feat(profile): update apt profiles.

Alexandre Pujol 2025-09-11 22:09:38 +02:00
parent ca1827ea12
commit b569d44703
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
11 changed files with 44 additions and 6 deletions


@ -6,6 +6,7 @@
abi <abi/4.0>, abi <abi/4.0>,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/ostable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
/usr/share/dpkg/varianttable r, /usr/share/dpkg/varianttable r,
@ -19,6 +20,9 @@
/etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/ r,
/etc/apt/sources.list.d/*.{sources,list} r, /etc/apt/sources.list.d/*.{sources,list} r,
/etc/apt/trusted.gpg r,
/etc/apt/trusted.gpg.d/{,*} r,
/var/lib/apt/lists/{,**} r, /var/lib/apt/lists/{,**} r,
/var/lib/apt/extended_states r, /var/lib/apt/extended_states r,
@ -26,7 +30,7 @@
/var/cache/apt/srcpkgcache.bin r, /var/cache/apt/srcpkgcache.bin r,
/var/lib/dpkg/status r, /var/lib/dpkg/status r,
/var/lib/ubuntu-advantage/apt-esm/{,**} r, /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/clearsigned.message.* rw, owner @{tmp}/clearsigned.message.* rw,


@ -147,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
/tmp/ r, /tmp/ r,
/tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/ w,
/tmp/apt-changelog-*/*.changelog w, /tmp/apt-changelog-*/*.changelog w,
/tmp/apt-tmp-index.@{rand6} rw,
owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw,
owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/ rw,
owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w,
@ -190,6 +191,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{bin}/bunzip2 rix, @{bin}/bunzip2 rix,
@{bin}/chmod rix, @{bin}/chmod rix,
@{bin}/bzip2 rix,
@{bin}/gunzip rix, @{bin}/gunzip rix,
@{bin}/gzip rix, @{bin}/gzip rix,
@{bin}/patch rix, @{bin}/patch rix,
@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{bin}/tar rix, @{bin}/tar rix,
@{bin}/xz rix, @{bin}/xz rix,
/etc/dpkg/origins/debian r, /etc/dpkg/origins/* r,
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
owner @{HOME}/** rwkl -> @{HOME}/**, owner @{HOME}/** rwkl -> @{HOME}/**,
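Review bot: The new `/tmp/apt-tmp-index.@{rand6} rw,` rule in the first hunk has no `owner` qualifier and hard-codes `/tmp/`, unlike the `owner @{tmp}/apt-changelog-*/...` and `owner @{tmp}/apt-dpkg-install-*/` rules immediately below it (the pre-existing `/tmp/apt-changelog-*` lines above it also lack `owner`, but they are not part of this change). In a world-writable directory the owner qualifier is what stops the confined process from reading or writing a file planted under a matching name by another user, so I would write it as `owner @{tmp}/apt-tmp-index.@{rand6} rw,` unless apt is known to open this file under a different uid than the one that created it. The profile apt body continues outside the hunk.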


@ -25,6 +25,8 @@ profile apt-helper @{exec_path} {
capability net_admin, capability net_admin,
ptrace read peer=@{p_systemd},
include if exists <local/apt-helper_systemctl> include if exists <local/apt-helper_systemctl>
} }


@ -74,6 +74,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
@{run}/ubuntu-advantage/aptnews.json rw, @{run}/ubuntu-advantage/aptnews.json rw,
owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw,
@{run}/systemd/resolve/io.systemd.Resolve rw,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
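Review bot: The added `@{run}/systemd/resolve/io.systemd.Resolve rw,` grants the http method access to what appears to be systemd-resolved's varlink socket, but nothing says why a transport method needs it directly; if this is glibc's nss-resolve module talking to resolved during name lookup, every confined program that resolves names needs the same rule and it belongs in the shared name-service abstraction rather than in this one profile. I would either move it there (or drop it if the abstraction the profile includes already carries it) or annotate the line, e.g. `@{run}/systemd/resolve/io.systemd.Resolve rw, # varlink to systemd-resolved (nss-resolve)`. I cannot see the abstractions from this hunk, so this is hedged on what they already contain. The profile body continues outside the hunk.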


@ -15,6 +15,8 @@ profile deb-systemd-invoke @{exec_path} {
capability net_admin, capability net_admin,
capability sys_resource, capability sys_resource,
ptrace read peer=@{p_systemd},
signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal send set=(cont term) peer=systemd-tty-ask-password-agent,
@{exec_path} mr, @{exec_path} mr,


@ -18,6 +18,9 @@ profile dpkg @{exec_path} {
capability fowner, capability fowner,
capability fsetid, capability fsetid,
capability setgid, capability setgid,
capability sys_ptrace,
ptrace read peer=apt,
@{exec_path} mr, @{exec_path} mr,
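Review bot: `capability sys_ptrace,` is considerably broader than the `ptrace read peer=apt,` rule added next to it and is the only new capability in the hunk. For a PTRACE_MODE_READ access to another process's /proc entries the kernel only consults CAP_SYS_PTRACE when the target runs under a different uid or is non-dumpable, and both dpkg and the apt parent normally run as root, so the capability may be granting more than the access actually requires. I would first try with only `ptrace read peer=apt,` and add the capability only if the audit log really reports `capname="sys_ptrace"` for dpkg, documenting the trigger on the line, e.g. `capability sys_ptrace, # read /proc/<apt pid>/* of a non-dumpable apt`. The profile body continues outside the hunk.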


@ -14,10 +14,13 @@ profile dpkg-buildflags @{exec_path} flags=(complain) {
@{exec_path} r, @{exec_path} r,
/etc/dpkg/origins/debian r, /usr/share/lto-disabled-list/lto-disabled-list r,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
/usr/share/dpkg/abitable r,
/etc/dpkg/origins/* r,
owner @{user_config_dirs}/dpkg/buildflags.conf r, owner @{user_config_dirs}/dpkg/buildflags.conf r,


@ -11,16 +11,21 @@ include <tunables/global>
profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
include <abstractions/common/apt>
@{exec_path} r, @{exec_path} r,
/etc/dpkg/origins/debian r, @{bin}/dpkg rPx,
@{bin}/@{multiarch}gcc-@{int} mrix,
/var/lib/dpkg/status r,
/usr/share/dpkg/ostable r,
/usr/share/dpkg/cputable r, /usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
/etc/dpkg/origins/* r,
/var/lib/dpkg/status r,
# For package building # For package building
owner @{user_build_dirs}/**/debian/control r, owner @{user_build_dirs}/**/debian/control r,
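Review bot: `@{bin}/dpkg rPx,` hands off to the full dpkg profile, while the dpkg-script-apparmor profile in this same commit uses `@{bin}/dpkg Px -> child-dpkg,` for the same binary. dpkg-checkbuilddeps parses `/var/lib/dpkg/status` itself (hence the read rule here) and, as far as I can tell, only invokes dpkg in query mode for the build architecture, so `@{bin}/dpkg rPx -> child-dpkg,` would be both the consistent and the least-privilege choice if child-dpkg covers the query paths; I cannot see that profile from this hunk. The profile body continues outside the hunk.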


@ -2,6 +2,8 @@
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
# TODO: merge with dpkg-scripts
abi <abi/4.0>, abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@ -16,8 +18,13 @@ profile dpkg-script-apparmor @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/{,e}grep ix, @{bin}/{,e}grep ix,
@{bin}/cat ix,
@{bin}/chmod ix,
@{bin}/mkdir ix,
@{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-helper Px,
@{bin}/dpkg-maintscript-helper Px,
@{bin}/dpkg Px -> child-dpkg,
@{bin}/deb-systemd-invoke Px, @{bin}/deb-systemd-invoke Px,
@{bin}/dpkg-divert ix, @{bin}/dpkg-divert ix,
@{bin}/systemctl Cx -> systemctl, @{bin}/systemctl Cx -> systemctl,


@ -114,6 +114,10 @@ profile dpkg-scripts @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
capability sys_resource, capability sys_resource,
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
ptrace read peer=@{p_systemd},
@{bin}/systemd-tty-ask-password-agent Px, @{bin}/systemd-tty-ask-password-agent Px,
@{pager_path} Px -> child-pager, @{pager_path} Px -> child-pager,


@ -38,6 +38,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
#aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,
@ -70,6 +72,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{lib}/zsys-system-autosnapshot Px, @{lib}/zsys-system-autosnapshot Px,
/usr/share/distro-info/* r, /usr/share/distro-info/* r,
/usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r,
@{etc_ro}/login.defs r, @{etc_ro}/login.defs r,
@{etc_ro}/security/capability.conf r, @{etc_ro}/security/capability.conf r,
@ -127,6 +130,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/attr/current r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r, @{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pids}/fd/ r,