fix(profile): apply some fix raised by the test suite.

2024-10-22 00:37:50 +01:00 · 2024-10-22 00:37:50 +01:00 · cca8e6508f
commit cca8e6508f
parent 1f869c12ad
24 changed files with 65 additions and 12 deletions
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -12,6 +12,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
  include <abstractions/authentication>
+  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@ -26,6 +26,8 @@ profile fc-cache @{exec_path} {

  /var/tmp/mkinitramfs_*/{**,} rwl,

+  owner @{user_cache_dirs}/ w,
+
  # Silencer
  deny network inet6 stream,
  deny network inet stream,
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@ -22,10 +22,11 @@ profile gpgconf @{exec_path} {
  @{bin}/gpg-connect-agent rPx,
  @{bin}/gpg{,2}           rPx,
  @{bin}/gpgsm             rPx,
-  @{bin}/pinentry-*        rPx,
+  @{bin}/pinentry{,-*}     rPx,
  @{bin}/scdaemon          rPx,
+  @{lib}/{,gnupg/}keyboxd  rPUx,
  @{lib}/{,gnupg/}scdaemon rPx,
-  @{lib}/keyboxd          rPUx,
+  @{lib}/{,gnupg/}tpm2daemon rPUx,

  /etc/gcrypt/hwf.deny r,
  /etc/gnupg/gpgconf.conf r,
--- a/apparmor.d/groups/pacman/archlinux-java
+++ b/apparmor.d/groups/pacman/archlinux-java
@ -17,9 +17,11 @@ profile archlinux-java @{exec_path} {
  @{bin}/basename  rix,
  @{bin}/bash      rix,
  @{bin}/dirname   rix,
+  @{bin}/find      rix,
  @{bin}/id        rix,
  @{bin}/ln        rix,
  @{bin}/readlink  rix,
+  @{bin}/sort      rix,
  @{bin}/unlink    rix,

  @{lib}/jvm/default w,
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@ -21,6 +21,8 @@ profile ssh-keygen @{exec_path} {
  owner @{HOME}/@{XDG_SSH_DIR}/ w,
  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,

+  /tmp/snapd@{int}/*_*{,.pub} w,
+
  /dev/tty@{int} rw,
  /dev/ttyS@{int} rw,

--- a/apparmor.d/groups/systemd/systemd-generator-cloud-init
+++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init
@ -15,6 +15,7 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{sh_path}                     rix,
+  @{bin}/ln                      rix,
  @{bin}/mkdir                   rix,
  @{bin}/systemd-detect-virt     rPx,
  @{lib}/cloud-init/ds-identify rPUx,
@ -22,6 +23,9 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
  @{run}/cloud-init/ w,
  @{run}/cloud-init/cloud-init-generator.* rw,
  @{run}/cloud-init/disabled w,
+  @{run}/cloud-init/enabled w,
+  @{run}/systemd/generator.early/multi-user.target.wants/ w,
+  @{run}/systemd/generator.early/multi-user.target.wants/cloud-init.target w,

  @{PROC}/cmdline r,

--- a/apparmor.d/groups/systemd/systemd-generator-fstab
+++ b/apparmor.d/groups/systemd/systemd-generator-fstab
@ -19,7 +19,7 @@ profile systemd-generator-fstab @{exec_path} {

  /etc/fstab r,

-  @{run}/systemd/generator/** w,
+  @{run}/systemd/generator/** rw,

  @{PROC}/@{pid}/cgroup r,

--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -31,6 +31,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {

  @{etc_rw}/.#hostname* rw,
  @{etc_rw}/hostname rw,
+  /etc/.#machine-info@{hex16} rw,
  /etc/.#machine-info@{rand6} rw,
  /etc/machine-id r,
  /etc/machine-info rw,
--- a/apparmor.d/groups/systemd/systemd-notify
+++ b/apparmor.d/groups/systemd/systemd-notify
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-notify
 profile systemd-notify @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability sys_admin,
  capability net_admin,
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@ -9,11 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/userdbctl
 profile userdbctl @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability sys_resource,

+  signal send set=cont peer=child-pager,
+
  @{exec_path} mr,
  
  @{pager_path} rPx -> child-pager,
@ -21,7 +24,9 @@ profile userdbctl @{exec_path} {
  /etc/shadow r,
  /etc/gshadow r,

-  @{PROC}/1/cgroup r,
+        @{PROC}/1/cgroup r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/uid_map r,

  include if exists <local/userdbctl>
 }
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@ -20,6 +20,7 @@ profile apt-esm-json-hook @{exec_path} {

  /var/lib/ubuntu-advantage/{,**} r,
  /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
+  /var/log/ubuntu-advantage-apt-hook.log w,

  @{run}/cloud-init/cloud-id-nocloud r,