From a5faf60fbc549e3fb391473ceb09aac3d44e6683 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 18 May 2025 23:37:37 +0200
Subject: [PATCH] feat(profile): add profile for ischroot.
---
 apparmor.d/groups/apt/apt | 4 ++--
 apparmor.d/groups/ubuntu/apport-gtk | 2 +-
 .../groups/ubuntu/check-new-release-gtk | 2 +-
 apparmor.d/groups/ubuntu/do-release-upgrade | 2 +-
 .../groups/ubuntu/list-oem-metapackages | 2 +-
 .../groups/ubuntu/software-properties-gtk | 2 +-
 apparmor.d/groups/ubuntu/ubuntu-advantage | 3 +--
 apparmor.d/groups/ubuntu/update-manager | 2 +-
 .../ubuntu/update-motd-updates-available | 2 +-
 apparmor.d/groups/ubuntu/update-notifier | 2 +-
 apparmor.d/profiles-g-l/ischroot | 21 +++++++++++++++++++
 apparmor.d/profiles-m-r/packagekitd | 4 ++--
 apparmor.d/profiles-s-z/update-initramfs | 2 +-
 13 files changed, 35 insertions(+), 15 deletions(-)
 create mode 100644 apparmor.d/profiles-g-l/ischroot
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 2b103270d..2a0969156 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -67,7 +67,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 @{bin}/echo rix,
 @{bin}/gdbus rix,
 @{bin}/id rix,
- @{bin}/ischroot rix,
 @{bin}/test rix,
 @{bin}/touch rix,
@@ -80,14 +79,15 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 @{bin}/df rPx,
 @{bin}/dmesg rPx,
 @{bin}/dpkg rPx,
- @{sbin}/dpkg-preconfigure rPx,
 @{bin}/dpkg-source rcx -> dpkg-source,
 @{bin}/etckeeper rPx,
+ @{bin}/ischroot rPx,
 @{bin}/localepurge rPx,
 @{bin}/ps rPx,
 @{bin}/snap rPx,
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/update-command-not-found rPx,
+ @{sbin}/dpkg-preconfigure rPx,
 @{lib}/cnf-update-db rPx,
 @{lib}/needrestart/apt-pinvoke rPx,
 @{lib}/zsys-system-autosnapshot rPx,
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index 1307313d9..bb5cd329c 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
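Review bot: Switching `@{bin}/ischroot rix,` to `@{bin}/ischroot rPx,` in the second apt hunk changes more than confinement: a `P` transition scrubs the environment, so if ischroot's fakechroot detection (`-f`) depends on `LD_PRELOAD`/`FAKECHROOT` being present, a confined ischroot would report "not a fakechroot" to the caller regardless of the real situation. The same rix→rPx switch is made in apport-gtk, check-new-release-gtk, do-release-upgrade, list-oem-metapackages, software-properties-gtk, ubuntu-advantage, update-manager, update-motd-updates-available, update-notifier, packagekitd and update-initramfs, so any such behaviour change lands in all of them at once. Worth confirming against the ischroot source whether any of these callers pass `-f`; if none does, a one-line comment in the new profile recording that environment scrubbing is acceptable would spare the next reader the same check.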
@@ -41,7 +41,7 @@ profile apport-gtk @{exec_path} {
 @{bin}/dpkg-query rpx,
 @{bin}/gdb rCx -> gdb,
 @{bin}/gsettings rPx,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/journalctl rPx,
 @{sbin}/killall5 rix,
 @{bin}/kmod rPx,
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
index 1ff6df2ae..bdd2a0f54 100644
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -29,7 +29,7 @@ profile check-new-release-gtk @{exec_path} {
 @{exec_path} mr,
 @{bin}/dpkg rPx,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade
index 86c211f24..e7d6687d2 100644
--- a/apparmor.d/groups/ubuntu/do-release-upgrade
+++ b/apparmor.d/groups/ubuntu/do-release-upgrade
@@ -26,7 +26,7 @@ profile do-release-upgrade @{exec_path} {
 @{exec_path} mr,
 @{bin}/dpkg rPx -> child-dpkg,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 /usr/share/distro-info/*.csv r,
diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages
index 75e4279f2..91bc4876f 100644
--- a/apparmor.d/groups/ubuntu/list-oem-metapackages
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages
@@ -15,7 +15,7 @@ profile list-oem-metapackages @{exec_path} {
 @{exec_path} mr,
 @{bin}/dpkg rPx -> child-dpkg,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index e2bb2dc98..d5762a84e 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -32,7 +32,7 @@ profile software-properties-gtk @{exec_path} {
 @{bin}/aplay rPx,
 @{bin}/apt-key rPx,
 @{bin}/dpkg rPx -> child-dpkg,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/ubuntu-advantage rPx,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage
index 7d797bd97..34b697732 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage
@@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} {
 @{exec_path} mr,
- @{bin}/ischroot rix,
-
 @{bin}/apt rPx,
 @{bin}/apt-cache rPx,
 @{bin}/apt-config rPx,
 @{bin}/apt-get rPx,
 @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/ischroot rPx,
 @{bin}/ps rPx,
 @{bin}/snap rPUx,
 @{bin}/systemctl rCx -> systemctl,
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
index 44e0cc403..e1636c6d5 100644
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -44,7 +44,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 @{sh_path} rix,
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/hwe-support-status rPx,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/snap rPUx,
 @{bin}/software-properties-gtk rPx,
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available
index 776cc9bf8..e6a3e7152 100644
--- a/apparmor.d/groups/ubuntu/update-motd-updates-available
+++ b/apparmor.d/groups/ubuntu/update-motd-updates-available
@@ -26,7 +26,7 @@ profile update-motd-updates-available @{exec_path} {
 @{bin}/dirname rix,
 @{bin}/dpkg rPx -> child-dpkg,
 @{bin}/find rix,
- @{bin}/ischroot rix,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/mktemp rix,
 @{bin}/mv rix,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 8d1571c1e..ea6318156 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -31,10 +31,10 @@ profile update-notifier @{exec_path} {
 @{sh_path} rix,
 @{bin}/ionice rix,
- @{bin}/ischroot rix,
 @{bin}/nice rix,
 @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/ischroot rPx,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/pkexec rCx -> pkexec,
 @{bin}/snap rPUx,
diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot
new file mode 100644
index 000000000..c5b848bab
--- /dev/null
+++ b/apparmor.d/profiles-g-l/ischroot
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ischroot
+profile ischroot @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{PROC}/@{pid}/mountinfo r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index ca93ade6b..873b4ef7d 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -51,7 +51,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 @{bin}/echo rix,
 @{bin}/gdbus rix,
 @{bin}/gzip rix,
- @{bin}/ischroot rix,
 @{sbin}/ldconfig rix,
 @{bin}/repo2solv rix,
 @{bin}/tar rix,
@@ -63,7 +62,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 @{bin}/dpkg rPx -> child-dpkg, #aa:only apt
 @{bin}/fc-cache rPx,
 @{bin}/glib-compile-schemas rPx,
- @{sbin}/install-info rPx,
+ @{bin}/install-info rPx,
+ @{bin}/ischroot rPx,
 @{bin}/rpm rPUx, #aa:only opensuse
 @{bin}/rpmdb2solv rPUx, #aa:only opensuse
 @{bin}/systemd-inhibit rPx,
diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs
index 51961efb3..f9e47cb52 100644
--- a/apparmor.d/profiles-s-z/update-initramfs
+++ b/apparmor.d/profiles-s-z/update-initramfs
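Review bot: `@{PROC}/@{pid}/mountinfo r,` in the new ischroot profile lets the confined binary read the mount table of any process, and nothing in the profile says which table ischroot actually consults, so a reader cannot tell whether the wildcard is needed or simply mirrors what the denial log showed. Suggest recording the reason beside the rule, e.g. `# mount-table lookup to decide whether / is the real root; TODO confirm whether only /proc/self/mountinfo is read and narrow if so`. Separately, the `abi ,` and `include` lines appear here without their `<...>` arguments; presumably the angle-bracketed targets were stripped by the rendering rather than absent from the committed file, but as shown the profile would not parse, so it is worth checking the actual blob.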
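Review bot: The second packagekitd hunk also rewrites `@{sbin}/install-info rPx,` to `@{bin}/install-info rPx,`, which is unrelated to the ischroot profile the subject describes and is not mentioned anywhere in the message. A `Px` rule matches only the exact path, so on a system where install-info is still installed under `@{sbin}` the transition to its profile stops matching and the exec is denied; if this is a deliberate correction of where install-info lives, it deserves its own commit or at least a sentence in the description explaining the move.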
@@ -22,7 +22,6 @@ profile update-initramfs @{exec_path} {
 @{bin}/cat rix,
 @{bin}/{m,g,}awk rix,
 @{bin}/getopt rix,
- @{bin}/ischroot rix,
 @{bin}/ln rix,
 @{bin}/mv rix,
 @{bin}/rm rix,
@@ -31,6 +30,7 @@ profile update-initramfs @{exec_path} {
 @{bin}/uname rix,
 @{bin}/dpkg-trigger rPx,
+ @{bin}/ischroot rPx,
 @{bin}/linux-version rPx,
 @{sbin}/mkinitramfs rPx,