felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): small update on core upgrade profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-25 01:09:08 +02:00
parent 649d2da8d2
commit 8c526b32c6
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
22 changed files with 94 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/apt/apt
View file

@ -36,7 +36,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
unix bind type=stream addr=@@{udbus}/bus/apt/system,
unix type=stream peer=(label=snap),
unix type=stream peer=(label=@{p_snap}),
unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
unix (send, receive) type=stream peer=(label=snapd),

8
apparmor.d/groups/apt/apt-methods-cdrom
View file

@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal receive peer=apt,
signal receive peer=apt-get,
signal receive peer=aptitude,
signal receive peer=synaptic,
@{exec_path} mr,

8
apparmor.d/groups/apt/apt-methods-copy
View file

@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal receive peer=apt,
signal receive peer=apt-get,
signal receive peer=aptitude,
signal receive peer=synaptic,
@{exec_path} mr,

10
apparmor.d/groups/apt/apt-methods-file
View file

@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=synaptic,
signal receive peer=apt-get,
signal receive peer=apt,
signal receive peer=aptitude,
signal receive peer=@{p_packagekitd},
signal receive peer=synaptic,
@{exec_path} mr,

8
apparmor.d/groups/apt/apt-methods-ftp
View file

@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal receive peer=apt,
signal receive peer=apt-get,
signal receive peer=aptitude,
signal receive peer=synaptic,
@{exec_path} mr,

12
apparmor.d/groups/apt/apt-methods-gpgv
View file

@ -20,12 +20,12 @@ profile apt-methods-gpgv @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=role_*,
signal (receive) peer=synaptic,
signal receive peer=apt-get,
signal receive peer=apt,
signal receive peer=aptitude,
signal receive peer=@{p_packagekitd},
signal receive peer=role_*,
signal receive peer=synaptic,
@{exec_path} mr,

18
apparmor.d/groups/apt/apt-methods-http
View file

@ -23,15 +23,15 @@ profile apt-methods-http @{exec_path} {
network inet6 stream,
network netlink raw,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=role_*,
signal (receive) peer=synaptic,
signal (receive) peer=ubuntu-advantage,
signal (receive) peer=unattended-upgrade,
signal (receive) peer=update-manager,
signal receive peer=apt-get,
signal receive peer=apt,
signal receive peer=aptitude,
signal receive peer=@{p_packagekitd},
signal receive peer=role_*,
signal receive peer=synaptic,
signal receive peer=ubuntu-advantage,
signal receive peer=unattended-upgrade,
signal receive peer=update-manager,
ptrace (read),

10
apparmor.d/groups/apt/apt-methods-mirror
View file

@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=synaptic,
signal receive peer=apt-get,
signal receive peer=apt,
signal receive peer=aptitude,
signal receive peer=@{p_packagekitd},
signal receive peer=synaptic,
@{exec_path} mr,

10
apparmor.d/groups/apt/apt-methods-rred
View file

@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal (receive) set=(int) peer=packagekitd,
signal receive peer=apt,
signal receive peer=apt-get,
signal receive peer=aptitude,
signal receive peer=synaptic,
signal receive set=(int) peer=@{p_packagekitd},
@{exec_path} mr,

8
apparmor.d/groups/apt/apt-methods-rsh
View file

@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt,
signal (receive) peer=apt-get,
signal (receive) peer=aptitude,
signal (receive) peer=synaptic,
signal receive peer=apt,
signal receive peer=apt-get,
signal receive peer=aptitude,
signal receive peer=synaptic,
@{exec_path} mr,

12
apparmor.d/groups/apt/apt-methods-store
View file

@ -20,12 +20,12 @@ profile apt-methods-store @{exec_path} {
capability setgid,
capability setuid,
signal (receive) peer=apt-get,
signal (receive) peer=apt,
signal (receive) peer=aptitude,
signal (receive) peer=packagekitd,
signal (receive) peer=role_*,
signal (receive) peer=synaptic,
signal receive peer=apt-get,
signal receive peer=apt,
signal receive peer=aptitude,
signal receive peer=@{p_packagekitd},
signal receive peer=role_*,
signal receive peer=synaptic,
@{exec_path} mr,

