felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): small update on core upgrade profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-25 01:09:08 +02:00
parent 649d2da8d2
commit 8c526b32c6
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
22 changed files with 94 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/apt/apt
View file

@ -36,7 +36,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
unix bind type=stream addr=@@{udbus}/bus/apt/system, unix bind type=stream addr=@@{udbus}/bus/apt/system,
unix type=stream peer=(label=snap), unix type=stream peer=(label=@{p_snap}),
unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
unix (send, receive) type=stream peer=(label=snapd), unix (send, receive) type=stream peer=(label=snapd),

8
apparmor.d/groups/apt/apt-methods-cdrom
View file

@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

8
apparmor.d/groups/apt/apt-methods-copy
View file

@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

10
apparmor.d/groups/apt/apt-methods-file
View file

@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=packagekitd, signal receive peer=@{p_packagekitd},
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

8
apparmor.d/groups/apt/apt-methods-ftp
View file

@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

12
apparmor.d/groups/apt/apt-methods-gpgv
View file

@ -20,12 +20,12 @@ profile apt-methods-gpgv @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=packagekitd, signal receive peer=@{p_packagekitd},
signal (receive) peer=role_*, signal receive peer=role_*,
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

18
apparmor.d/groups/apt/apt-methods-http
View file

@ -23,15 +23,15 @@ profile apt-methods-http @{exec_path} {
network inet6 stream, network inet6 stream,
network netlink raw, network netlink raw,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=packagekitd, signal receive peer=@{p_packagekitd},
signal (receive) peer=role_*, signal receive peer=role_*,
signal (receive) peer=synaptic, signal receive peer=synaptic,
signal (receive) peer=ubuntu-advantage, signal receive peer=ubuntu-advantage,
signal (receive) peer=unattended-upgrade, signal receive peer=unattended-upgrade,
signal (receive) peer=update-manager, signal receive peer=update-manager,
ptrace (read), ptrace (read),

10
apparmor.d/groups/apt/apt-methods-mirror
View file

@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=packagekitd, signal receive peer=@{p_packagekitd},
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

10
apparmor.d/groups/apt/apt-methods-rred
View file

@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=synaptic, signal receive peer=synaptic,
signal (receive) set=(int) peer=packagekitd, signal receive set=(int) peer=@{p_packagekitd},
@{exec_path} mr, @{exec_path} mr,

8
apparmor.d/groups/apt/apt-methods-rsh
View file

@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

12
apparmor.d/groups/apt/apt-methods-store
View file

@ -20,12 +20,12 @@ profile apt-methods-store @{exec_path} {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (receive) peer=apt-get, signal receive peer=apt-get,
signal (receive) peer=apt, signal receive peer=apt,
signal (receive) peer=aptitude, signal receive peer=aptitude,
signal (receive) peer=packagekitd, signal receive peer=@{p_packagekitd},
signal (receive) peer=role_*, signal receive peer=role_*,
signal (receive) peer=synaptic, signal receive peer=synaptic,
@{exec_path} mr, @{exec_path} mr,

4
apparmor.d/groups/apt/deb-systemd-helper
View file

@ -16,8 +16,8 @@ profile deb-systemd-helper @{exec_path} {
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
/etc/systemd/system/* w, /etc/systemd/system/{,**} rw,
/etc/systemd/user/* w, /etc/systemd/user/{,**} rw,
/var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw,
/var/lib/systemd/deb-systemd-helper-masked/{,**} rw, /var/lib/systemd/deb-systemd-helper-masked/{,**} rw,

2
apparmor.d/groups/grub/grub-install
View file

@ -44,7 +44,7 @@ profile grub-install @{exec_path} flags=(complain) {
@{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
@{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,
@{sys}/firmware/efi/efivars/Timeout-@{uuid} r, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/fw_platform_size r,
@{sys}/firmware/efi/w_platform_size r, @{sys}/firmware/efi/w_platform_size r,

