/@{multiarch}/ld-linux-*so* mr,
+    @{lib}/ld-linux.so* mr,

    @{sh_path}        rix,
    @{bin}/kmod mr,
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -84,7 +84,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
    capability sys_resource,
    capability net_admin,

-    signal send set=term peer=systemd-tty-ask-password-agent,
+    signal send set=(cont term) peer=systemd-tty-ask-password-agent,

    @{bin}/systemd-tty-ask-password-agent Px,

--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -38,6 +38,7 @@ profile run-parts @{exec_path} {
  /etc/anacrontab                                      r,
  /etc/conf.d/snapper{,**}                             r,
  /etc/default/*                                       r,
+  /etc/profile.d/{,**}                                 r,
  /etc/snapper/configs/root                            r,

  # Crontab
@ -159,6 +160,10 @@ profile run-parts @{exec_path} {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

+    network inet dgram,
+    network inet6 dgram,
+    network netlink raw,
+
    @{sh_path}        rix,
    @{bin}/{e,}grep   rix,
    @{bin}/cat        rix,
@ -169,6 +174,7 @@ profile run-parts @{exec_path} {
    @{bin}/sort       rix,
    @{bin}/tr         rix,
    @{bin}/uname      rix,
+    @{bin}/hostname   rPx,

    @{bin}/snap                                                   rPUx,
    @{lib}/ubuntu-release-upgrader/release-upgrade-motd            rPx,