diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw
index 3b931fb2b..39517ee6c 100644
--- a/apparmor.d/groups/firewall/ufw
+++ b/apparmor.d/groups/firewall/ufw
@@ -30,13 +30,12 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{python_path} rix,
- @{bin}/ r,
+ @{sbin}/ r,
 @{bin}/cat rix,
- @{bin}/echo rix,
 @{bin}/env r,
 @{bin}/kmod rCx -> kmod,
- @{lib}/ufw/ufw-init rix,
- @{sbin}/sysctl rix,
+ @{lib}/ufw/ufw-init rPx,
+ @{sbin}/sysctl rCx -> sysctl,
 @{sbin}/xtables-legacy-multi rix,
 @{sbin}/xtables-nft-multi rix,
@@ -70,6 +69,21 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+ profile sysctl {
+ include
+ include
+
+ capability net_admin,
+
+ @{sbin}/sysctl mr,
+
+ /etc/ufw/sysctl.conf r,
+
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init
index 5c0521790..aae80b87d 100644
--- a/apparmor.d/groups/firewall/ufw-init
+++ b/apparmor.d/groups/firewall/ufw-init
@@ -11,6 +11,7 @@ profile ufw-init @{exec_path} {
 include
 include
+ capability dac_read_search,
 capability net_admin,
 network inet dgram,
@@ -22,7 +23,8 @@ profile ufw-init @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
- @{sbin}/sysctl rix,
+ @{bin}/echo rix,
+ @{sbin}/sysctl rCx -> sysctl,
 @{sbin}/xtables-legacy-multi rix,
 @{sbin}/xtables-nft-multi rix,
@@ -30,7 +32,22 @@ profile ufw-init @{exec_path} {
 /etc/ufw/* r,
 @{PROC}/@{pid}/net/ip_tables_names r,
- @{PROC}/sys/net/ipv{4,6}/** rw,
+ # @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ profile sysctl {
+ include
+ include
+
+ capability net_admin,
+
+ @{sbin}/sysctl mr,
+
+ /etc/ufw/sysctl.conf r,
+
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+
+ include if exists
+ }
 include if exists
 }
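Review bot: The new `profile sysctl {` child added to ufw in the second hunk is a line-for-line copy of the one added to ufw-init in the last hunk of this diff, so any later tightening of `@{PROC}/sys/net/ipv{4,6}/** rw,` or of the capability set has to be made in two places and can silently drift. If both parents genuinely need to run sysctl as their own child, a comment in each copy, e.g. `# keep in sync with the sysctl child profile in ufw-init` (and the mirror note in ufw-init), would at least make the coupling visible to the next editor. Whether the project layout would instead allow one shared profile that both parents reach by a profile transition cannot be judged from these hunks.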
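Review bot: `capability dac_read_search,` is added to the top-level ufw-init profile in the first ufw-init hunk with no comment naming the access that needs it; this capability lets every operation under the profile bypass DAC read checks on files and read/search checks on directories, which is wider than any single path rule in the file. A one-line note such as `# dac_read_search: <access that produced the denial — TODO fill in from the audit log>` would let a later auditor decide whether it is still required now that the sysctl work has moved into a child profile. The hunk does not show which access triggered it, so it is also not possible to tell from here whether the capability belongs in the parent or only in the new sysctl child.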
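Review bot: In the last ufw-init hunk the removed rule is kept as a commented-out line, `# @{PROC}/sys/net/ipv{4,6}/** rw,`, with no explanation, so a reader cannot tell whether it is dead text or something expected to be re-enabled. Since the same path is now granted inside the child `profile sysctl {` directly below, either drop the commented line or turn it into a statement of intent, e.g. `# /proc/sys/net writes are now confined to the sysctl child profile below`. If ufw-init ever touches those paths without going through sysctl, the resulting denial will only surface in the audit log at runtime; nothing in the hunk shows whether that happens.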