From c008cbda671320879d18f26afb2f44bf6ae72c4a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:43:57 +0200 Subject: [PATCH] feat(profile): add profile for most of udev internat scripts Required by FSP. --- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/profiles-s-z/udev-ata_id | 23 +++++++++++++++ .../profiles-s-z/udev-bcache-export-cached | 23 +++++++++++++++ apparmor.d/profiles-s-z/udev-cdrom_id | 24 ++++++++++++++++ apparmor.d/profiles-s-z/udev-fido_id | 24 ++++++++++++++++ apparmor.d/profiles-s-z/udev-hdparm | 28 +++++++++++++++++++ apparmor.d/profiles-s-z/udev-probe-bcache | 21 ++++++++++++++ dists/flags/main.flags | 6 ++++ 8 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/udev-ata_id create mode 100644 apparmor.d/profiles-s-z/udev-bcache-export-cached create mode 100644 apparmor.d/profiles-s-z/udev-cdrom_id create mode 100644 apparmor.d/profiles-s-z/udev-fido_id create mode 100644 apparmor.d/profiles-s-z/udev-hdparm create mode 100644 apparmor.d/profiles-s-z/udev-probe-bcache diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 29b40cb48..9e81cec83 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd -profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { +profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id new file mode 100644 index 000000000..f12ed105f --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-ata_id @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/ata_id +profile udev-ata_id @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached new file mode 100644 index 000000000..51746625e --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bcache-export-cached +profile udev-bcache-export-cached @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/bcache-super-show rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id new file mode 100644 index 000000000..552159867 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-cdrom_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/cdrom_id +profile udev-cdrom_id @{exec_path} { + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + /dev/sr@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id new file mode 100644 index 000000000..76ec27b68 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/fido_id +profile udev-fido_id @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/virtual/**/report_descriptor r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm new file mode 100644 index 000000000..bca98163b --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-hdparm @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/hdparm +profile udev-hdparm @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/udevadm rPx, + + /etc/hdparm.conf r, + + @{PROC}/cmdline r, + @{PROC}/mdstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache new file mode 100644 index 000000000..e02e070a8 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-probe-bcache @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/probe-bcache +profile udev-probe-bcache @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 06c3e3e27..5f99d7552 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -352,7 +352,13 @@ telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain ucf complain +udev-ata_id complain +udev-bcache-export-cached complain +udev-cdrom_id complain udev-dmi-memory-id complain +udev-fido_id complain +udev-hdparm complain +udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain