felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update apt profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-06-21 19:44:43 +02:00
parent ea45cec24d
commit cd619d280a
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 20 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/apt/apt-methods-http
View file

@ -72,6 +72,7 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/apt-changelog-*/*.changelog rw, owner @{tmp}/apt-changelog-*/*.changelog rw,
@{run}/ubuntu-advantage/aptnews.json rw, @{run}/ubuntu-advantage/aptnews.json rw,
owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,

5
apparmor.d/groups/apt/dpkg-script-systemd
View file

@ -42,8 +42,13 @@ profile dpkg-script-systemd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/apt> include <abstractions/common/apt>
capability dac_read_search,
@{bin}/dpkg mr, @{bin}/dpkg mr,
/etc/dpkg/dpkg.cfg r,
/etc/dpkg/dpkg.cfg.d/{,*} r,
include if exists <local/dpkg-script-systemd_dpkg> include if exists <local/dpkg-script-systemd_dpkg>
} }

11
apparmor.d/groups/apt/dpkg-scripts
View file

@ -58,7 +58,12 @@ profile dpkg-scripts @{exec_path} {
/ r, / r,
/*/ r, /*/ r,
@{bin}/ r, @{bin}/ r,
@{bin}/* w,
@{lib}/ r, @{lib}/ r,
@{lib}/@{python_name}/**/__pycache__/ w,
@{lib}/@{python_name}/**/__pycache__/**.pyc w,
@{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
/etc/ r, /etc/ r,
/etc/** rw, /etc/** rw,
/usr/share/*/{,**} rw, /usr/share/*/{,**} rw,
@ -71,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
/tmp/sed@{rand6} rw, /tmp/sed@{rand6} rw,
/tmp/tmp.@{rand10} rw, /tmp/tmp.@{rand10} rw,
@{PROC}/@{pid}/fd/ r,
profile bus { profile bus {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/bus> include <abstractions/app/bus>
@ -104,6 +111,10 @@ profile dpkg-scripts @{exec_path} {
@{bin}/systemd-tty-ask-password-agent Px, @{bin}/systemd-tty-ask-password-agent Px,
@{pager_path} Px -> child-pager, @{pager_path} Px -> child-pager,
/etc/machine-id r,
/var/lib/systemd/catalog/database r,
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r,

1
apparmor.d/groups/apt/dpkg-statoverride
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/dpkg-statoverride @{exec_path} = @{bin}/dpkg-statoverride
profile dpkg-statoverride @{exec_path} flags=(complain) { profile dpkg-statoverride @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/groups/apt/unattended-upgrade
View file

@ -101,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/var/crash/*.crash w, /var/crash/*.crash w,
/var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/info/ r, /var/lib/dpkg/info/{,*} r,
/var/lib/dpkg/lock rwk, /var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/updates/ r, /var/lib/dpkg/updates/ r,