From c03bcbef7a800d3d4523d4d21b41563d598358d5 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 25 May 2025 01:00:08 +0200
Subject: [PATCH] feat(profile): rewrite the needrestart profiles.

---
 apparmor.d/profiles-m-r/needrestart | 37 ++++++++++---------
 apparmor.d/profiles-m-r/needrestart-hook | 25 +++++++++++++
 .../needrestart-iucode-scan-versions | 4 +-
 apparmor.d/profiles-m-r/needrestart-notify | 32 ++++++++++++++++
 apparmor.d/profiles-m-r/needrestart-restart | 32 ++++++++++++++++
 .../needrestart-vmlinuz-get-version | 2 +-
 dists/flags/main.flags | 3 ++
 7 files changed, 115 insertions(+), 20 deletions(-)
 create mode 100644 apparmor.d/profiles-m-r/needrestart-hook
 create mode 100644 apparmor.d/profiles-m-r/needrestart-notify
 create mode 100644 apparmor.d/profiles-m-r/needrestart-restart

diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 5d5e76ed5..13838902e 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -22,35 +22,34 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   ptrace read,
-  mqueue (r,getattr) type=posix /,
-
   @{exec_path} mrix,
   @{sh_path} rix,
   @{bin}/dpkg-query rpx,
   @{bin}/fail2ban-server rPx,
-  @{bin}/locale rix,
-  @{python_path} rix,
   @{bin}/sed rix,
   @{bin}/stty rix,
   @{bin}/systemctl rCx -> systemctl,
   @{bin}/systemd-detect-virt rPx,
   @{bin}/udevadm rCx -> udevadm,
-  @{sbin}/unix_chkpwd rPx,
-  @{bin}/whiptail rPx,
   @{bin}/who rix,
   @{lib}/needrestart/* rPx,
+  @{python_path} rix,
+  @{sbin}/unix_chkpwd rPx,
+  /usr/share/debconf/frontend rCx -> debconf,
-  /etc/debconf.conf r,
+  /etc/needrestart/hook.d/* rPx,
+  /etc/needrestart/notify.d/* rPx,
+  /etc/needrestart/restart.d/* rPx,
+
   /etc/init.d/* r,
   /etc/needrestart/{,**} r,
-  /etc/needrestart/*.d/* rix,
   /etc/shadow r,
   / r,
-  /boot/ r,
-  /boot/* r,
+  @{efi}/ r,
+  @{efi}/* r,
   /opt/*/** r,
   @{bin}/* r,
   @{lib}/** r,
@@ -59,23 +58,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /usr/share/** r,
   /var/lib/*/** r,
-  owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+  @{run}/systemd/sessions/* r,
   /tmp/@{word10}/ rw,
-  owner @{run}/sshd.pid r,
-  @{PROC}/ r,
-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/@{pids}/cmdline r,
-  @{PROC}/@{pids}/environ r,
-  @{PROC}/@{pids}/maps r,
-  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/environ r,
+  @{PROC}/@{pid}/maps r,
+  @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/fd/ r,
   /dev/ r,
   /dev/**/ r,
+  deny mqueue type=posix /,
+
   profile systemctl {
     include
     include
@@ -101,6 +100,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
     include
     include
+    @{sbin}/needrestart Px,
+
     include if exists
   }
diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook
new file mode 100644
index 000000000..fa77834e8
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-hook
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/needrestart/hook.d/*
+profile needrestart-hook @{exec_path} {
+  include
+  include
+  include
+
+  @{exec_path} mr,
+  @{sh_path} rix,
+
+  @{bin}/dpkg-query px,
+
+  /tmp/ r,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
index 3484ea298..d75301fc6 100644
--- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
@@ -12,19 +12,21 @@ profile needrestart-iucode-scan-versions @{exec_path} {
   @{exec_path} mr,
-  @{sbin}/iucode_tool rix,
   @{sh_path} rix,
   @{bin}/{,e}grep rix,
   @{bin}/bsdtar rix,
   @{bin}/cat rix,
+  @{sbin}/iucode_tool rix,
   /usr/share/misc/ r,
+  /usr/share/misc/amd64-microcode* r,
   /usr/share/misc/intel-microcode* r,
   /etc/default/amd64-microcode r,
   /etc/default/intel-microcode r,
   /etc/needrestart/iucode.sh r,
+  /boot/amd64-ucode.img r,
   /boot/intel-ucode.img r,
   /boot/early_ucode.cpio r,
diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify
new file mode 100644
index 000000000..dc4a30c69
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-notify
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/needrestart/notify.d/*
+profile needrestart-notify @{exec_path} {
+  include
+
+  capability dac_read_search,
+  capability sys_ptrace,
+
+  ptrace read peer=unconfined,
+
+  @{exec_path} mr,
+
+  @{sh_path} r,
+  @{bin}/gettext.sh r,
+  @{bin}/sed ix,
+
+  /etc/needrestart/notify.conf r,
+
+  @{PROC}/@{pid}/environ r,
+  @{PROC}/filesystems r,
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart
new file mode 100644
index 000000000..2fc79b70c
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-restart
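Review bot: `@{PROC}/@{pid}/environ r` combined with `capability sys_ptrace` and `ptrace read peer=unconfined` lets every script in notify.d read the environment of any unconfined process, which is the most sensitive grant in this new profile and carries no explanation. Presumably the scripts use it to find the session of each logged-in user (display or bus address); a comment above the rule such as `# Locate user sessions through their environment to deliver the notification — confirm scope` would keep a later cleanup from dropping or widening it blindly. Separately, needrestart-hook grants `@{sh_path} rix,` while this profile grants `@{sh_path} r,`; if the notify scripts never spawn a subshell that is fine, but the difference deserves a word since both are shell hook directories of the same package.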
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /etc/needrestart/restart.d/*
+profile needrestart-restart @{exec_path} {
+  include
+
+  @{exec_path} mr,
+
+  @{bin}/systemctl Cx -> systemctl,
+
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
+  profile systemctl {
+    include
+    include
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    include if exists
+  }
+
+  include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
index 655566c74..e5ee2fd8f 100644
--- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
+++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
@@ -23,7 +23,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} {
   @{bin}/rm rix,
   @{bin}/tail rix,
   @{bin}/tr rix,
-  @{bin}/which rix,
+  @{bin}/which{,.debianutils} rPx,
   @{bin}/xz rix,
   /boot/intel-ucode.img r,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 9faad80f9..592b681e5 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -240,6 +240,9 @@ ModemManager attach_disconnected,complain
 mount attach_disconnected,complain
 multipath attach_disconnected,complain
 multipathd complain
+needrestart-hook complain
+needrestart-notify complain
+needrestart-restart complain
 netplan.script attach_disconnected,complain
 networkctl attach_disconnected,complain
 networkd-dispatcher complain
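Review bot: `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` gives the restart.d scripts write, and therefore truncate, access to a log owned by another package, and nothing in the profile says why a restart hook touches it. If the script only appends, `a` is the tighter AppArmor permission, i.e. `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log ra,`; either way a comment naming the script that needs it would help the next reader. On style, the main needrestart profile writes the same transition as `@{bin}/systemctl rCx -> systemctl,` while this file uses `Cx` without `r`; one form across the needrestart profiles would be cleaner.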
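Review bot: Adding the three new profiles in complain mode means that, once the first needrestart hunk replaces `/etc/needrestart/*.d/* rix` with `rPx` transitions into them, the hook, notify and restart scripts run with denials only logged, whereas before they ran inline under needrestart's own rules. Assuming the main needrestart profile is enforced, which this hunk does not show, that is a temporary widening of what these scripts may do; it is the usual staging step for new profiles, but the commit message does not mention it. A sentence in the description, or a tracking note next to these three entries, would make the intent and the expected follow-up to enforce them explicit.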