LVM and general update (#68)

* Small fixes * General update * Add LVM * Various small fixes * Add profile * Typo * sbin to regex * Date and time to extends * Read cmdline * Remove grep duplicate * Small fixes * Typo * Permissions for warning scripts * Add net_admin for multipath
2022-09-06 23:01:17 +02:00 · 2022-09-06 23:01:17 +02:00 · 9818daba5f
commit 9818daba5f
parent 1649b427f8
19 changed files with 237 additions and 49 deletions
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/blkdeactivate
+profile blkdeactivate @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} rm,
+  /{usr/,}{s,}bin/dmsetup rPUx,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/lsblk rPx,
+  /{usr/,}{s,}bin/lvm rPx,
+  /{usr/,}bin/sort rix,
+  /{usr/,}bin/umount rPx,
+
+  @{sys}/devices/virtual/block/*/holders/ r,
+
+  /dev/tty rw,
+
+  include if exists <local/blkdeactivate>
+}
+
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -23,47 +23,46 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  unix (receive) type=stream,

  @{exec_path} r,
-  /{usr/,}bin/{,ba,da}sh rix,
-
-  /{usr/,}bin/head       rix,
-  /{usr/,}bin/ls         rix,
-  /{usr/,}bin/uname      rix,
-  /{usr/,}bin/nproc      rix,
-  /{usr/,}bin/mktemp     rix,
-  /{usr/,}bin/cut        rix,
-  /{usr/,}bin/rm         rix,
-  /{usr/,}bin/sed        rix,
-  /{usr/,}bin/readlink   rix,
-  /{usr/,}bin/diff       rix,
-  /{usr/,}bin/wc         rix,
-  /{usr/,}bin/rmdir      rix,
-  /{usr/,}bin/find       rix,
-  /{usr/,}bin/{,e}grep   rix,
-  /{usr/,}bin/{,g,m}awk  rix,
-  /{usr/,}bin/cp         rix,
-  /{usr/,}bin/date       rix,
-  /{usr/,}bin/ln         rix,
-  /{usr/,}bin/mkdir      rix,
-  /{usr/,}bin/mv         rix,
  /{usr/,}bin/cat        rix,
+  /{usr/,}bin/cp         rix,
+  /{usr/,}bin/cut        rix,
+  /{usr/,}bin/date       rix,
+  /{usr/,}bin/diff       rix,
  /{usr/,}bin/echo       rix,
-  /{usr/,}bin/pwd        rix,
+  /{usr/,}bin/find       rix,
  /{usr/,}bin/getconf    rix,
-  /{usr/,}bin/xargs      rix,
-
-  /{usr/,}bin/make                             rix,
-  /{usr/,}bin/{,@{multiarch}-}*                rix,
-  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/*        rix,
-  /{usr/,}lib/llvm-[0-9]*/bin/clang            rix,
-
-  /{usr/,}bin/kmod        rCx -> kmod,
+  /{usr/,}bin/head       rix,
+  /{usr/,}bin/kmod       rCx -> kmod,
+  /{usr/,}bin/ln         rix,
+  /{usr/,}bin/ls         rix,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
+  /{usr/,}bin/make       rix,
+  /{usr/,}bin/mkdir      rix,
+  /{usr/,}bin/mktemp     rix,
+  /{usr/,}bin/mv         rix,
+  /{usr/,}bin/nproc      rix,
+  /{usr/,}bin/pwd        rix,
+  /{usr/,}bin/readlink   rix,
+  /{usr/,}bin/rm         rix,
+  /{usr/,}bin/rmdir      rix,
+  /{usr/,}bin/sed        rix,
+  /{usr/,}bin/uname      rix,
+  /{usr/,}bin/wc         rix,
+  /{usr/,}bin/xargs      rix,
+  /{usr/,}bin/{,@{multiarch}-}* rix,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/{,e,f}grep rix,
+  /{usr/,}bin/{,g,m}awk  rix,
+  /{usr/,}{,s}bin/update-secureboot-policy rPUx,

-  /{usr/,}lib/linux-kbuild-*/scripts/** rix,
-  /{usr/,}lib/modules/*/build/scripts/** rix,
-  /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
+  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/*             rix,
+  /{usr/,}lib/linux-kbuild-*/scripts/**             rix,
+  /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool  rix,
+  /{usr/,}lib/llvm-[0-9]*/bin/clang                 rix,
+  /{usr/,}lib/modules/*/build/scripts/**            rix,
  /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,

+  /var/lib/dkms/**/configure rix,
  /var/lib/dkms/**/dkms.postbuild rix,

  / r,
@ -113,6 +112,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {

    @{PROC}/cmdline r,

+    /etc/depmod.d/{,*} r,
+
    /{usr/,}lib/modules/*/modules.* rw,
    /var/lib/dkms/**/module/*.ko r,

--- a/apparmor.d/profiles-a-f/dkms-autoinstaller
+++ b/apparmor.d/profiles-a-f/dkms-autoinstaller
@ -25,6 +25,7 @@ profile dkms-autoinstaller @{exec_path} {
  # For shell pwd
  / r,

+  owner @{PROC}/cmdline r,

  profile run-parts {
    include <abstractions/base>
--- a/apparmor.d/profiles-a-f/dmeventd
+++ b/apparmor.d/profiles-a-f/dmeventd
@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/dmeventd
+profile dmeventd @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rm,
+
+  include if exists <local/dmeventd>
+}
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
@ -37,7 +38,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {

  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+       member={Changed,GetAll},

  dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
       interface=org.freedesktop.DBus.Properties
@ -52,7 +53,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
       member=GetAll,

  dbus receive bus=system path=/
-       interface=org.freedesktop.fwupd,
+       interface=org.freedesktop.fwupd
+       member=Changed,

  dbus receive bus=system path=/
       interface=org.freedesktop.DBus.Properties