refractor: moce a lot of profiles inside they own groups.

2025-02-09 21:46:10 +01:00 · 2025-02-09 21:46:10 +01:00 · 9304c9a668
commit 9304c9a668
parent e5aad04be4
61 changed files with 1 additions and 9 deletions
--- a/apparmor.d/groups/apparmor/aa-enabled
+++ b/apparmor.d/groups/apparmor/aa-enabled
@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/aa-enabled
+profile aa-enabled @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  @{sys}/module/apparmor/parameters/enabled r,
+
+  owner @{PROC}/@{pid}/mounts r,
+
+  include if exists <local/aa-enabled>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/aa-enforce
+++ b/apparmor.d/groups/apparmor/aa-enforce
@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable
+profile aa-enforce @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/python>
+
+  capability dac_read_search,
+
+  @{exec_path} mr,
+
+  @{bin}/ r,
+  @{bin}/apparmor_parser     rPx,
+
+  /usr/share/terminfo/** r,
+
+  /etc/apparmor/logprof.conf r,
+  /etc/apparmor.d/{,**} rw,
+
+  @{etc_ro}/inputrc r,
+  @{etc_ro}/inputrc.keys r,
+
+  owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw,
+  owner /var/lib/snapd/apparmor/{,**} rw,
+
+  owner @{tmp}/@{rand8} rw,
+  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+
+  @{PROC}/@{pid}/fd/ r,
+
+  include if exists <local/aa-enforce>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/aa-log
+++ b/apparmor.d/groups/apparmor/aa-log
@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/aa-log
+profile aa-log @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability dac_read_search,
+
+  @{exec_path} mr,
+
+  @{bin}/journalctl rix,
+
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+
+  /var/log/audit/* r,
+  /var/log/syslog* r,
+
+  /{run,var}/log/journal/ r,
+  /{run,var}/log/journal/@{hex32}/{,*} r,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  /dev/tty@{int} rw,
+
+  include if exists <local/aa-log>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/aa-notify
+++ b/apparmor.d/groups/apparmor/aa-notify
@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/aa-notify
+profile aa-notify @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+  include <abstractions/python>
+
+  capability setgid,
+  capability setuid,
+  capability sys_ptrace,
+
+  ptrace read,
+
+  @{exec_path} mr,
+
+  @{bin}/ r,
+
+  /usr/share/terminfo/** r,
+
+  @{etc_ro}/inputrc r,
+  @{etc_ro}/inputrc.keys r,
+  /etc/apparmor.d/{,**} r,
+  /etc/apparmor/*.conf r,
+
+  /var/log/audit/audit.log r,
+
+  owner @{HOME}/.inputrc r,
+  owner @{HOME}/.terminfo/@{int}/dumb r,
+
+  owner @{tmp}/@{word8} rw,
+  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+
+  @{PROC}/ r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/cmdline r,
+
+  include if exists <local/aa-notify>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/aa-status
+++ b/apparmor.d/groups/apparmor/aa-status
@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status
+profile aa-status @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability dac_read_search,
+  capability sys_ptrace,
+
+  ptrace read,
+
+  @{exec_path} mr,
+
+  @{sys}/kernel/security/apparmor/profiles r,
+  @{sys}/module/apparmor/parameters/enabled r,
+
+        @{PROC}/ r,
+        @{PROC}/@{pids}/attr/apparmor/current r,
+        @{PROC}/@{pids}/attr/current r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/tty@{int} rw,
+
+  include if exists <local/aa-status>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/aa-teardown
+++ b/apparmor.d/groups/apparmor/aa-teardown
@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/aa-teardown
+profile aa-teardown @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability dac_read_search,
