From 9d81f5e88fa7c8ba2ba3cd8338d9664aeb3a135b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 14 Jun 2022 19:06:34 +0100 Subject: [PATCH] feat(profiles): reorganise the cron & run-parts profiles. --- apparmor.d/groups/cron/cron | 95 ++++----------------- apparmor.d/groups/cron/cron-anacron | 19 +++++ apparmor.d/groups/cron/cron-apport | 22 +++++ apparmor.d/profiles-m-r/run-parts | 126 ++++++++++++++++++++++------ 4 files changed, 157 insertions(+), 105 deletions(-) create mode 100644 apparmor.d/groups/cron/cron-anacron create mode 100644 apparmor.d/groups/cron/cron-apport diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index f222d87c3..3c77eca7b 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -10,14 +10,15 @@ include @{exec_path} = /{usr/,}{s,}bin/cron profile cron @{exec_path} { include - include + include include + include include - capability setuid, - capability setgid, - capability dac_read_search, capability audit_write, + capability dac_read_search, + capability setgid, + capability setuid, capability sys_resource, network netlink raw, 
@@ -26,36 +27,21 @@ profile cron @{exec_path} { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/nice rix, - /{usr/,}bin/ionice rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/nice rix, + /{usr/,}bin/ionice rix, + /{usr/,}bin/run-parts rPx, - /etc/crontab r, - - # All stuff that is executed via the /etc/cron.d/ dir - /etc/cron.d/{,*} r, - /{usr/,}sbin/cron-apt rPx, - /{usr/,}bin/debsecan rPx, /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - /{usr/,}sbin/e2scrub_all rPUx, - /etc/cron.daily/popularity-contest rPx, /{usr/,}lib/sysstat/debian-sa1 rPUx, - /{usr/,}{s,}bin/sendmail rPUx, - - # All stuff that is executed via the user crontab files - /{usr/,}bin/apt-file rPx, - /{usr/,}bin/apt-key rPx, - /{usr/,}bin/rsync rPUx, /usr/share/rsync/scripts/rrsync rPUx, - /{usr/,}bin/gpg rPx, - /{usr/,}sbin/update-pciids rPx, - /{usr/,}bin/borg rPx, + /usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY - # Cron scripts in the /etc/cron.*/ dir to execute - /{usr/,}bin/run-parts rCx -> run-parts, - - # Send results using email - /{usr/,}sbin/exim4 rPx, + /etc/cron.d/{,*} r, + /etc/crontab r, + /etc/default/locale r, + /etc/environment r, + /etc/security/limits.d/{,**} r, /var/spool/cron/crontabs/{,*} r, 
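Review bot: The added rule `/usr/local/lib/pki/pki-realm rPUx, # TODO: FIXME: NO COMMIT ZENFRA ONLY` should not be part of this commit: its own comment marks it as a local, do-not-commit entry, and it gives the cron profile an exec transition with unconfined fallback to a path under /usr/local that no distribution package manages and no profile in this patch covers. Drop the line before merging; a site-specific rule of this kind belongs in a local override file rather than in the upstream profile. Separately, replacing `rCx -> run-parts` with `/{usr/,}bin/run-parts rPx,` means cron jobs in /etc/cron.* now run under the standalone run-parts profile whose rule set is shared with every other caller of run-parts, which is worth a one-line comment here so the widening is deliberate rather than incidental.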
@@ -66,56 +52,7 @@ profile cron @{exec_path} { owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw, - - /etc/environment r, - - /etc/default/locale r, - - @{PROC}/1/limits r, - /etc/security/limits.d/ r, - - profile run-parts { - include - - /{usr/,}bin/run-parts mr, - - /etc/cron.{hourly,daily,weekly,monthly}/ r, - /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx, - /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, - /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx, - /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, - /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx, - /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, - /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, - /etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/man-db rPx, - /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, - /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, - /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx, - /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, - /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, - /etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx, - - #/etc/cron.{hourly,daily,weekly,monthly}/opera-browser rPUx, - #/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable} rPUx, - #/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx, - #/opt/brave.com/brave/cron/brave-browser{,-beta,-dev} 
rPUx, - #/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev} rPUx, - - # file_inherit - owner /tmp/#[0-9]*[0-9] rw, - - include if exists - } + @{PROC}/1/limits r, include if exists } diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron new file mode 100644 index 000000000..f4aa8d127 --- /dev/null +++ b/apparmor.d/groups/cron/cron-anacron @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/0anacron +profile cron-anacron @{exec_path} { + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{s,}bin/anacron rPx, + + include if exists +} diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport new file mode 100644 index 000000000..387fa9386 --- /dev/null +++ b/apparmor.d/groups/cron/cron-apport @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apport +profile cron-apport @{exec_path} { + include + + @{exec_path} r, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/find rix, + + / r, + /var/crash/ r, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index ee622d5ab..f3a048c43 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts 
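Review bot: `/{usr/,}{s,}bin/anacron rPx,` in the new cron-anacron profile only works if a profile is attached to the anacron binary; with `Px` AppArmor denies the exec when no matching profile is loaded, unlike the `PUx` fallback used for the other unmanaged targets in this patch. Confirm that an anacron profile ships with this set (none is visible in this patch) or record the dependency above the rule, e.g. `# Requires the anacron profile to be loaded`. The dispatcher rule added to run-parts (`/etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx`) already relies on this new profile, so the whole chain cron -> run-parts -> cron-anacron -> anacron fails at the last step if that profile is missing.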
@@ -14,59 +14,130 @@ profile run-parts @{exec_path} { @{exec_path} mr, - # This is for motd PAM module (see: /etc/pam.d/login) when "noupdate" isn't specified + # Crontrab + /etc/cron.{hourly,daily,weekly,monthly}/ r, + /etc/cron.{hourly,daily,weekly,monthly}/0anacron rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apport rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-compat rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions rPx, + /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index rPx, + /etc/cron.{hourly,daily,weekly,monthly}/aptitude rPx, + /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/checksecurity rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime rPx, + /etc/cron.{hourly,daily,weekly,monthly}/debsums rPx, + /etc/cron.{hourly,daily,weekly,monthly}/debtags rPx, + /etc/cron.{hourly,daily,weekly,monthly}/dlocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/dpkg rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/etckeeper rPx, + /etc/cron.{hourly,daily,weekly,monthly}/exim4-base rPx, + /etc/cron.{hourly,daily,weekly,monthly}/logrotate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/man-db rPx, + /etc/cron.{hourly,daily,weekly,monthly}/mlocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/passwd rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/plocate rPx, + /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest rPx, + /etc/cron.{hourly,daily,weekly,monthly}/spamassassin rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/sysstat rPx, + /etc/cron.{hourly,daily,weekly,monthly}/tor rPUx, + /etc/cron.{hourly,daily,weekly,monthly}/vrms rPUx, + + # Network + /etc/network/if-down.d/ r, + /etc/network/if-down.d/openvpn rPUx, + /etc/network/if-down.d/resolvconf rPUx, + /etc/network/if-down.d/wpasupplicant rPUx, + + /etc/hostapd/ifupdown.sh rPUx, + /etc/macchanger/ifupdown.sh rPUx, + /etc/wpa_supplicant/ifupdown.sh rPUx, + + 
/etc/network/if-post-down.d/ r, + /etc/network/if-post-down.d/bridge rPUx, + /etc/network/if-post-down.d/chrony rPUx, + /etc/network/if-post-down.d/hostapd rPUx, + /etc/network/if-post-down.d/ifenslave rPUx, + /etc/network/if-post-down.d/macchanger rPUx, + /etc/network/if-post-down.d/wireless-tools rPUx, + /etc/network/if-post-down.d/wpasupplicant rPUx, + + /etc/network/if-pre-up.d/ r, + /etc/network/if-pre-up.d/bridge rPUx, + /etc/network/if-pre-up.d/ethtool rPUx, + /etc/network/if-pre-up.d/hostapd rPUx, + /etc/network/if-pre-up.d/ifenslave rPUx, + /etc/network/if-pre-up.d/macchanger rPUx, + /etc/network/if-pre-up.d/random-secret rPUx, + /etc/network/if-pre-up.d/wireless-tools rPUx, + /etc/network/if-pre-up.d/wpasupplicant rPUx, + + /etc/network/if-up.d/ r, + /etc/network/if-up.d/*resolvconf rPUx, + /etc/network/if-up.d/avahi-autoipd rPUx, + /etc/network/if-up.d/chrony rPUx, + /etc/network/if-up.d/ethtool rPUx, + /etc/network/if-up.d/ifenslave rPUx, + /etc/network/if-up.d/openvpn rPUx, + /etc/network/if-up.d/wpasupplicant rPUx, + + # Motd /etc/update-motd.d/ r, /etc/update-motd.d/[0-9]*-[a-z]* rCx -> motd, - # The "/etc/kernel/" dirs are for the pre/post scripts of the linux-{header,image} packages + # Kernel /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel-pre-post, + /etc/kernel/header_postinst.d/dkms rCx -> kernel, /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel-pre-post, - /etc/kernel/postinst.d/dkms rCx -> kernel-pre-post, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel-pre-post, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel-pre-post, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel-pre-post, + /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, + /etc/kernel/postinst.d/dkms rCx -> kernel, + /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, + /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, + /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, 
/etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel-pre-post, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel-pre-post, + /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, + /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel-pre-post, + /etc/kernel/preinst.d/intel-microcode rCx -> kernel, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel-pre-post, - - /etc/molly-guard/run.d/ r, - /etc/cron.hourly/ r, + /etc/kernel/prerm.d/dkms rCx -> kernel, owner /tmp/#[0-9]*[0-9] rw, - + owner /tmp/file* rw, profile motd { include - / r, - /etc/update-motd.d/[0-9]*-[a-z]* r, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/find rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/id rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, + /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd rPx, + /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot rPx, + /{usr/,}lib/update-notifier/update-motd-reboot-required rix, /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + / r, + /etc/lsb-release r, + /etc/update-motd.d/[0-9]*-[a-z]* r, + + /var/lib/update-notifier/updates-available r, + } - profile kernel-pre-post { + profile kernel { include include - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/cat rix, 
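Review bot: Folding every caller of run-parts into one standalone profile makes its rule set the union of all callers' needs, so a run-parts started by cron (reached through the new `rPx` in the cron profile) now carries exec permission for the whole `/etc/network/if-*.d/` hook set, most of it `rPUx` with an unconfined fallback, even though cron never dispatches those hooks. If the separation the old `rCx -> run-parts` child provided is worth keeping, consider per-caller children (cron keeping a child limited to the `/etc/cron.*/` rules) instead of one shared profile, or at least state the trade-off in a comment at the top of the rule block. Two smaller points in the same hunk: the section comment `# Crontrab` should read `# Crontab`, and `owner /tmp/file* rw,` is a wide pattern whose purpose is not stated, so a why-comment naming the script that needs it (presumably a mktemp user, to be verified) would help the next reader. The `profile kernel` child opened at the end of this hunk continues outside it.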
@@ -85,17 +156,20 @@ profile run-parts @{exec_path} { /{usr/,}bin/uname rix, /{usr/,}bin/which{,.debianutils} rix, + /{usr/,}{s,}bin/dkms rPx, + /{usr/,}{s,}bin/update-grub rPUx, + /{usr/,}{s,}bin/update-initramfs rPx, /{usr/,}bin/apt-config rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/systemd-detect-virt rPx, /{usr/,}lib/dkms/dkms_autoinstaller rPx, - /{usr/,}sbin/dkms rPx, - /{usr/,}sbin/update-grub rPUx, - /{usr/,}sbin/update-initramfs rPx, /{usr/,}lib/modules/*/updates/ w, /{usr/,}lib/modules/*/updates/dkms/ w, + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + # For shell pwd / r, /boot/ r,