From cfccb7894d94d16626cc70d8cdcab7fec470bb4e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 14 Mar 2025 21:59:55 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/groups/network/netplan.script | 1 +
 apparmor.d/groups/network/openvpn | 2 +-
 apparmor.d/groups/network/wg | 3 ++-
 apparmor.d/groups/network/wg-quick | 25 +++++++++++++------
 apparmor.d/groups/snap/snap | 2 +-
 apparmor.d/groups/systemd/hostnamectl | 2 --
 .../groups/systemd/systemd-modules-load | 3 +++
 apparmor.d/groups/systemd/systemd-remount-fs | 1 +
 apparmor.d/groups/systemd/systemd-udevd | 1 +
 apparmor.d/groups/utils/df | 2 +-
 apparmor.d/groups/virt/cockpit-bridge | 2 +-
 apparmor.d/profiles-a-f/atd | 4 +--
 apparmor.d/profiles-g-l/hostname | 4 ++-
 .../profiles-m-r/needrestart-apt-pinvoke | 4 ++-
 apparmor.d/profiles-m-r/os-prober | 5 ++++
 apparmor.d/profiles-m-r/packagekitd | 1 +
 apparmor.d/profiles-m-r/remmina | 11 +++++---
 apparmor.d/profiles-s-z/signal-desktop | 1 +
 apparmor.d/profiles-s-z/ss | 4 +--
 19 files changed, 54 insertions(+), 24 deletions(-)
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 66994569d..8f5a9b5a6 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/netplan/netplan.script
 profile netplan.script @{exec_path} flags=(attach_disconnected) {
   include
+  include
   include
   @{exec_path} mr,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index 532c65f78..608b98994 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -88,7 +88,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
   @{bin}/xtables-nft-multi rix,
   /etc/iproute2/rt_tables r,
-  /etc/iproute2/rt_tables.d/ r,
+  /etc/iproute2/rt_tables.d/{,*} r,
   include if exists
 }
diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg
index 781a52f7a..0b0315e33 100644
--- a/apparmor.d/groups/network/wg
+++ b/apparmor.d/groups/network/wg
@@ -7,8 +7,9 @@ abi ,
 include
 @{exec_path} = @{bin}/wg
-profile wg @{exec_path} {
+profile wg @{exec_path} flags=(attach_disconnected) {
   include
+  include
   capability net_admin,
   capability net_bind_service,
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick
index c7ea6b1bd..1dc0e234d 100644
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@@ -7,8 +7,9 @@ abi ,
 include
 @{exec_path} = @{bin}/wg-quick
-profile wg-quick @{exec_path} {
+profile wg-quick @{exec_path} flags=(attach_disconnected) {
   include
+  include
   capability dac_read_search,
   capability net_admin,
@@ -20,13 +21,16 @@ profile wg-quick @{exec_path} {
   @{sh_path} rix,
   @{bin}/cat rix,
   @{bin}/ip rPx,
+  @{bin}/mv rix,
   @{bin}/nft rix,
   @{bin}/readlink rix,
   @{bin}/resolvconf rPx,
-  @{bin}/resolvectl rPUx,
+  @{bin}/resolvectl rPx,
+  @{bin}/rm rix,
   @{bin}/sort rix,
   @{bin}/stat rix,
-  @{bin}/sysctl rix,
+  @{bin}/sync rix,
+  @{bin}/sysctl rCx -> sysctl,
   @{bin}/wg rPx,
   @{bin}/xtables-nft-multi rix,
@@ -35,16 +39,21 @@ profile wg-quick @{exec_path} {
   /etc/iproute2/group r,
   /etc/iproute2/rt_realms r,
   /etc/resolvconf/interface-order r,
-  /etc/wireguard/*.conf r,
+  /etc/wireguard/{,**} rw,
   @{sys}/module/wireguard r,
-  @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
+  @{PROC}/@{pid}/net/ip_tables_names r,
-  /dev/tty rw,
+  profile sysctl flags=(attach_disconnected) {
+    include
-  # Force the use as root
-  deny @{bin}/sudo x,
+    @{bin}/sysctl mr,
+
+    @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
+
+    include if exists
+  }
   include if exists
 }
diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap
index 90b2ceef3..84bab99e0 100644
--- a/apparmor.d/groups/snap/snap
+++ b/apparmor.d/groups/snap/snap
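Review bot: `flags=(attach_disconnected)` is added to the `profile wg` header without a comment saying which disconnected path it works around, and the same flag is added in this commit to wg-quick, snap, df, hostname and needrestart-apt-pinvoke. The flag makes objects whose path is disconnected from the namespace root match as if they were rooted at `/`, so every path rule in the profile then also covers those objects; it widens matching rather than tightening it. A one-line `# attach_disconnected: <path from the audit log> (constructed placeholder)` above each header would let a later reviewer check whether the flag is still needed. The wg profile body continues outside the hunk.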
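Review bot: `/etc/wireguard/{,**} rw,` replaces `/etc/wireguard/*.conf r,` in the third wg-quick hunk and grants write access to the whole directory tree, which on most hosts also holds the private keys and preshared keys the configs reference. The `mv`, `rm` and `sync` execs added in the second hunk suggest the write is for a config-rewrite step (presumably `wg-quick save`, which writes a temporary file beside the config and renames it over it), so the rule could be limited to that, for instance `/etc/wireguard/ r,` plus `owner /etc/wireguard/*.conf{,.tmp} rw,` — the temporary-file name should be confirmed against the script before narrowing. Moving `sysctl` into the `sysctl` child profile with only `src_valid_mark` writable is a good split; `@{PROC}/@{pid}/net/ip_tables_names r,` could take an `owner` prefix since wg-quick only needs its own process's view. The wg-quick profile continues outside the hunk.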
@@ -10,7 +10,7 @@ include
 @{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
 @{exec_path} = @{bin_dirs}/snap
-profile snap @{exec_path} {
+profile snap @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index 3107d2d8e..a0dd945a5 100644
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -15,8 +15,6 @@ profile hostnamectl @{exec_path} {
   capability net_admin,
-  unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system,
-
   #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
   @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load
index cc44f385f..3f778244b 100644
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@@ -24,6 +24,9 @@ profile systemd-modules-load @{exec_path} flags=(attach_disconnected) {
   /etc/modules-load.d/ r,
   /etc/modules-load.d/*.conf r,
+  @{run}/modprobe.d/ r,
+  @{run}/modprobe.d/*.conf r,
+
   @{sys}/devices/@{pci}/config r,
   @{sys}/module/*/initstate r,
   @{sys}/module/compression r,
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
index 4231f7e7b..750f7e18b 100644
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -23,6 +23,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {
   @{bin}/mount rix,
+  /etc/blkid.conf r,
   /etc/fstab r,
   @{run}/host/container-manager r,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 1af847cd4..6778aacf3 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -60,6 +60,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   @{bin}/systemctl rCx -> systemctl,
   @{bin}/systemd-run rix,
   @{bin}/unshare rix,
+  @{bin}/vmmouse_detect rPUx,
   @{lib}/crda/* rPUx,
   @{lib}/gdm-runtime-config rPx,
diff --git a/apparmor.d/groups/utils/df b/apparmor.d/groups/utils/df
index 1a823e4db..baceace65 100644
--- a/apparmor.d/groups/utils/df
+++ b/apparmor.d/groups/utils/df
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/df
-profile df @{exec_path} {
+profile df @{exec_path} flags=(attach_disconnected) {
   include
   include
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index d7b1b45e0..a6eb80e9f 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -26,12 +26,12 @@ profile cockpit-bridge @{exec_path} {
   ptrace read,
-  signal send set=term peer=cockpit-bridge//sudo,
   signal send set=term peer=cockpit-pcp,
   signal send set=term peer=dbus-daemon,
   signal send set=term peer=journalctl,
   signal send set=term peer=ssh-agent,
   signal send set=term peer=unconfined,
+  signal (send receive) set=term peer=cockpit-bridge//sudo,
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd
index f8d39c8f5..3a0669c76 100644
--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@@ -20,9 +20,9 @@ profile atd @{exec_path} {
   capability setuid,
   capability sys_resource,
-  signal (receive) set=hup peer=at,
+  signal receive set=hup peer=at,
-  ptrace (read) peer=unconfined,
+  ptrace read peer=unconfined,
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname
index ac2ceb6e2..7e87173cc 100644
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
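Review bot: `@{bin}/vmmouse_detect rPUx,` lets the helper run unconfined whenever no `vmmouse_detect` profile is loaded, and nothing in the hunk indicates whether such a profile ships with this change. Because it is spawned by systemd-udevd as root, a dedicated profile with `rPx`, or `rix` if the helper needs nothing beyond what udevd already has, would keep it confined; at minimum a `# TODO: confine vmmouse_detect` comment would record the unconfined fallback as deliberate. The udevd profile continues outside the hunk.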
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
-profile hostname @{exec_path} {
+profile hostname @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
@@ -22,6 +22,8 @@ profile hostname @{exec_path} {
   @{exec_path} mr,
+  owner /dev/tty@{int} rw,
+
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   include if exists
diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
index 5f3912105..480caf77e 100644
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/needrestart/apt-pinvoke
-profile needrestart-apt-pinvoke @{exec_path} {
+profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
@@ -24,6 +24,8 @@ profile needrestart-apt-pinvoke @{exec_path} {
   @{run}/needrestart/{,**} rw,
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober
index c058003ff..bfee59187 100644
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@@ -15,8 +15,13 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability sys_admin,
+  mount options=(rprivate, rw) -> /,
+  mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,
+  umount /var/lib/os-prober/mount/,
+  mqueue (read getattr) type=posix /,
+
   @{exec_path} mrix,
   @{sh_path} rix,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 6847476e3..4d1f2f756 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
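Review bot: `mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,` in the os-prober hunk constrains only the mount point, so any source and any filesystem type may be mounted there with those options; since the profile already grants `capability sys_admin`, tying the rule to block devices, e.g. `mount options=(rw, nosuid, nodev) /dev/** -> /var/lib/os-prober/mount/,`, keeps it from becoming a general mount permission. `mount options=(rprivate, rw) -> /,` likewise allows the root filesystem to be remounted read-write; if only the propagation change is needed, `options=(rprivate)` without `rw` is the narrower form — worth confirming against the mount command os-prober actually issues. A short comment naming the os-prober helper that performs these mounts would make both rules auditable later. The profile body continues outside the hunk.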
@@ -69,6 +69,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   @{bin}/fc-cache rPx,
   @{bin}/glib-compile-schemas rPx,
   @{bin}/install-info rPx,
+  @{bin}/rpm rPUx, #aa:only opensuse
   @{bin}/rpmdb2solv rPUx, #aa:only opensuse
   @{bin}/systemd-inhibit rPx,
   @{bin}/update-desktop-database rPx,
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index f59880046..7d30c8848 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@@ -25,6 +25,7 @@ profile remmina @{exec_path} {
   include
   include
   include
+  include
   include
   network inet stream,
@@ -35,16 +36,20 @@ profile remmina @{exec_path} {
   #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
   #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
-  @{exec_path} r,
+  @{exec_path} rm,
+
+  @{open_path} rPx -> child-open-browsers,
   /usr/share/remmina/{,**} r,
   /usr/share/themes/{,**} r,
-  /etc/timezone r,
+  /etc/fstab r,
   /etc/ssh/ssh_config r,
   /etc/ssh/ssh_config.d/{,*} r,
+  /etc/timezone r,
-  owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
+  owner @{HOME}/@{XDG_SSH_DIR}/config r,
+  owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r,
   owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw,
   owner @{user_cache_dirs}/remmina/{,**} rw,
diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop
index ca9da155c..0393df379 100644
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@@ -20,6 +20,7 @@ profile signal-desktop @{exec_path} {
   include
   include
   include
+  include
   include
   include
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss
index 3b55547be..a942cac4f 100644
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@@ -24,8 +24,8 @@ profile ss @{exec_path} {
   /etc/iproute2/{,**} r,
-  owner @{tmp}/*.ss rw,
-  owner @{HOME}/*.ss rw,
+  owner @{tmp}/*.ss rw,
+  owner @{HOME}/*.ss rw,
   @{sys}/fs/cgroup/{,**/} r,
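Review bot: Replacing `owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,` with rules for only `config` and `known_hosts` in the second remmina hunk is the right direction, since it removes read access to the user's private keys, but as far as I recall Remmina's connection settings let the user pick an SSH identity file, and those commonly live in that same directory, so this is likely to surface as a denial for users relying on key-based SSH tunnels. A comment above the two rules, such as `# Identity files are intentionally not readable here; keep them outside @{XDG_SSH_DIR} or add a local override`, would make the trade-off explicit, and `owner @{HOME}/@{XDG_SSH_DIR}/*.pub r,` could be added if the public-key half turns out to be needed. The remmina profile continues outside the hunk.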