From 96defe021c5bb238ef8f274db2fba7e3eefcbe56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Sep 2024 23:24:15 +0100 Subject: [PATCH] feat(abs): add the pkexec app abs. --- apparmor.d/abstractions/app/pkexec | 39 +++++++++++++++++++ apparmor.d/groups/apt/synaptic | 9 ++++- apparmor.d/groups/gnome/gnome-system-monitor | 3 +- apparmor.d/groups/ubuntu/apport-gtk | 9 ++++- apparmor.d/groups/ubuntu/update-notifier | 11 +++++- .../profiles-a-f/flatpak-session-helper | 9 ++++- apparmor.d/profiles-g-l/gsmartcontrol-root | 9 ++++- apparmor.d/profiles-m-r/pkexec | 32 ++------------- 8 files changed, 85 insertions(+), 36 deletions(-) create mode 100644 apparmor.d/abstractions/app/pkexec diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec new file mode 100644 index 000000000..2c3669bcc --- /dev/null +++ b/apparmor.d/abstractions/app/pkexec @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for pkexec. + + include + include + include + include + include + + capability audit_write, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + capability sys_resource, + + network netlink raw, # PAM + + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd + + @{bin}/pkexec mr, + + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, + /etc/shells r, + + owner @{PROC}/@{pid}/loginuid r, + + owner /dev/tty@{int} rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 2b8679c2a..6edd79767 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
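Review bot: The new abstraction grants `capability dac_override,` without a reason, and this capability did not exist in the standalone profile being trimmed on the last hunk (which only had `dac_read_search`); since every embedded `profile pkexec` child now pulls this abstraction in, each of those callers silently gains it as well. The file already annotates the netlink rule with `# PAM`, so the same style would do here, e.g. `capability dac_override, # TODO: which pkexec access needs this?`, or drop it if the standalone profile's set was sufficient. Note that the targets of the `include` lines are not visible in this view of the patch, so whether `abstractions/base` and `abstractions/app/pkexec` are the two includes used by the child profiles is inferred, not confirmed.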
@@ -48,7 +48,7 @@ profile synaptic @{exec_path} { @{bin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, @{bin}/tasksel rPx, @@ -110,6 +110,13 @@ profile synaptic @{exec_path} { deny @{bin}/gdbus x, deny @{user_share_dirs}/gvfs-metadata/{*,} r, + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8e79bd015..4d0a5dd5d 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -82,8 +82,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { profile pkexec { include - - @{bin}/pkexec mr, + include include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0fd5fb7d9..dddb1f890 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/md5sum rix, - @{bin}/pkexec rPx, # TODO: rCx or something + @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @@ -124,6 +124,13 @@ profile apport-gtk @{exec_path} { include if exists } + profile pkexec { + include + include + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 999502dbc..0487399fa 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
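Review bot: The embedded `profile pkexec { … }` added to synaptic carries no exec rule for the program pkexec is supposed to launch; as shown, the abstraction only grants `@{bin}/pkexec mr`, so in enforce mode the privileged child would be blocked at exec unless one of the stripped includes supplies it. The same gap appears in the apport-gtk hunk on this line and in the flatpak-session-helper and gsmartcontrol-root hunks on the next one; only update-notifier adds a target (`@{lib}/update-notifier/package-system-locked Px`). If the omission is intentional until denials are collected, say so in each child with a line such as `# TODO: add the program pkexec launches from synaptic` so the stub is not mistaken for a complete profile. The enclosing `profile synaptic` block starts and ends outside the hunk.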
@@ -53,7 +53,7 @@ profile update-notifier @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked + @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/systemctl rCx -> systemctl, @@ -85,6 +85,15 @@ profile update-notifier @{exec_path} { @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + @{lib}/update-notifier/package-system-locked Px, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 54b95b8e3..5f02a2fac 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -29,7 +29,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, @{bin}/getent rix, @{bin}/p11-kit rix, - @{bin}/pkexec rPx, # TODO: too wide, rCx. + @{bin}/pkexec rCx -> pkexec, @{bin}/printenv rix, @{bin}/ps rPx, @{bin}/test rix, @@ -46,6 +46,13 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 01b7d22e1..565634e10 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -17,7 +17,14 @@ profile gsmartcontrol-root @{exec_path} { @{bin}/which{,.debianutils} rix, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, + + profile pkexec { + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 49c762df9..d3e47a350 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
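Review bot: The `@{lib}/update-notifier/package-system-locked Px,` rule in update-notifier's new `profile pkexec` child requires a profile attached to that path, and the transition fails with an exec denial if none is loaded; whether such a profile exists is not visible in this patch. Confirm it is present, or document the expectation next to the rule, e.g. `@{lib}/update-notifier/package-system-locked Px, # profile: package-system-locked`. The enclosing `profile update-notifier` block starts and ends outside the hunk.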
@@ -8,31 +8,16 @@ abi , include @{exec_path} = @{bin}/pkexec -profile pkexec @{exec_path} { +profile pkexec @{exec_path} flags=(complain) { include - include - include - include - include - include + include - capability audit_write, - capability dac_read_search, - capability net_admin, - capability setgid, # gdbus - capability setuid, # gmain - capability sys_ptrace, - capability sys_resource, - audit deny capability sys_nice, - - network netlink raw, + audit capability sys_nice, signal (send) set=(term, kill) peer=polkit-agent-helper, ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd - @{exec_path} mr, @{bin}/* PUx, @@ -40,22 +25,11 @@ profile pkexec @{exec_path} { /opt/*/** PUx, /usr/share/** PUx, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/shells r, @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid r, - - # file_inherit - owner /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, - - # Silencer - deny @{user_share_dirs}/gvfs-metadata/* r, include if exists }
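Review bot: Two behavior changes in the standalone pkexec profile go beyond what the subject "add the pkexec app abs" describes: the profile header becomes `profile pkexec @{exec_path} flags=(complain) {`, and `audit deny capability sys_nice,` is replaced by `audit capability sys_nice,`, which flips the rule from a logged denial to a logged allow. Both deserve a sentence in the commit description, or a comment on the rule (`audit capability sys_nice, # was denied; allowed since <reason>`), so the deny→allow change is not lost in the move to the abstraction. Dropping `capability sys_ptrace` while keeping `ptrace (read),` and `@{PROC}/@{pids}/stat r,` may also surface as denials when pkexec inspects a process owned by another user; this is inferred from the rules, so worth checking once the profile leaves complain mode. The second hunk cuts the profile body, which ends outside this view.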