4
apparmor.d/groups/apt/deb-systemd-helper
View file

@ -16,8 +16,8 @@ profile deb-systemd-helper @{exec_path} {
@{bin}/systemctl rCx -> systemctl,
/etc/systemd/system/* w,
/etc/systemd/user/* w,
/etc/systemd/system/{,**} rw,
/etc/systemd/user/{,**} rw,
/var/lib/systemd/deb-systemd-helper-enabled/{,**} rw,
/var/lib/systemd/deb-systemd-helper-masked/{,**} rw,

2
apparmor.d/groups/grub/grub-install
View file

@ -44,7 +44,7 @@ profile grub-install @{exec_path} flags=(complain) {
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
@{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,
@{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r,
@{sys}/firmware/efi/w_platform_size r,

7
apparmor.d/groups/grub/grub-mkdevicemap
View file

@ -10,9 +10,16 @@ include <tunables/global>
profile grub-mkdevicemap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
capability sys_admin,
@{exec_path} mr,
@{PROC}/devices r,
/dev/mapper/control rw,
include if exists <local/grub-mkdevicemap>
}

4
apparmor.d/profiles-a-f/e2scrub_all
View file

@ -17,8 +17,8 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{sh_path} r,
@{bin}/readlink rix,
@{sh_path} mr,
@{bin}/readlink ix,
/etc/e2scrub.conf r,

41
apparmor.d/profiles-a-f/finalrd
View file

@ -20,27 +20,27 @@ profile finalrd @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cp rix,
@{bin}/dirname rix,
@{bin}/env rix,
@{bin}/find rix,
@{bin}/grep rix,
@{sbin}/ldconfig{,.real} rix,
@{bin}/ln rix,
@{bin}/mkdir rix,
@{bin}/mount rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/rm rix,
@{bin}/run-parts rix,
@{bin}/sed rix,
@{bin}/touch rix,
@{bin}/cp ix,
@{bin}/dirname ix,
@{bin}/env ix,
@{bin}/find ix,
@{bin}/grep ix,
@{bin}/ln ix,
@{bin}/mkdir ix,
@{bin}/mount ix,
@{bin}/readlink ix,
@{bin}/realpath ix,
@{bin}/rm ix,
@{bin}/run-parts ix,
@{bin}/sed ix,
@{bin}/touch ix,
@{sbin}/ldconfig{,.real} ix,
@{bin}/ldd rCx -> ldd,
@{bin}/systemd-tmpfiles rPx,
@{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd,
@{lib}/systemd/systemd-shutdown rPx,
/usr/share/finalrd/*.finalrd rix,
@{bin}/ldd Cx -> ldd,
@{bin}/systemd-tmpfiles Px,
@{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd,
@{lib}/systemd/systemd-shutdown Px,
/usr/share/finalrd/*.finalrd ix,
@{bin}/{,*} r,
@{lib}/{,*} r,
@ -65,6 +65,7 @@ profile finalrd @{exec_path} {
profile ldd {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
@{bin}/* mr,

2
apparmor.d/profiles-g-l/glib-compile-schemas
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/glib-compile-schemas
@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas
profile glib-compile-schemas @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

1
apparmor.d/profiles-g-l/landscape-sysinfo
View file

@ -33,6 +33,7 @@ profile landscape-sysinfo @{exec_path} {
/var/log/landscape/{,**} rw,
@{run}/systemd/sessions/{,*} r,
@{run}/utmp rwk,
@{sys}/class/hwmon/ r,

4
apparmor.d/profiles-g-l/logrotate
View file

@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
capability setgid,
capability setuid,
signal (send) set=(hup),
signal (send) set=(term cont) peer=systemd-tty-ask-password-agent,
signal send set=hup,
signal send set=(term cont) peer=systemd-tty-ask-password-agent,
@{exec_path} mr,

3
apparmor.d/profiles-m-r/multipathd
View file

@ -20,7 +20,8 @@ profile multipathd @{exec_path} {
network netlink raw,
unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
unix type=stream addr=@/org/kernel/linux/storage/multipathd,
@{exec_path} mr,

1
apparmor.d/profiles-m-r/pycompile
View file

@ -31,6 +31,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) {
/usr/share/python3/{,**} r,
/ r,
@{bin}/ r,
profile dpkg {
include <abstractions/base>

2
apparmor.d/profiles-m-r/qemu-ga
View file

@ -12,7 +12,7 @@ profile qemu-ga @{exec_path} {
@{exec_path} mr,
audit @{bin}/systemctl Cx -> systemctl,
@{bin}/systemctl Cx -> systemctl,
/etc/qemu/qemu-ga.conf r,