feat(profile): merge dpkg-script-* profile into dpkg-scripts.

This commit is contained in:
Alexandre Pujol 2025-09-14 20:39:38 +02:00
parent 5559670a37
commit 8c66d39a1e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 4 additions and 226 deletions


@ -1,74 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# TODO: merge with dpkg-scripts
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/apparmor*
profile dpkg-script-apparmor @{exec_path} {
include <abstractions/base>
include <abstractions/common/debconf>
capability dac_read_search,
@{exec_path} mrix,
@{bin}/{,e}grep ix,
@{bin}/cat ix,
@{bin}/chmod ix,
@{bin}/mkdir ix,
@{bin}/deb-systemd-helper Px,
@{bin}/dpkg-maintscript-helper Px,
@{bin}/dpkg Px -> child-dpkg,
@{bin}/deb-systemd-invoke Px,
@{bin}/dpkg-divert ix,
@{bin}/systemctl Cx -> systemctl,
@{sbin}/apparmor_parser Px,
/usr/share/apparmor.d/** rw,
/etc/apparmor.d/** rw,
/var/lib/dpkg/diversions rw,
/var/lib/dpkg/diversions-new rw,
/var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
/var/lib/dpkg/info/*.list r,
/var/lib/dpkg/info/format r,
/var/lib/dpkg/status r,
/var/lib/dpkg/triggers/File r,
/var/lib/dpkg/triggers/Unincorp r,
/var/lib/dpkg/updates/ r,
/var/lib/dpkg/updates/@{int} r,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
capability net_admin,
capability sys_resource,
capability dac_override,
capability dac_read_search,
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
@{bin}/systemd-tty-ask-password-agent rix,
@{run}/user/@{uid}/systemd/ask-password/ rw,
@{run}/user/@{uid}/systemd/ask-password-block/{,*} rw,
owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/{,*} rw,
include if exists <local/dpkg-script-apparmor_systemctl>
}
include if exists <local/dpkg-script-apparmor>
}
# vim:syntax=apparmor


@ -1,18 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/kmod*
profile dpkg-script-kmod @{exec_path} {
include <abstractions/base>
@{exec_path} mrix,
include if exists <local/dpkg-script-kmod>
}
# vim:syntax=apparmor


@ -1,56 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/linux*
profile dpkg-script-linux @{exec_path} {
include <abstractions/base>
include <abstractions/common/debconf>
capability dac_read_search,
@{exec_path} mrix,
@{bin}/cat ix,
@{bin}/mkdir ix,
@{bin}/rm ix,
@{bin}/run-parts ix,
@{bin}/stty ix,
@{bin}/deb-systemd-helper Px,
@{bin}/deb-systemd-invoke Px,
@{bin}/dpkg-maintscript-helper Px,
@{bin}/dpkg-trigger Px,
@{bin}/kmod Px,
@{bin}/linux-check-removal Px,
@{bin}/linux-update-symlinks Px,
@{bin}/systemctl Cx -> systemctl,
/usr/share/{update,reboot}-notifier/notify-reboot-required Px,
/etc/kernel/{,header_}postinst.d/* Px,
/etc/kernel/postrm.d/* Px,
/etc/kernel/preinst.d/* Px,
/etc/kernel/prerm.d/* Px,
/etc/kernel/*.d/ r,
@{lib}/linux/triggers/* w,
@{lib}/modules/*/.fresh-install w,
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
capability net_admin,
include if exists <local/dpkg-script-linux_systemctl>
}
include if exists <local/dpkg-script-linux>
}
# vim:syntax=apparmor


@ -1,77 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /var/lib/dpkg/info/systemd*
profile dpkg-script-systemd @{exec_path} {
include <abstractions/base>
include <abstractions/common/debconf>
capability dac_read_search,
@{exec_path} mrix,
@{coreutils_path} rix,
@{bin}/bootctl Px,
@{bin}/deb-systemd-helper Px,
@{bin}/deb-systemd-invoke Px,
@{bin}/dpkg Cx -> dpkg,
@{bin}/dpkg-divert Px,
@{bin}/dpkg-maintscript-helper Px,
@{bin}/journalctl Px,
@{bin}/kernel-install mrPx,
@{bin}/systemctl Cx -> systemctl,
@{bin}/systemd-machine-id-setup Px,
@{bin}/systemd-sysusers Px,
@{bin}/systemd-tmpfiles Px,
@{lib}/systemd/systemd-sysctl Px,
@{sbin}/pam-auth-update Px,
/etc/systemd/system/*.wants/ rw,
/etc/systemd/system/*.wants/* rw,
/etc/pam.d/sed@{rand6} rw,
/etc/pam.d/common-password rw,
@{efi}/ r,
/var/lib/systemd/{,*} rw,
/var/log/journal/ rw,
profile dpkg {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/common/apt>
capability dac_read_search,
@{bin}/dpkg mr,
/etc/dpkg/dpkg.cfg r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
include if exists <local/dpkg-script-systemd_dpkg>
}
profile systemctl {
include <abstractions/base>
include <abstractions/app/systemctl>
capability net_admin,
capability sys_resource,
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
@{bin}/systemd-tty-ask-password-agent Px,
include if exists <local/dpkg-script-systemd_systemctl>
}
include if exists <local/dpkg-script-systemd>
}
# vim:syntax=apparmor


@ -63,8 +63,10 @@ profile dpkg-scripts @{exec_path} {
/*/ r, /*/ r,
@{bin}/ r, @{bin}/ r,
@{bin}/* w, @{bin}/* w,
@{sbin}/ r,
@{sbin}/* w,
@{lib}/ r, @{lib}/ r,
@{lib}/** w, @{lib}/** wl -> @{lib}/**,
/opt/*/** rw, /opt/*/** rw,
#aa:lint ignore=too-wide #aa:lint ignore=too-wide
@ -80,6 +82,7 @@ profile dpkg-scripts @{exec_path} {
/tmp/grub.@{rand10} rw, /tmp/grub.@{rand10} rw,
/tmp/sed@{rand6} rw, /tmp/sed@{rand6} rw,
/tmp/tmp.@{rand10} rw, /tmp/tmp.@{rand10} rw,
/tmp/updateppds.@{rand6} rw,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mountinfo r,