feat(profile): improvement raised by unit tests.

Alexandre Pujol 2025-07-21 00:24:15 +02:00 committed by Alex
parent c09b5d85a4
commit a731badeff
11 changed files with 77 additions and 22 deletions


@ -49,7 +49,17 @@ profile apport @{exec_path} flags=(attach_disconnected) {
owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/cache/apt/pkgcache.bin.@{rand6} rw,
owner /var/log/apport.log rw, owner /var/log/apport.log rw,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
@{run}/apport.lock rwk, @{run}/apport.lock rwk,
@{run}/log/journal/ r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/environ r, @{PROC}/@{pid}/environ r,
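Review bot: `@{run}/log/journal/ r,` appears redundant with the new `/{run,var}/log/journal/ r,` earlier in the hunk, since `@{run}` expands to `/run/` (and `/var/run/`, normally a symlink to it); keeping only the `{run,var}` form matches the style of the other new lines. The new rules also grant apport read access to every user's journal under `/{run,var}/log/journal/@{hex32}/` (`user-@{hex}.journal*` and the `user-@{uid}@...` variants); if crash collection only needs the system journal those lines could be dropped, otherwise a one-line comment such as `# apport attaches journal excerpts for the crashing user` (adjust to the actual need) would keep the breadth reviewable. The apport profile continues outside the hunk.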


@ -26,6 +26,8 @@ profile fstrim @{exec_path} flags=(attach_disconnected) {
/boot/efi/ r, /boot/efi/ r,
/var/ r, /var/ r,
@{PROC}/@{pid}/mountinfo r,
include if exists <local/fstrim> include if exists <local/fstrim>
} }
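Review bot: The new `@{PROC}/@{pid}/mountinfo r,` could carry the `owner` prefix this commit uses for a process's own procfs entries elsewhere (e.g. `owner @{PROC}/@{pid}/fd/ r,` in the mkinitramfs profile): `owner @{PROC}/@{pid}/mountinfo r,`. `@{pid}` alone matches any pid, and fstrim only needs its own mount table. If the denial that motivated the rule came from a non-owned pid, a short comment saying so would be worth keeping next to the line.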


@ -11,6 +11,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
capability dac_override,
network inet dgram, network inet dgram,
@{exec_path} mr, @{exec_path} mr,
@ -18,9 +20,11 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
owner /var/lib/libuuid/clock.txt rwk, owner /var/lib/libuuid/clock.txt rwk,
owner /var/lib/libuuid/clock-cont.txt rwk, owner /var/lib/libuuid/clock-cont.txt rwk,
@{run}/uuidd/request rw,
@{att}/@{run}/uuidd/request rw, @{att}/@{run}/uuidd/request rw,
@{run}/uuidd/request rw,
@{run}/uuidd/uuidd.pid rwk,
include if exists <local/uuidd> include if exists <local/uuidd>
} }
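Review bot: `capability dac_override,` in the first hunk is added without a comment naming the access it unblocks; it lets uuidd bypass DAC permission checks on every path the profile allows, so a line such as `# needed to open @{run}/uuidd/request (replace with the actual denial)` above it would keep the grant reviewable. If the denial was on `@{run}/uuidd/` or `/var/lib/libuuid/`, fixing the ownership or mode of those paths in the packaging or the unit file would avoid the capability entirely. The two `@{run}/uuidd/request rw,` lines printed once in the second hunk look like a reorder rather than a new rule; fine if so.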


@ -13,8 +13,10 @@ profile zramctl @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sys}/devices/virtual/block/zram{int}/disksize w,
@{sys}/devices/virtual/block/zram{int}/reset w,
@{sys}/devices/virtual/block/zram@{int}/ r, @{sys}/devices/virtual/block/zram@{int}/ r,
@{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw,
@{sys}/devices/virtual/block/zram@{int}/disksize r, @{sys}/devices/virtual/block/zram@{int}/disksize r,
@{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r,
@{sys}/devices/virtual/block/zram@{int}/mm_stat r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r,


@ -17,6 +17,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/{,e}grep ix,
@{bin}/basename ix, @{bin}/basename ix,
@{bin}/cat ix, @{bin}/cat ix,
@{bin}/cmp ix, @{bin}/cmp ix,
@ -25,13 +26,13 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
@{bin}/file ix, @{bin}/file ix,
@{bin}/find ix, @{bin}/find ix,
@{bin}/flock ix, @{bin}/flock ix,
@{bin}/{,e}grep ix,
@{bin}/hexdump ix, @{bin}/hexdump ix,
@{bin}/ln ix, @{bin}/ln ix,
@{bin}/logger ix, @{bin}/logger ix,
@{bin}/plymouth Px, @{bin}/plymouth Px,
@{bin}/readlink ix, @{bin}/readlink ix,
@{bin}/rev ix, @{bin}/rev ix,
@{bin}/rm ix,
@{bin}/run-parts ix, @{bin}/run-parts ix,
@{bin}/sed ix, @{bin}/sed ix,
@{bin}/systemctl Cx -> systemctl, @{bin}/systemctl Cx -> systemctl,
@ -50,7 +51,13 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
/var/crash/kdump_lock wk, /var/crash/kdump_lock wk,
/var/crash/kexec_cmd w, /var/crash/kexec_cmd w,
owner /var/lib/kdump/{,**} rw, /var/lib/kdump/{,**} rw,
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
@{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
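Review bot: Dropping `owner` from `/var/lib/kdump/{,**} rw,` in the last hunk widens the rule to files under `/var/lib/kdump/` owned by any uid; if a non-owned file is what the tests hit, a comment above the line such as `# files under /var/lib/kdump/ are not always owned by the caller (which one: TODO)` keeps the reason visible, otherwise keeping `owner` and adding only the specific subpath is the narrower fix. The new link rule `owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,` has the same form as the one added to the mkinitramfs ldconfig profile in this commit, so that part is consistent. The kdump-config profile continues outside the hunk.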


@ -12,15 +12,32 @@ profile kernel-postinst-kdump @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} r,
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/cp rix,
@{bin}/du rix, @{bin}/du rix,
@{bin}/find rix, @{bin}/find rix,
@{bin}/{m,g,}awk rix, @{bin}/kmod rCx -> kmod,
@{bin}/ischroot rPx,
@{bin}/linux-version rPx,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/sync rix, @{bin}/sync rix,
@{bin}/cut rix,
@{sbin}/mkinitramfs rPx, @{sbin}/mkinitramfs rPx,
owner /var/lib/kdump/* w, / r,
/etc/initramfs-tools/conf.d/{,**} r,
/etc/initramfs-tools/initramfs.conf r,
owner /var/lib/kdump/** rw,
owner /tmp/tmp.@{rand10}/ rw,
owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
@ -28,6 +45,13 @@ profile kernel-postinst-kdump @{exec_path} {
owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
include if exists <local/dkernel-postinst-kdump_kmod>
}
include if exists <local/kernel-postinst-kdump> include if exists <local/kernel-postinst-kdump>
} }
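Review bot: The new `kmod` child profile's local include `include if exists <local/dkernel-postinst-kdump_kmod>` has a stray `d` in the profile name; the parent uses `<local/kernel-postinst-kdump>`, so the line should read `include if exists <local/kernel-postinst-kdump_kmod>`, otherwise a site override for the child profile is silently never loaded. Because `if exists` makes the include optional, nothing in the unit tests would catch this. Separately, `@{bin}/cut rix,` and `@{sh_path} r,` are printed once in the first hunk and may be removals; if so, confirm that the script no longer calls `cut` and that `@{sh_path} r,` is not needed alongside the other `rix` entries.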


@ -16,14 +16,15 @@ profile initramfs-hooks @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@{bin}/fc-cache ix,
@{bin}/ischroot Px, @{bin}/ischroot Px,
@{bin}/ldd Cx -> ldd, @{bin}/ldd Cx -> ldd,
@{bin}/plymouth Px, @{bin}/plymouth Px,
@{sbin}/update-alternatives Px, @{bin}/update-alternatives Px,
@{sbin}/blkid Px,
@{lib}/dracut/dracut-install Px, @{lib}/dracut/dracut-install Px,
@{lib}/initramfs-tools/bin/busybox ix, @{lib}/initramfs-tools/bin/busybox ix,
@{lib}/klibc/bin/fstype ix, @{lib}/klibc/bin/fstype ix,
@{sbin}/blkid Px,
/usr/share/mdadm/mkconf Px, /usr/share/mdadm/mkconf Px,
@{bin}/* mr, @{bin}/* mr,


@ -25,6 +25,7 @@ profile mdadm-mkconf @{exec_path} {
/ r, / r,
/var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
/tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
include if exists <local/mdadm-mkconf> include if exists <local/mdadm-mkconf>
} }
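Review bot: The new `/tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,` lacks the `owner` prefix that every other `/tmp/tmp.@{rand10}/` rule in this commit carries (mkinitramfs, kdump-config, kernel-postinst-kdump); since `/tmp` is world-writable, `owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,` limits the write to a staging tree created by the same uid. The pre-existing `/var/tmp/...` line above it has the same unprefixed shape, so the change is consistent with the file as it stands; tightening both together would be a reasonable follow-up.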


@ -47,13 +47,16 @@ profile mkinitramfs @{exec_path} {
@{bin}/rmdir rix, @{bin}/rmdir rix,
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/sort rix, @{bin}/sort rix,
@{bin}/stat rix,
@{bin}/touch rix, @{bin}/touch rix,
@{bin}/tr rix, @{bin}/tr rix,
@{bin}/tsort rix, @{bin}/tsort rix,
@{bin}/uname rix,
@{bin}/uniq rix, @{bin}/uniq rix,
@{bin}/xargs rix, @{bin}/xargs rix,
@{bin}/xz rix, @{bin}/xz rix,
@{bin}/zstd rix, @{bin}/zstd rix,
@{sbin}/blkid rPx,
@{lib}/dracut/dracut-install rix, @{lib}/dracut/dracut-install rix,
@{bin}/find rCx -> find, @{bin}/find rCx -> find,
@ -87,6 +90,9 @@ profile mkinitramfs @{exec_path} {
owner /boot/config-* r, owner /boot/config-* r,
owner /boot/initrd.img-*.new rw, owner /boot/initrd.img-*.new rw,
owner /var/lib/kdump/initramfs-tools/** rw,
owner /var/lib/kdump/initrd.* rw,
/var/tmp/ r, /var/tmp/ r,
/var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/mkinitramfs_@{rand6}/** w,
/var/tmp/modules_@{rand6} rw, /var/tmp/modules_@{rand6} rw,
@ -102,13 +108,17 @@ profile mkinitramfs @{exec_path} {
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w,
owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
@{sys}/bus/ r,
@{sys}/bus/*/drivers/ r,
@{sys}/devices/platform/ r, @{sys}/devices/platform/ r,
@{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/ r,
@{sys}/devices/platform/**/modalias r, @{sys}/devices/platform/**/modalias r,
@{sys}/module/compression r, @{sys}/module/compression r,
@{sys}/module/firmware_class/parameters/path r, @{sys}/module/firmware_class/parameters/path r,
@{PROC}/@{pid}/mounts r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/modules r, @{PROC}/modules r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
@ -143,18 +153,8 @@ profile mkinitramfs @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{sbin}/ldconfig.real rix, @{sbin}/ldconfig.real rix,
owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,
owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,
owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,
include if exists <local/mkinitramfs_ldconfig> include if exists <local/mkinitramfs_ldconfig>
} }
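Review bot: In the last hunk the `ldconfig` child profile replaces its enumerated staging-tree rules (ld.so.conf and conf.d, the `@{lib}` `*.so*` files, ld.so.cache, the ldconfig aux-cache) with `owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,` and the `/tmp/tmp.@{rand10}/` equivalent, which lets ldconfig write and link anywhere in the staging tree instead of only the paths it touches. If the tests only required the new `/tmp/tmp.@{rand10}/` prefix, repeating the old specific lines under that prefix keeps the child profile as tight as before; if broad access is intended, a comment above the two lines such as `# ldconfig rewrites the staged lib/ tree in place` would record why. The link target is a separate glob from the source, so a link between two different `mkinitramfs_@{rand6}` trees is also allowed by this rule; the same form is used in kdump-config in this commit, so this is likely acceptable but worth knowing. The ldconfig child profile's header is outside the hunk.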


@ -23,6 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{bin}/dpkg-query rpx, @{bin}/dpkg-query rpx,
@{bin}/fail2ban-server rPx, @{bin}/fail2ban-server rPx,
@{bin}/stty rix,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,


@ -71,6 +71,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+platform:* r, @{run}/udev/data/+platform:* r,
@{sys}/bus/pci/devices/ r, @{sys}/bus/pci/devices/ r,
@{sys}/bus/pci/drivers/*/ r,
@{sys}/bus/platform/devices/ r,
@{sys}/class/drm/ r, @{sys}/class/drm/ r,
@{sys}/class/net/ r, @{sys}/class/net/ r,
@{sys}/class/power_supply/ r, @{sys}/class/power_supply/ r,
@ -80,6 +82,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/class r,
@{sys}/devices/**/net/**/uevent r, @{sys}/devices/**/net/**/uevent r,
@{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
@{sys}/devices/virtual/dmi/id/chassis_type r,
@{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/product_version r,
@{sys}/devices/virtual/net/**/uevent r, @{sys}/devices/virtual/net/**/uevent r,
@{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/platform_profile* rw,