From b6e4b4b743d6f6debec569adce16d8462bf97403 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sun, 19 Dec 2021 00:40:26 +0300
Subject: [PATCH] fixes

---
 apparmor.d/profiles-g-l/grc | 17 ++++++++++++-----
 apparmor.d/profiles-g-l/ls | 22 ----------------------
 apparmor.d/profiles-s-z/ss | 31 +++++++++++++++++++------------
 3 files changed, 31 insertions(+), 39 deletions(-)
 delete mode 100644 apparmor.d/profiles-g-l/ls

diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc
index 2040b1321..2dbf350ed 100644
--- a/apparmor.d/profiles-g-l/grc
+++ b/apparmor.d/profiles-g-l/grc
@@ -1,4 +1,3 @@
-# vim:syntax=apparmor
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
@@ -14,6 +13,14 @@ profile grc @{exec_path} {
 include
 include
+ capability dac_read_search,
+ # No visible effect
+ deny capability dac_override,
+
+ signal (send) set=(int) peer=ss,
+ signal (send) set=(int) peer=ping,
+ signal (send) set=(int) peer=traceroute,
+
 # python-strict
 /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
 /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
@@ -23,7 +30,7 @@ profile grc @{exec_path} {
 owner @{HOME}/.grc/** r,
 /etc/grc.conf r,
- /{,usr/}{,local/}share/grc/{,**} r,
+ /usr/{,local/}share/grc/{,**} r,
 /{,usr/}bin/grcat rix,
 /{,usr/}bin/cat rix,
@@ -33,18 +40,18 @@ profile grc @{exec_path} {
 /{,usr/}bin/{,e}grep rix,
 /{,usr/}bin/sed rix,
 /{,usr/}bin/less rix,
+ /{,usr/}bin/ls rix,
 /{,usr/}bin/ping rPx,
- /{,usr/}bin/traceroute rPx,
 /{,usr/}bin/df rPx,
 /{,usr/}bin/dfc rPx,
 /{,usr/}bin/ss rPx,
- /{,usr/}bin/ls rPx,
 /{,usr/}bin/ps rPx,
 /{,usr/}bin/ip rPx,
 /{,usr/}bin/lsblk rPx,
 /{,usr/}bin/diff rPx,
 /{,usr/}sbin/blkid rPx,
+ /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} rPx,
 @{GRC_PATHS_RO}/** r,
 @{MOUNTS}/** r,
@@ -56,7 +63,7 @@ profile grc @{exec_path} {
 audit deny /etc/ssh/ssh_host_*_key mrwkl,
 # Noise
- deny /{,usr/}bin/ r,
+ deny /usr/bin/ r,
 include if exists
 }
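Review bot: The three new `signal (send) set=(int) peer=...` rules are only matched on one side: this patch adds `signal (receive) set=(int) peer=grc` to the ss profile, but the ping and traceroute profiles are not touched, and AppArmor mediates a signal in both the sender's and the receiver's profile, so SIGINT from grc to ping or traceroute will still be denied unless those profiles already carry `signal (receive) set=(int) peer=grc`; either add the receive rules in the same change or note in the profile why they are deferred. Separately, `capability dac_read_search` is now granted to the whole grc profile, and because `ls`, `cat`, `less`, `grep` and `sed` run `rix` under it, the capability now covers everything those helpers read rather than the directory traversal the deleted ls profile limited it to; a why-comment on that line (and something less terse than `# No visible effect` on the `deny capability dac_override`, which does not tell a reader whether the denial is harmless or expected to log) would make the trade-off reviewable. The last hunk also switches `deny /{,usr/}bin/ r,` and the traceroute rule to bare `/usr/` while neighbouring rules keep the `/{,usr/}` alternation, so a non-merged-/usr `/bin/traceroute` is no longer matched; if that is intentional it is worth stating in the profile. profile grc starts outside the hunks.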
diff --git a/apparmor.d/profiles-g-l/ls b/apparmor.d/profiles-g-l/ls
deleted file mode 100644
index 26ce87242..000000000
--- a/apparmor.d/profiles-g-l/ls
+++ /dev/null
@@ -1,22 +0,0 @@
-# vim:syntax=apparmor
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = /{,usr/}bin/ls
-profile ls @{exec_path} {
- @{exec_path} r,
- include
- include
- capability dac_read_search,
- # Directory traverse
- / r,
- /**/ r,
- include if exists
-}
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss
index ff959b34d..b23a92cb1 100644
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@@ -1,4 +1,3 @@
-# vim:syntax=apparmor
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
@@ -18,22 +17,30 @@ profile ss @{exec_path} {
 ptrace (read),
+ signal (receive) set=(int) peer=grc,
+
 /etc/iproute2/{,**} r,
- @{PROC} r,
- @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/attr/current r,
- @{PROC}/@{pid}/net/sockstat r,
- @{PROC}/@{pid}/net/snmp r,
+ @{PROC} r,
+ @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/attr/current r,
+ owner @{PROC}/@{pid}/net/sockstat r,
+ owner @{PROC}/@{pid}/net/snmp r,
+ owner @{PROC}/@{pid}/net/unix r,
+ owner @{PROC}/@{pid}/net/raw r,
+ owner @{PROC}/@{pid}/net/tcp r,
+ owner @{PROC}/@{pid}/net/udp r,
+
+ # [e]xtended
+ owner @{PROC}/@{pid}/mounts r,
+ @{sys}/fs/cgroup/{,**/} r,
+
+ network netlink raw,
 owner /tmp/*.ss rw,
 owner @{HOME}/*.ss rw,
- # [e]xtended
- @{PROC}/@{pid}/mounts r,
- @{sys}/fs/cgroup/{,**/} r,
-
 include if exists
 }
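Review bot: The `owner` qualifier added to the `@{PROC}/@{pid}/net/*` reads is not applied to `@{PROC}/@{pid}/fd/`, `@{PROC}/@{pid}/stat` or `@{PROC}/@{pid}/attr/current`, and nothing in the hunk says why the two groups differ. If the unqualified reads exist so that `ss -p` can attribute sockets to processes of other users (which is also what the `ptrace (read),` context line above them would serve), a comment such as `# -p: map sockets to any user's processes (needs ptrace read)` would keep a later clean-up from adding `owner` and silently breaking it; I am inferring that purpose from the paths, not from anything in the diff. The new `network netlink raw,` line would likewise benefit from a one-line note on what it is for (presumably sock_diag queries, with the `/proc/net` reads above as the fallback) — again an inference to confirm. profile ss's header lies outside the hunk.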