feat(profile): general update.

2025-03-14 21:59:55 +01:00 · 2025-03-14 21:59:55 +01:00 · cfccb7894d
commit cfccb7894d
parent 24b1c816e5
19 changed files with 54 additions and 24 deletions
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/netplan/netplan.script
 profile netplan.script @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  @{exec_path} mr,
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@ -88,7 +88,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
    @{bin}/xtables-nft-multi rix,
    /etc/iproute2/rt_tables r,
-    /etc/iproute2/rt_tables.d/ r,
+    /etc/iproute2/rt_tables.d/{,*} r,
    include if exists <local/openvpn_update-resolv>
  }
--- a/apparmor.d/groups/network/wg
+++ b/apparmor.d/groups/network/wg
@ -7,8 +7,9 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/wg
-profile wg @{exec_path} {
+profile wg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  capability net_admin,
  capability net_bind_service,
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@ -7,8 +7,9 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/wg-quick
-profile wg-quick @{exec_path} {
+profile wg-quick @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
  capability net_admin,
@ -20,13 +21,16 @@ profile wg-quick @{exec_path} {
  @{sh_path}                rix,
  @{bin}/cat                rix,
  @{bin}/ip                 rPx,
  @{bin}/mv                 rix,
  @{bin}/nft                rix,
  @{bin}/readlink           rix,
  @{bin}/resolvconf         rPx,
-  @{bin}/resolvectl        rPUx,
+  @{bin}/resolvectl         rPx,
  @{bin}/rm                 rix,
  @{bin}/sort               rix,
  @{bin}/stat               rix,
-  @{bin}/sysctl             rix,
+  @{bin}/sync               rix,
  @{bin}/sysctl             rCx -> sysctl,
  @{bin}/wg                 rPx,
  @{bin}/xtables-nft-multi  rix,
@ -35,16 +39,21 @@ profile wg-quick @{exec_path} {
  /etc/iproute2/group  r,
  /etc/iproute2/rt_realms r,
  /etc/resolvconf/interface-order r,
-  /etc/wireguard/*.conf r,
+  /etc/wireguard/{,**} rw,
  @{sys}/module/wireguard r,
-  @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
+  @{PROC}/@{pid}/net/ip_tables_names r,
-  /dev/tty rw,
+  profile sysctl flags=(attach_disconnected) {
    include <abstractions/base>
-  # Force the use as root
+    @{bin}/sysctl mr,
-  deny @{bin}/sudo x,
+
    @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,
    include if exists <local/wg-quick_sysctl>
  }
  include if exists <local/wg-quick>
 }
--- a/apparmor.d/groups/snap/snap
+++ b/apparmor.d/groups/snap/snap
@ -10,7 +10,7 @@ include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}
@{exec_path} = @{bin_dirs}/snap
-profile snap @{exec_path} {
+profile snap @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@ -15,8 +15,6 @@ profile hostnamectl @{exec_path} {
  capability net_admin,
  unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system,
  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -24,6 +24,9 @@ profile systemd-modules-load @{exec_path} flags=(attach_disconnected) {
  /etc/modules-load.d/ r,
  /etc/modules-load.d/*.conf r,
  @{run}/modprobe.d/ r,
  @{run}/modprobe.d/*.conf r,
  @{sys}/devices/@{pci}/config r,
  @{sys}/module/*/initstate r,
  @{sys}/module/compression r,
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@ -23,6 +23,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {
  @{bin}/mount rix,
  /etc/blkid.conf r,
  /etc/fstab r,
  @{run}/host/container-manager r,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -60,6 +60,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/systemctl        rCx -> systemctl,
  @{bin}/systemd-run      rix,
  @{bin}/unshare          rix,
  @{bin}/vmmouse_detect   rPUx,
  @{lib}/crda/*                            rPUx,
  @{lib}/gdm-runtime-config                rPx,
--- a/apparmor.d/groups/utils/df
+++ b/apparmor.d/groups/utils/df
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/df
-profile df @{exec_path} {
+profile df @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -26,12 +26,12 @@ profile cockpit-bridge @{exec_path} {
  ptrace read,
  signal send set=term peer=cockpit-bridge//sudo,
  signal send set=term peer=cockpit-pcp,
  signal send set=term peer=dbus-daemon,
  signal send set=term peer=journalctl,
  signal send set=term peer=ssh-agent,
  signal send set=term peer=unconfined,
  signal (send receive) set=term peer=cockpit-bridge//sudo,
  @{exec_path} mr,
--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@ -20,9 +20,9 @@ profile atd @{exec_path} {
  capability setuid,
  capability sys_resource,
-  signal (receive) set=hup peer=at,
+  signal receive set=hup peer=at,
-  ptrace (read) peer=unconfined,
+  ptrace read peer=unconfined,
  @{exec_path} mr,
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
-profile hostname @{exec_path} {
+profile hostname @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
@ -22,6 +22,8 @@ profile hostname @{exec_path} {
  @{exec_path} mr,
  owner /dev/tty@{int} rw,
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  include if exists <local/hostname>
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{lib}/needrestart/apt-pinvoke
-profile needrestart-apt-pinvoke @{exec_path} {
+profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
@ -24,6 +24,8 @@ profile needrestart-apt-pinvoke @{exec_path} {
  @{run}/needrestart/{,**} rw,
  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
  include if exists <local/needrestart-apt-pinvoke>
 }
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -15,8 +15,13 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  capability dac_read_search,
  capability sys_admin,
  mount options=(rprivate, rw)      -> /,
  mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,
  umount /var/lib/os-prober/mount/,
  mqueue (read getattr) type=posix /,
  @{exec_path} mrix,
  @{sh_path}               rix,
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -69,6 +69,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  @{bin}/fc-cache                    rPx,
  @{bin}/glib-compile-schemas        rPx,
  @{bin}/install-info                rPx,
  @{bin}/rpm                        rPUx, #aa:only opensuse
  @{bin}/rpmdb2solv                 rPUx, #aa:only opensuse
  @{bin}/systemd-inhibit             rPx,
  @{bin}/update-desktop-database     rPx,
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@ -25,6 +25,7 @@ profile remmina @{exec_path} {
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
  network inet stream,
@ -35,16 +36,20 @@ profile remmina @{exec_path} {
  #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
-  @{exec_path} r,
+  @{exec_path} rm,
  @{open_path} rPx -> child-open-browsers,
  /usr/share/remmina/{,**} r,
  /usr/share/themes/{,**} r,
-  /etc/timezone r,
+  /etc/fstab r,
  /etc/ssh/ssh_config r,
  /etc/ssh/ssh_config.d/{,*} r,
  /etc/timezone r,
-  owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
+  owner @{HOME}/@{XDG_SSH_DIR}/config r,
  owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r,
  owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw,
  owner @{user_cache_dirs}/remmina/{,**} rw,
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@ -20,6 +20,7 @@ profile signal-desktop @{exec_path} {
  include <abstractions/bus/org.freedesktop.ScreenSaver>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/common/electron>
  include <abstractions/devices-usb-read>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/user-download-strict>
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@ -24,8 +24,8 @@ profile ss @{exec_path} {
  /etc/iproute2/{,**} r,
-  owner @{tmp}/*.ss     rw,
+  owner @{tmp}/*.ss rw,
-  owner @{HOME}/*.ss  rw,
+  owner @{HOME}/*.ss rw,
  @{sys}/fs/cgroup/{,**/} r,