diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass
new file mode 100644
index 000000000..c49b4e0c0
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-askpass
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-askpass
+profile cockpit-askpass @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
new file mode 100644
index 000000000..d4b4fa0c9
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/cockpit-bridge
+profile cockpit-bridge @{exec_path} {
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+ capability sys_nice,
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+
+ signal (send) set=term peer=dbus-daemon,
+ signal (send) set=term peer=ssh-agent,
+ signal (send) set=term peer=sudo,
+ signal (send) set=term peer=unconfined,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/journalctl rPx,
+
+ /usr/share/cockpit/{,**} r,
+
+ /etc/cockpit/{,**} r,
+ /etc/machine-id r,
+ /etc/motd r,
+ /etc/shadow r,
+
+ owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
+
+ @{run}/systemd/userdb/ r,
+ @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
+ @{run}/utmp r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+ @{PROC}/@{pids}/net/dev r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/diskstats r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ @{PROC}/uptime r,
+
+ /dev/ptmx rw,
+
+ include if exists
+}
\ No newline at end of file
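Review bot: The ssh-agent socket rule `@{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,` in cockpit-bridge carries no `owner` qualifier, while the sibling `@{user_cache_dirs}/ssh-agent.[0-9A-Z]*` rule right above it does; as written a bridge running as root could open any user's agent socket, so it should read `owner @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,`. `/etc/shadow r` together with `capability dac_read_search` is a sensitive grant with no justification in the profile; if it came from a log entry of a root-owned bridge (presumably the accounts page, which cannot be confirmed here) a comment such as `# root bridge only: reads account-expiry data` would keep the next maintainer from widening it, and otherwise it should be dropped. `signal (send) set=term peer=unconfined` is likewise broad; if the only unconfined peer is a child the bridge spawns, naming that peer would tighten the rule.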
diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure
new file mode 100644
index 000000000..226e1a955
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-certificate-ensure
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-certificate-ensure
+profile cockpit-certificate-ensure @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /etc/cockpit/ws-certs.d/{,*} r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper
new file mode 100644
index 000000000..85f029cee
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-certificate-helper
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-certificate-helper
+profile cockpit-certificate-helper @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop
new file mode 100644
index 000000000..0ad1798fd
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-desktop
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-desktop
+profile cockpit-desktop @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
new file mode 100644
index 000000000..d5589ffa3
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-session
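Review bot: `/etc/cockpit/ws-certs.d/{,*} r,` in cockpit-certificate-ensure matches only one directory level, while cockpit-tls covers the same directory with `{,**}`; the two profiles should agree on the glob, and `{,**}` is the form that keeps working if a subdirectory ever appears there. The helper's name suggests it may also create a certificate when none is present, which a read-only rule would not allow once the profile leaves complain mode — that is an inference from the name, not from anything in the hunk, so confirm the helper's behaviour before granting write access rather than widening the rule speculatively. A line such as `# TODO: confirm whether this helper writes into ws-certs.d` above the rule would record the open question.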
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-session
+profile cockpit-session @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability audit_write,
+ capability dac_read_search,
+ capability net_admin,
+ capability setgid,
+ capability setuid,
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,z,ba,da}sh rix,
+ /{usr/,}bin/cockpit-bridge rPx,
+
+ /etc/environment r,
+ /etc/group r,
+ /etc/motd r,
+ /etc/security/limits.d/{,*.conf} r,
+ /etc/shells r,
+
+ @{run}/faillock/[a-zA-z0-9]* rwk,
+ @{run}/systemd/sessions/[0-9].ref rw,
+ @{run}/systemd/userdb/ r,
+ @{run}/utmp rwk,
+
+ /var/log/btmp rw,
+ /var/log/lastlog rw,
+ /var/log/wtmp rwk,
+
+ owner @{PROC}/@{pid}/loginuid rw,
+ owner @{PROC}/@{pid}/uid_map r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-ssh b/apparmor.d/groups/virt/cockpit-ssh
new file mode 100644
index 000000000..4ac87225e
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-ssh
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-ssh
+profile cockpit-ssh @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls
new file mode 100644
index 000000000..d742fbaa1
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-tls
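Review bot: The faillock rule `@{run}/faillock/[a-zA-z0-9]* rwk,` in cockpit-session has a typo in its character class: `A-z` with a lowercase z spans the ASCII range from `A` to `z`, which also admits `[`, `\`, `]`, `^`, `_` and the backtick, so it should be `@{run}/faillock/[a-zA-Z0-9]* rwk,`. In the same group, `@{run}/systemd/sessions/[0-9].ref rw,` matches only single-digit session ids and silently stops matching once logind hands out session 10; `@{run}/systemd/sessions/[0-9]*.ref rw,` is what is evidently intended. `capability net_admin` is granted with no comment explaining why; `capability audit_write` plus `network netlink raw` presumably already covers audit messages, so if net_admin was copied from a single log line it is worth confirming it is really needed before an enforced profile keeps a capability that broad, and a one-line comment stating the reason should accompany it either way.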
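Review bot: cockpit-ssh receives no `network` rule while cockpit-bridge and cockpit-tls in the same change do; if this helper opens outbound SSH connections itself (inferred from its name, not visible in the hunk) it will need `network inet stream,` and `network inet6 stream,` plus read access to the relevant known_hosts files before it can leave complain mode. Because profiles.flags puts it in complain mode the skeleton only logs for now, but a comment such as `# Skeleton profile: rules still to be collected from complain-mode logs` at the top of the profile block would make that status explicit for whoever enforces it later.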
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-tls
+profile cockpit-tls @{exec_path} {
+ include
+
+ network inet6 stream,
+
+ @{exec_path} mr,
+
+ /etc/cockpit/ws-certs.d/{,**} r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws
new file mode 100644
index 000000000..bea2a2c51
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-ws
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-ws
+profile cockpit-ws @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/cockpit/cockpit-session rPx,
+
+ /usr/share/cockpit/{,**} r,
+ /etc/cockpit/ws-certs.d/ r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory
new file mode 100644
index 000000000..6b0ece471
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-wsinstance-factory
+profile cockpit-wsinstance-factory @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/profiles.flags b/profiles.flags
index 4d5bb217f..0a7ade4b6 100644
--- a/profiles.flags
+++ b/profiles.flags
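Review bot: cockpit-tls is allowed `network inet6 stream,` only, whereas cockpit-bridge in the same change gets both `inet` and `inet6`; if cockpit-tls creates its listening socket itself rather than inheriting one from a systemd socket unit, an IPv4-only host would be denied once the profile is enforced. Either add `network inet stream,` next to the existing rule, or, if the socket really is inherited, say so where the rule sits: `# listening socket is inherited from the systemd socket unit; no inet rule needed`. Which of the two applies cannot be confirmed from this hunk, so it should be checked against a complain-mode log before enforcement.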
@@ -12,7 +12,16 @@ bootctl complain
 borg complain
 cfdisk complain
 cgdisk complain
-
+cockpit-askpass complain
+cockpit-bridge complain
+cockpit-certificate-ensure complain
+cockpit-certificate-helper complain
+cockpit-desktop complain
+cockpit-session attach_disconnected,complain
+cockpit-ssh complain
+cockpit-tls complain
+cockpit-ws complain
+cockpit-wsinstance-factory complain
 dbus-daemon-launch-helper complain
 dbus-run-session complain
 dkms complain