+
+  @{exec_path} mr,
+
+  @{sh_path}        rix,
+  @{lib}/apparmor/apparmor.systemd rPx,
+
+  /usr/share/terminfo/** r,
+
+  /dev/tty rw,
+
+  include if exists <local/aa-teardown>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/aa-unconfined
+++ b/apparmor.d/groups/apparmor/aa-unconfined
@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/aa-unconfined
+profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/python>
+
+  capability dac_read_search,
+  capability sys_ptrace,
+
+  ptrace read,
+
+  @{exec_path} mr,
+
+  @{bin}/          r,
+  @{bin}/netstat  Px,
+  @{bin}/ss       Px,
+
+  /usr/share/terminfo/** r,
+
+  /etc/apparmor/logprof.conf r,
+  @{etc_ro}/inputrc r,
+
+  owner @{tmp}/@{rand8} rw,
+  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+  owner /var/tmp/@{rand8} rw,
+
+        @{PROC}/ r,
+        @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pids}/attr/apparmor/current r,
+        @{PROC}/@{pids}/attr/current r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  include if exists <local/aa-unconfined>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/apparmor.systemd
+++ b/apparmor.d/groups/apparmor/apparmor.systemd
@ -0,0 +1,53 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/apparmor/apparmor.systemd
+profile apparmor.systemd @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability dac_read_search,
+  capability mac_admin,
+
+  @{exec_path} mr,
+
+  @{sh_path}                  rix,
+  @{bin}/{,e}grep             rix,
+  @{bin}/aa-status            rPx,
+  @{bin}/apparmor_parser      rPx,
+  @{bin}/getconf              rix,
+  @{bin}/ls                   rix,
+  @{bin}/sed                  rix,
+  @{bin}/cat                  rix,
+  @{bin}/sort                 rix,
+  @{bin}/sysctl               rix,
+  @{bin}/systemd-detect-virt  rPx,
+  @{bin}/xargs                rix,
+
+  @{lib}/apparmor/rc.apparmor.functions r,
+
+  /etc/apparmor.d/ r,
+
+  @{sys}/fs/cgroup/systemd/ r,
+  @{sys}/kernel/security/apparmor/{,**} r,
+  @{sys}/kernel/security/apparmor/.remove rw,
+  @{sys}/module/apparmor/ r,
+
+  @{PROC}/@{pids}/fd/ r,
+  @{PROC}/@{pids}/maps r,
+  @{PROC}/@{pids}/mounts r,
+  @{PROC}/mounts r,
+  @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
+
+  /dev/tty rw,
+
+  include if exists <local/apparmor.systemd>
+}
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apparmor/apparmor_parser
+++ b/apparmor.d/groups/apparmor/apparmor_parser
@ -0,0 +1,54 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
+
+@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
+profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability mac_admin,
+
+  @{exec_path} mr,
+
+  @{lib_dirs}/@{multiarch}/** mr,
+  @{lib_dirs}/snapd/apparmor.d/{,**} r,
+  @{lib_dirs}/snapd/apparmor/{,**} r,
+
+  /etc/apparmor.d/{,**} r,
+  /etc/apparmor.d/cache.d/{,**} rw,
+  /etc/apparmor/{,**} r,
+  /etc/apparmor/cache.d/{,**} rw,
+  /etc/apparmor/earlypolicy/{,**} rw,
+
+  /usr/share/apparmor-features/{,**} r,
+  /usr/share/apparmor/{,**} r,
+
+  owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} r,
+  owner /snap/core@{int}/@{int}/etc/apparmor/* r,
+  owner /var/cache/apparmor/{,**} rw,
+  owner /var/lib/docker/tmp/docker-default@{int} r,
+  owner /var/lib/snapd/apparmor/{,**} r,
+  owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
+
+  owner @{tmp}/cri-containerd.apparmor.d@{int} r,
+
+        @{sys}/kernel/security/apparmor/{,**} r,
+  owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
+
+        @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  deny network netlink raw, # file_inherit
+  deny /apparmor/.null rw,
+
+  include if exists <local/apparmor_parser>
+}
+
+# vim:syntax=apparmor