From c8754571a53dc9d0c75ebb5f541702488ab2e534 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:19:35 +0200 Subject: [PATCH] fix(profile): apply fixes raised by tests --- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- apparmor.d/abstractions/common/electron | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 7 ++++++- .../groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/groups/ubuntu/update-notifier-crash | 15 +++++++++++++-- apparmor.d/profiles-a-f/dracut-install | 1 + apparmor.d/profiles-m-r/mdadm | 1 + 9 files changed, 29 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b002d6fa4..b683cf128 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -26,6 +26,11 @@ member={ItemNew,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 341cf58ce..4fb1764bc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -8,7 +8,7 @@ dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} + member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1 
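Review bot: The added `dbus receive` rule writes its peer as `peer=(name=@{busname}, label="@{p_avahi_daemon}"),` with `@{busname}` unquoted, while the rule directly above it in the same abstraction quotes it as `name="@{busname}"`; one form should be used, and matching the existing line, `peer=(name="@{busname}", label="@{p_avahi_daemon}"),`, is the smaller change. Both forms presumably parse, but mixed quoting inside one abstraction reads as an accident rather than intent. Since this is a shared abstraction, every profile that includes it now receives `StateChanged` from the avahi daemon; a receive rule is harmless, but a short comment such as `# Server state notifications from avahi-daemon` above the rule would make the new entry self-explaining. The include targets in this rendering have lost their `<abstractions/...>` arguments, so they cannot be reviewed here.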
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8134f8681..6216ec939 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -75,6 +75,7 @@ @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, @@ -88,7 +89,6 @@ owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 641862965..b2ae65450 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -12,14 +12,19 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index f3f27b523..c791e6375 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -31,6 +31,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 6c4dc4d77..361290980 100644 
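Review bot: Dropping `owner` from the `@{PROC}/@{pid}/task/@{tid}/status r,` rule (re-added without it in the first hunk, removed in the second) lets every Electron app using this abstraction read the status file of any thread of any process on the system rather than only its own, and that file exposes process metadata such as Uid/Gid and capability sets; the widening deserves a why-comment naming the denial it fixes, e.g. `@{PROC}/@{pid}/task/@{tid}/status r, # status of non-owned processes, see test log`. It is consistent with the already non-owner `@{PROC}/@{pid}/stat r,` line next to it, so it may well be intended, but if the denial came from one known helper process a narrower match would let the rest stay under `owner`; which process triggered it is not visible from the hunk. The abstraction's surrounding rules start and end outside these hunks.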
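Review bot: `@{bin}/xdg-user-dirs-update Px,` is a transition to a named profile that this commit does not add (the diffstat lists no new profile file), so the exec only succeeds if a profile attached to `@{bin}/xdg-user-dirs-update` is already shipped and loaded; otherwise the transition is denied with no fallback, so confirm that profile exists in the tree. `owner @{tmp}/dirs-@{rand6} rw,` is appropriately scoped with `owner`, though a comment like `# temporary copy of user-dirs.dirs written by the updater` would help, since the purpose of the file is only a guess from its name. The two new `include` lines have lost their `<abstractions/...>` arguments in this rendering and cannot be reviewed. The `profile xdg-user-dirs-gtk-update` block begins before the hunk.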
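Review bot: `@{PROC}/@{pid}/fdinfo/@{int} r,` grants reading the fdinfo entries of any process, whereas a machine-id setup tool presumably only inspects its own descriptors (for example the one it holds on `/etc/machine-id`); `owner @{PROC}/@{pid}/fdinfo/@{int} r,` would cover that with less exposure, and if the wider read is really needed the test log should say which pid it was. The neighbouring `@{PROC}/1/environ r,` targets pid 1 explicitly, so the unscoped `@{pid}` here reads more like an oversight than a deliberate choice. The profile body continues outside the hunk.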
--- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -85,7 +85,6 @@ profile update-notifier @{exec_path} { profile systemctl { include include - include dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index dee094aa1..d65c77a08 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -9,17 +9,28 @@ include @{exec_path} = @{lib}/update-notifier/update-notifier-crash profile update-notifier-crash @{exec_path} { include + include @{exec_path} mr, - @{bin}/systemctl Cx -> systemctl, - + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} ix, + @{sh_path} mr, /usr/share/apport/apport-checkreports Px, + owner @{HOME}/ r, + profile systemctl { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + include if exists } diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 2000635d3..6deb06eb6 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/dracut/dracut-install profile dracut-install @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 7601f16df..15adcb9e6 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/mdadm profile mdadm @{exec_path} { include + include include capability sys_admin,
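Review bot: `@{bin}/groups Px,` requires a loaded profile named for `@{bin}/groups`, and the diffstat shows none being added, so the transition relies on a profile already present in the tree; confirm it exists, because `Px` has no fallback and the exec is otherwise denied. `@{bin}/{,e}grep ix,` and `@{bin}/which{,.debianutils} ix,` inherit this whole profile including the `Cx -> systemctl` and `Px` transitions, which is the usual choice for such helpers but worth a glance since the profile also gained `owner @{HOME}/ r,`. `@{sh_path} mr,` is the expected form if update-notifier-crash is a shell script that the profile attaches to by path, as the `@{lib}/update-notifier/update-notifier-crash` exec path suggests. The `GetUnitFileState` send rule added to the `systemctl` child is a read-only query and appropriately narrow; the outer profile's closing brace lies outside the hunk.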