feat(profiles): general update.

2023-09-01 22:50:43 +01:00 · 2023-09-01 22:50:43 +01:00 · b2fa7bacb8
commit b2fa7bacb8
parent 0c151259d2
19 changed files with 108 additions and 72 deletions
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@ -73,8 +73,8 @@ profile apt-methods-gpgv @{exec_path} {
        /var/lib/apt/lists/{,**} r,
        /var/lib/dpkg/arch r,
        /var/lib/extrepo/keys/*.{gpg,asc} r,
+        /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
  owner /var/lib/apt/lists/{,**} rw,
-  owner /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
  owner /var/lib/apt/lists/partial/* rw,

  # For package building
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -141,6 +141,7 @@ profile pulseaudio @{exec_path} {
  @{lib}/@{multiarch}/pulse/gconf-helper mrix,
  @{lib}/pulse-*/modules/*.so mr,

+  /usr/share/ladspa/rdf/{,*} r,
  /usr/share/pulseaudio/{,**} r,

  /var/lib/snapd/desktop/applications/ r,
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@ -44,6 +44,9 @@ profile gnome-extension-gsconnect @{exec_path} {
  @{lib}/gio/modules/*.so* rm,
  @{lib}/girepository-1.0/* r,

+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
+
  @{share_dirs}/{,**} r,
  @{share_dirs}/gsconnect-preferences rix,

@ -61,6 +64,8 @@ profile gnome-extension-gsconnect @{exec_path} {
  owner @{user_config_dirs}/pulse/client.conf r,
  owner @{user_config_dirs}/pulse/cookie rk,

+  owner @{user_share_dirs}/ r,
+
  owner @{run}/user/@{uid}/gsconnect/ w,
  owner @{run}/user/@{uid}/pulse/ r,

--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -81,7 +81,9 @@ profile gnome-software @{exec_path} {
  owner @{user_config_dirs}/pulse/*.conf r,

  owner @{user_share_dirs}/ r,
-  owner @{user_share_dirs}/flatpak/repo/{,**} rw,
+  owner @{user_share_dirs}/flatpak/.changed w,
+  owner @{user_share_dirs}/flatpak/repo/ rw,
+  owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
  owner @{user_share_dirs}/gnome-software/{,**} rw,

  owner /tmp/ostree-gpg-*/ rw,
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@ -39,7 +39,7 @@ profile ssh-agent @{exec_path} {
  @{run}/user/@{uid}/keyring/.ssh rw,
  @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,

-  owner /dev/tty@{int} rw,
+  /dev/tty@{int} rw,

  include if exists <local/ssh-agent>
 }
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -16,9 +16,11 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {

  capability dac_override,
  capability dac_read_search,
+  capability mknod,
  capability net_admin,
  capability sys_resource,

+  signal (receive) set=(term) peer=cockpit-bridge,
  signal (send) peer=child-pager,

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -53,6 +53,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
  @{run}/udev/data/c4:@{int} r,           # For TTY devices
  @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
+  @{run}/udev/data/c108:@{int} r,         # For /dev/ppp
  @{run}/udev/data/c18[8-9]:[0-9]* r,     # USB devices & USB serial converters
  @{run}/udev/data/c29:[0-9]* r,          # For CD-ROM
  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -33,7 +33,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  network inet6 dgram,
  network netlink raw,

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{bin}/{,ba,da}sh        rix,
  @{bin}/{,e}grep          rix,
@ -50,21 +50,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/setfacl           rix,
  @{bin}/snap              rPx,
  @{bin}/unshare           rix,
+  @{bin}/lvm               rPx,
+  @{bin}/touch             rix,

-  @{bin}/*             rpux,
-  audit @{bin}/lvm      rux,
-
-  @{lib}/pm-utils/power.d/*          rPUx,
-  @{lib}/snapd/snap-device-helper     rPx,
-  @{lib}/crda/*                      rPUx,
-  @{lib}/gdm-runtime-config           rPx,
-  @{lib}/systemd/systemd-*            rPx,
-  @{lib}/nfsrahead                    rPUx,
-  @{lib}/udev/*                      rPUx,
+  @{bin}/systemctl rCx -> systemctl,
+  @{lib}/crda/*                           rPUx,
+  @{lib}/gdm-runtime-config               rPx,
+  @{lib}/nfsrahead                        rPUx,
  @{lib}/open-iscsi/net-interface-handler rPUx,
+  @{lib}/pm-utils/power.d/*               rPUx,
+  @{lib}/snapd/snap-device-helper         rPx,
+  @{lib}/systemd/systemd-*                rPx,
+  @{lib}/udev/*                           rPUx,
  /usr/share/hplip/config_usb_printer.py  rPUx,

-  /etc/console-setup/*.sh       rPUx,
+  /etc/console-setup/*.sh            rPUx,
  /etc/network/cloud-ifupdown-helper rPUx,

  /etc/machine-id r,
@ -110,5 +110,21 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  deny /apparmor/.null rw,

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemd-common>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{bin}/systemctl mr,
+  
+    / r,
+
+    @{PROC}/sys/kernel/cap_last_cap r,
+
+    include if exists <local/systemd-udevd_systemctl>
+  }
+
  include if exists <local/systemd-udevd>
 }