7
apparmor.d/groups/grub/grub-mkdevicemap
View file

@ -10,9 +10,16 @@ include <tunables/global>
profile grub-mkdevicemap @{exec_path} { profile grub-mkdevicemap @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr, @{exec_path} mr,
@{PROC}/devices r,
/dev/mapper/control rw,
include if exists <local/grub-mkdevicemap> include if exists <local/grub-mkdevicemap>
} }

4
apparmor.d/profiles-a-f/e2scrub_all
View file

@ -17,8 +17,8 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} r, @{sh_path} mr,
@{bin}/readlink rix, @{bin}/readlink ix,
/etc/e2scrub.conf r, /etc/e2scrub.conf r,

41
apparmor.d/profiles-a-f/finalrd
View file

@ -20,27 +20,27 @@ profile finalrd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/cp rix, @{bin}/cp ix,
@{bin}/dirname rix, @{bin}/dirname ix,
@{bin}/env rix, @{bin}/env ix,
@{bin}/find rix, @{bin}/find ix,
@{bin}/grep rix, @{bin}/grep ix,
@{sbin}/ldconfig{,.real} rix, @{bin}/ln ix,
@{bin}/ln rix, @{bin}/mkdir ix,
@{bin}/mkdir rix, @{bin}/mount ix,
@{bin}/mount rix, @{bin}/readlink ix,
@{bin}/readlink rix, @{bin}/realpath ix,
@{bin}/realpath rix, @{bin}/rm ix,
@{bin}/rm rix, @{bin}/run-parts ix,
@{bin}/run-parts rix, @{bin}/sed ix,
@{bin}/sed rix, @{bin}/touch ix,
@{bin}/touch rix, @{sbin}/ldconfig{,.real} ix,
@{bin}/ldd rCx -> ldd, @{bin}/ldd Cx -> ldd,
@{bin}/systemd-tmpfiles rPx, @{bin}/systemd-tmpfiles Px,
@{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd,
@{lib}/systemd/systemd-shutdown rPx, @{lib}/systemd/systemd-shutdown Px,
/usr/share/finalrd/*.finalrd rix, /usr/share/finalrd/*.finalrd ix,
@{bin}/{,*} r, @{bin}/{,*} r,
@{lib}/{,*} r, @{lib}/{,*} r,
@ -65,6 +65,7 @@ profile finalrd @{exec_path} {
profile ldd { profile ldd {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{bin}/* mr, @{bin}/* mr,

2
apparmor.d/profiles-g-l/glib-compile-schemas
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/glib-compile-schemas @{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas
profile glib-compile-schemas @{exec_path} { profile glib-compile-schemas @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

1
apparmor.d/profiles-g-l/landscape-sysinfo
View file

@ -33,6 +33,7 @@ profile landscape-sysinfo @{exec_path} {
/var/log/landscape/{,**} rw, /var/log/landscape/{,**} rw,
@{run}/systemd/sessions/{,*} r,
@{run}/utmp rwk, @{run}/utmp rwk,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,

4
apparmor.d/profiles-g-l/logrotate
View file

@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
capability setgid, capability setgid,
capability setuid, capability setuid,
signal (send) set=(hup), signal send set=hup,
signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, signal send set=(term cont) peer=systemd-tty-ask-password-agent,
@{exec_path} mr, @{exec_path} mr,

3
apparmor.d/profiles-m-r/multipathd
View file

@ -20,7 +20,8 @@ profile multipathd @{exec_path} {
network netlink raw, network netlink raw,
unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
unix type=stream addr=@/org/kernel/linux/storage/multipathd,
@{exec_path} mr, @{exec_path} mr,

1
apparmor.d/profiles-m-r/pycompile
View file

@ -31,6 +31,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) {
/usr/share/python3/{,**} r, /usr/share/python3/{,**} r,
/ r, / r,
@{bin}/ r,
profile dpkg { profile dpkg {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-m-r/qemu-ga
View file

@ -12,7 +12,7 @@ profile qemu-ga @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
audit @{bin}/systemctl Cx -> systemctl, @{bin}/systemctl Cx -> systemctl,
/etc/qemu/qemu-ga.conf r, /etc/qemu/qemu-ga.conf r,