diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon index de381ebcd..27afafef4 100644 --- a/apparmor.d/groups/bus/dbus-daemon +++ b/apparmor.d/groups/bus/dbus-daemon @@ -11,6 +11,10 @@ include profile dbus-daemon @{exec_path} flags=(attach_disconnected) { include include + include + include + include +# include include capability audit_write, @@ -41,7 +45,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, /etc/dbus-1/{,**} r, - /etc/machine-id r, /usr/share/dbus-1/{,**} r, /usr/share/defaults/**.conf r, @@ -63,12 +66,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { owner /tmp/dbus-[0-9a-zA-Z]* rw, - owner @{run}/user/@{uid}/bus w, owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, owner @{run}/user/@{uid}/dbus-1/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw, @{run}/systemd/inhibit/[0-9]*.ref rw, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/userdb/io.systemd.DynamicUser w, @{run}/systemd/users/@{uid} r, @@ -77,7 +79,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/module/apparmor/parameters/enabled r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/oom_score_adj rw, @{PROC}/@{pids}/cmdline r, @@ -89,5 +91,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/tty[0-9]* rw, + unix type=stream addr="@/tmp/dbus-*", + include if exists } diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 3cd08f480..3c516fd2b 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server 
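Review bot: Dropping `owner` from `@{PROC}/@{pid}/mounts r` while keeping the `@{pid}` variable (fourth hunk) is inconsistent with the neighbouring rules, which use `@{pids}` for other processes' entries and read as reserving `@{pid}` for the daemon's own; as written the rule now permits reading any process's mount table. If dbus-daemon genuinely needs other processes' mounts, make that explicit with `@{PROC}/@{pids}/mounts r, # <why — TODO confirm from audit log>`; otherwise keep `owner @{PROC}/@{pid}/mounts r,`. The profile body continues outside the hunk.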
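Review bot: The new `unix type=stream addr="@/tmp/dbus-*",` rule (last hunk) carries neither an access list nor a `peer=` qualifier, so it grants every unix-socket operation on that abstract address. For the bus's own listener the accesses are presumably bind/listen/accept, so consider `unix (bind, listen, accept) type=stream addr="@/tmp/dbus-*",` once confirmed against the audit log, and add a one-line comment naming what the rule is for, e.g. `# session bus listener on an abstract socket`.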
@@ -9,8 +9,13 @@ include @{exec_path} = /{usr/,}lib/openssh/sftp-server profile sftp-server @{exec_path} { include + include + include + + capability dac_read_search, +# deny capability dac_override, @{exec_path} mr, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 54f2afe98..990d46265 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -45,6 +45,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, @{exec_path} mrix, @@ -75,11 +78,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/resolvconf/resolv.conf r, - @{run}/systemd/sessions/[0-9]*.ref rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/notify w, @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-c[0-9]*.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid rw, @@ -95,5 +98,24 @@ profile sshd @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + @{run}/systemd/userdb/io.systemd.DynamicUser w, + + # DBus + @{run}/dbus/system_bus_socket rw, + + dbus send + bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=org.freedesktop.DBus), + + dbus send + bus=system + path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession} + peer=(name=org.freedesktop.login1), + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 3f72381f8..0a9df1025 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald 
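Review bot: `# deny capability dac_override,` lands as a commented-out rule with no reason given, while `capability dac_read_search,` above it is enabled; the lsblk profile in this same commit uses the enabled pair `capability dac_read_search,` / `deny capability dac_override,`, so either enable the deny here too or replace it with a comment saying why sftp-server must keep dac_override. A capability rule only matters while the process still holds the capability, i.e. for root sessions, so a short comment such as `# bypass read/search permission checks (root sessions only) — TODO confirm` would document the intent.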
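Review bot: `network netlink raw,` in the sshd profile's first hunk is the broadest network rule in the set, since AppArmor cannot narrow netlink by protocol family, and neither it nor the two new dgram rules carry a comment on what in sshd needs them. Add a why-comment on each, e.g. `network netlink raw, # <reason — TODO confirm from audit log>`, so a later reviewer can tell whether the rule is still required. sshd's profile body continues outside the hunk.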
@@ -50,6 +50,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+sdio:* r, @{run}/udev/data/c10:224 r, # for /dev/tpm0 @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c23[0-9]:[0-9]* r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 55a79fc0f..bfaebacbc 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -7,16 +7,15 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-logind -profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { +profile systemd-logind @{exec_path} flags=(attach_disconnected) { include - include include include include + include capability chown, capability dac_override, - capability dac_read_search, capability fowner, capability sys_admin, capability sys_tty_config, 
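Review bot: Removing `complain` from the systemd-logind flags switches the profile to enforce in the same commit that rewrites most of its rules (the second hunk), so any denial that surfaces afterwards cannot be attributed to the flag change or to a rule change. Consider landing the enforce switch separately, or at least noting in the commit message that the new rule set was validated in complain mode first. The dropped `capability dac_read_search,` is likely harmless since `capability dac_override,` remains, which also bypasses read and search checks, but a one-line note would save the next reader the reasoning.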
@@ -44,66 +43,120 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:intel_backlight r, - @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs - @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad - @{run}/udev/data/+pci* r, @{run}/udev/data/c10:[0-9]* r, @{run}/udev/data/c116:[0-9]* r, # for ALSA @{run}/udev/data/c13:[0-9]* r, # for /dev/input/* @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* + @{run}/udev/data/c21:[0-9]* r, @{run}/udev/data/c23[0-9]:[0-9]* r, @{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/c29:[0-9]* r, @{run}/udev/data/c50[0-9]:[0-9]* r, @{run}/udev/data/c51[0-9]:[0-9]* r, - @{run}/systemd/inhibit/ rw, - @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad + @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs + @{run}/udev/data/+backlight:intel_backlight r, + @{run}/udev/data/+pci* r, + @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat[0-9]* rw, - @{run}/systemd/sessions/ rw, - @{run}/systemd/sessions/.#* rw, - @{run}/systemd/sessions/[0-9]*{,.ref} rw, - @{run}/systemd/userdb/ r, + @{run}/systemd/inhibit/ rw, + @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/systemd/inhibit/.#* rw, + @{run}/systemd/sessions/ r, + @{run}/systemd/sessions/* rw, + @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/ rw, - @{run}/systemd/users/.#* rw, @{run}/systemd/users/@{uid} rw, + @{run}/systemd/users/.#* rw, + @{run}/systemd/userdb/ r, + @{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/notify w, - @{run}/systemd/journal/socket rw, - @{run}/systemd/notify rw, + /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) + /dev/dri/card[0-9]* rw, + /dev/tty[0-9]* rw, + /dev/nvme* r, + /dev/shm/{,**/} r, + /dev/mqueue/ r, - @{sys}/class/drm/ r, + 
@{sys}/module/vt/parameters/default_utf8 r, + @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, + @{sys}/fs/cgroup/memory.max r, + @{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/**/{uevent,enabled,status} r, @{sys}/devices/**/brightness rw, - @{sys}/devices/virtual/tty/tty[0-9]*/active r, - @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, - @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, - @{sys}/fs/cgroup/memory.max r, - @{sys}/fs/cgroup/memory/memory.limit_in_bytes r, - @{sys}/module/vt/parameters/default_utf8 r, + + @{sys}/class/drm/ r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r, + + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, @{PROC}/1/cmdline r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r, - /dev/dri/card[0-9]* rw, - /dev/input/event[0-9]* rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/nvme* r, - /dev/shm/{,**/} rw, - /dev/tty[0-9]* rw, + # DBus + # all members for login related, specific for others + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), + + dbus (send, receive) + bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus 
(send, receive) + bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.Manager" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus (send, receive) + bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.login1.Session" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus receive + bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), + + dbus (send, receive) + bus="system" path="/org/freedesktop/login1/*" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus send + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"), + + dbus send + bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), + + dbus receive + bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + + dbus 
send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"), + + dbus (bind) + bus="system" + name="org.freedesktop.login1", include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 1eb2b263b..7dd0eb071 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -12,12 +12,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { include include include - include capability sys_time, network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, @{exec_path} mr, @@ -33,5 +34,19 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify rw, + # dbus-stricter + @{run}/dbus/system_bus_socket rw, + + dbus send + bus=system + path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,RequestName} + peer=(name=org.freedesktop.DBus), + + dbus bind + bus=system + name=org.freedesktop.timesync1, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 204a9b3e0..cc7a27e64 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -11,6 +11,8 @@ profile systemd-tty-ask-password-agent @{exec_path} { include include + signal (receive) set=(term cont) peer=logrotate, + @{exec_path} mr, @{run}/systemd/ask-password-block/{,*} rw, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 28b8cc525..969fadb1b 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty 
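Review bot: The `dbus receive ... interface="org.freedesktop.systemd1.Manager"` rule lists `member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}"`, a duplicated `UnitRemoved`; the first is probably meant to be `UnitNew`, the signal systemd emits alongside UnitRemoved, so the line should read `member="{UnitNew,UnitRemoved,JobRemoved,Reloading}"`. Separately, the `dbus (send, receive) ... path="/org/freedesktop/login1/*" interface="org.freedesktop.DBus.Properties"` rule is subsumed by the earlier `path="/org/freedesktop/login1{,/**}"` rule with the same interface and peer and can be dropped. The `@{PROC}/@{pid}/...` to `@{PROC}/@{pids}/...` change widens cgroup/comm/fd/mountinfo/sessionid/stat reads from the daemon's own pid to every process, which is plausible for a session manager but deserves a comment such as `# session bookkeeping needs other processes' cgroup/session data`. The profile header is outside this hunk.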
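Review bot: `network inet stream,` / `network inet6 stream,` in the systemd-timesyncd profile add TCP to a daemon whose NTP traffic uses the existing dgram rules, and there is no comment on what needs a stream socket; if it is name resolution falling back to TCP, say so, e.g. `network inet stream, # DNS over TCP — TODO confirm from audit log`, otherwise the rules should be dropped. The include removed in the same hunk cannot be assessed here because its argument was lost in rendering.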
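Review bot: The systemd-timesyncd profile now binds `org.freedesktop.timesync1` but has no `dbus receive` rule, so any client calling methods or reading properties on that name would be denied once the daemon owns it; the logind profile in this commit covers the same situation for login1 with `dbus receive ... interface="org.freedesktop.DBus.Properties"` rules. If no client is expected to query the name, a comment saying so would help; otherwise add a receive rule for `org.freedesktop.DBus.Properties` scoped with `peer=(name=":*")`. Whether a client actually queries the name cannot be told from the hunk.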
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}sbin/agetty +@{exec_path} = /{usr/,}{s,}bin/agetty profile agetty @{exec_path} { include include @@ -15,6 +15,7 @@ profile agetty @{exec_path} { capability fsetid, capability sys_admin, capability sys_tty_config, + capability chown, @{exec_path} mr, @@ -25,7 +26,9 @@ profile agetty @{exec_path} { owner @{run}/agetty.reload rw, @{run}/resolvconf/resolv.conf r, - /dev/tty[0-9]* rw, + /dev/tty[0-9]* rw, + owner /dev/ttyGS[0-9]* rw, + owner /dev/ttyS[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 8a5aef04e..d4a880c58 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -23,6 +23,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { audit deny capability net_admin, signal (send) set=(hup), + signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, @@ -36,7 +37,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /{usr/,}bin/zstd rix, /{usr/,}{s,}bin/invoke-rc.d rix, /{usr/,}lib/rsyslog/rsyslog-rotate rix, - /{usr/,}bin/fail2ban-client rPx, + /{usr/,}bin/fail2ban-client rPx, + /{usr/,}bin/systemd-tty-ask-password-agent rPx, # no new privs #/{usr/,}bin/systemctl rCx -> systemctl, @@ -51,6 +53,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + owner @{run}/systemd/private rw, + /etc/ r, /etc/logrotate.conf rk, /etc/logrotate.d/ r, @@ -61,6 +65,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /var/lib/logrotate.status rwk, /var/lib/logrotate.status.tmp rw, + /var/log/ r, /var/log/** rw, # Needed to remove the following error: @@ -86,6 +91,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) { /dev/kmsg rw, + include if exists } include if exists 
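Review bot: The two new serial rules carry `owner` (`owner /dev/ttyS[0-9]* rw,`, `owner /dev/ttyGS[0-9]* rw,`) while the VT rule `/dev/tty[0-9]* rw,` next to them does not; if a previous login left a serial device owned by the logged-in user, the owner-qualified rule would deny agetty's reopen of it, and the `capability chown,` added in the second hunk suggests agetty resets ownership itself. Either drop `owner` for consistency with the VT rule or add a comment stating why serial devices are expected to be root-owned at open time. Whether agetty opens the device before or after chowning it cannot be told from the hunk.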
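Review bot: `owner @{run}/systemd/private rw,` in the logrotate profile gives the whole profile (still `complain` per the hunk header) a connection to systemd's private control socket, i.e. the ability to start, stop or kill arbitrary units, presumably because `systemctl` runs inline through the `rix` transition of `invoke-rc.d` shown as context in the previous hunk. The commented-out `#/{usr/,}bin/systemctl rCx -> systemctl,` in that hunk is the intended way to confine this: enabling it and moving the socket rule into the `systemctl` child profile limits control-socket access to the one helper that needs it. At minimum add a comment naming the postrotate action that needs the socket, e.g. `# systemctl in postrotate scripts — TODO confirm`.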
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk index c71fe8e2c..3144bb973 100644 --- a/apparmor.d/profiles-g-l/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -13,6 +13,9 @@ profile lsblk @{exec_path} { include include + capability dac_read_search, + deny capability dac_override, + @{exec_path} mr, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index 1913b203f..a8da63993 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -22,8 +22,8 @@ profile pstree @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/cmdline r, include if exists } diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 479f04d82..77fe8d1ef 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -26,8 +26,14 @@ profile rsyslogd @{exec_path} { # for creating new log files and changing their owner/group capability chown, + # downgrade privileges on Ubuntu + capability setgid, + capability setuid, + # Needed? deny capability sys_nice, +# capability sys_ptrace, +# ptrace (read), @{exec_path} mr, @@ -50,5 +56,12 @@ profile rsyslogd @{exec_path} { /etc/CA/*.crt r, /etc/CA/*.key r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + @{run}/systemd/userdb/io.systemd.Machine rw, + @{run}/systemd/notify w, + include if exists }
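Review bot: `capability dac_read_search,` in the lsblk profile is added without a comment, and nothing in the hunk shows which path needs it; the `deny capability dac_override,` right after it is good practice and is the same pair sftp-server introduces in this commit with the deny commented out. Add a why-comment, e.g. `capability dac_read_search, # <path lsblk cannot otherwise traverse — TODO confirm from audit log>`. lsblk's profile body continues outside the hunk.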
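Review bot: `@{PROC}/1/environ r,` in the rsyslogd profile's second hunk is granted while `# capability sys_ptrace,` and `# ptrace (read),` in its first hunk are left commented out; reading another process's environ is subject to a ptrace-read access check, so on kernels with AppArmor ptrace mediation the file rule alone would still be denied, and if the read is not actually needed the rule exposes PID 1's environment for nothing. Decide one way: drop the environ rule, or enable `ptrace (read) peer=unconfined,` with a comment on what rsyslog reads it for. The `# Needed?` marker and the two commented rules should not land as dead configuration; record the open question in a comment that states what was observed instead.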