Profiles update.

2021-10-07 14:50:46 +01:00 · 2021-10-07 14:50:46 +01:00 · 9c8c2144b8
commit 9c8c2144b8
parent f7a08b666d
26 changed files with 186 additions and 136 deletions
--- a/apparmor.d/profiles-a-f/apparmor.systemd
+++ b/apparmor.d/profiles-a-f/apparmor.systemd
@ -9,21 +9,33 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd
 profile apparmor.systemd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>

  @{exec_path} mr,

-  /{usr/,}bin/{,ba,da}sh        rix,
-  /{usr/,}{s,}bin/aa-status     rPx,
-  /{usr/,}sbin/apparmor_parser  rPx,
-
+  /{usr/,}bin/{,ba,da}sh           rix,
+  /{usr/,}bin/getconf              rix,
+  /{usr/,}bin/grep                 rix,
+  /{usr/,}bin/ls                   rix,
+  /{usr/,}bin/xargs                rix,
+  /{usr/,}{s,}bin/aa-status        rPx,
+  /{usr/,}{s,}bin/apparmor_parser  rPx,
+  
  /{usr/,}lib/apparmor/rc.apparmor.functions r,

+  /etc/apparmor.d/ r,
+
  @{sys}/fs/cgroup/systemd/ r,
  @{sys}/kernel/security/apparmor/{,**} r,
  @{sys}/module/apparmor/ r,

+  @{PROC}/@{pids}/fd/ r,
+  @{PROC}/@{pids}/maps r,
+  @{PROC}/@{pids}/mounts r,
  @{PROC}/filesystems r,
  @{PROC}/mounts r,

+  /dev/tty rw,
+
  include if exists <local/apparmor.systemd>
 }
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}{s,}bin/dkms
-profile dkms @{exec_path} {
+profile dkms @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

@ -96,6 +96,9 @@ profile dkms @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/sys/kernel/osrelease r,

+  # Inherit silencer
+  deny /apparmor/.null rw,
+
  profile kmod {
    include <abstractions/base>
    include <abstractions/consoles>
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -32,6 +32,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /{usr/,}bin/gpgsm       rCx -> gpg,

  /etc/pki/fwupd/** r,
+  /etc/pki/fwupd-metadata/** r,
  /etc/fwupd/** r,
  /usr/share/fwupd/** r,

@ -73,7 +74,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
  @{sys}/firmware/efi/** r,
  @{sys}/firmware/efi/efivars/BootNext-* rw,
-  @{sys}/firmware/efi/efivars/fwupd-ux-capsule-* rw,
+  @{sys}/firmware/efi/efivars/fwupd-* rw,
  @{sys}/kernel/security/lockdown r,
  @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
  @{sys}/power/mem_sleep r,
@ -90,6 +91,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

+    capability dac_read_search,
+
    /{usr/,}bin/gpg        mr,
    /{usr/,}bin/gpgconf    mr,
    /{usr/,}bin/gpgsm      mr,