feat(profile): general update.

2025-03-14 21:59:55 +01:00 · 2025-03-14 21:59:55 +01:00 · cfccb7894d
commit cfccb7894d
parent 24b1c816e5
19 changed files with 54 additions and 24 deletions
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/netplan/netplan.script
 profile netplan.script @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>
  include <abstractions/python>

  @{exec_path} mr,
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@ -88,7 +88,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
    @{bin}/xtables-nft-multi rix,

    /etc/iproute2/rt_tables r,
-    /etc/iproute2/rt_tables.d/ r,
+    /etc/iproute2/rt_tables.d/{,*} r,

    include if exists <local/openvpn_update-resolv>
  }
--- a/apparmor.d/groups/network/wg
+++ b/apparmor.d/groups/network/wg
@ -7,8 +7,9 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/wg
-profile wg @{exec_path} {
+profile wg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>

  capability net_admin,
  capability net_bind_service,
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@ -7,8 +7,9 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/wg-quick
-profile wg-quick @{exec_path} {
+profile wg-quick @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability dac_read_search,
  capability net_admin,
@ -20,13 +21,16 @@ profile wg-quick @{exec_path} {
  @{sh_path}                rix,
  @{bin}/cat                rix,
  @{bin}/ip                 rPx,
+  @{bin}/mv                 rix,
  @{bin}/nft                rix,
  @{bin}/readlink           rix,
  @{bin}/resolvconf         rPx,
-  @{bin}/resolvectl        rPUx,
+  @{bin}/resolvectl         rPx,
+  @{bin}/rm                 rix,
  @{bin}/sort               rix,
  @{bin}/stat               rix,
-  @{bin}/sysctl             rix,
+  @{bin}/sync               rix,
+  @{bin}/sysctl             rCx -> sysctl,
  @{bin}/wg                 rPx,
  @{bin}/xtables-nft-multi  rix,

@ -35,16 +39,21 @@ profile wg-quick @{exec_path} {
  /etc/iproute2/group  r,
  /etc/iproute2/rt_realms r,
  /etc/resolvconf/interface-order r,
-  /etc/wireguard/*.conf r,
+  /etc/wireguard/{,**} rw,

  @{sys}/module/wireguard r,

+  @{PROC}/@{pid}/net/ip_tables_names r,
+
+  profile sysctl flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    @{bin}/sysctl mr,
+
    @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,

-  /dev/tty rw,
-
-  # Force the use as root
-  deny @{bin}/sudo x,
+    include if exists <local/wg-quick_sysctl>
+  }

  include if exists <local/wg-quick>
 }
--- a/apparmor.d/groups/snap/snap
+++ b/apparmor.d/groups/snap/snap
@ -10,7 +10,7 @@ include <tunables/global>
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}

@{exec_path} = @{bin_dirs}/snap
-profile snap @{exec_path} {
+profile snap @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@ -15,8 +15,6 @@ profile hostnamectl @{exec_path} {

  capability net_admin,

-  unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system,
-
  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -24,6 +24,9 @@ profile systemd-modules-load @{exec_path} flags=(attach_disconnected) {
  /etc/modules-load.d/ r,
  /etc/modules-load.d/*.conf r,

+  @{run}/modprobe.d/ r,
+  @{run}/modprobe.d/*.conf r,
+
  @{sys}/devices/@{pci}/config r,
  @{sys}/module/*/initstate r,
  @{sys}/module/compression r,
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@ -23,6 +23,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {

  @{bin}/mount rix,

+  /etc/blkid.conf r,
  /etc/fstab r,

  @{run}/host/container-manager r,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -60,6 +60,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/systemctl        rCx -> systemctl,
  @{bin}/systemd-run      rix,
  @{bin}/unshare          rix,
+  @{bin}/vmmouse_detect   rPUx,

  @{lib}/crda/*                            rPUx,
  @{lib}/gdm-runtime-config                rPx,
--- a/apparmor.d/groups/utils/df
+++ b/apparmor.d/groups/utils/df
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/df
-profile df @{exec_path} {
+profile df @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>

--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -26,12 +26,12 @@ profile cockpit-bridge @{exec_path} {

  ptrace read,

-  signal send set=term peer=cockpit-bridge//sudo,
  signal send set=term peer=cockpit-pcp,
  signal send set=term peer=dbus-daemon,
  signal send set=term peer=journalctl,
  signal send set=term peer=ssh-agent,
  signal send set=term peer=unconfined,
+  signal (send receive) set=term peer=cockpit-bridge//sudo,

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@ -20,9 +20,9 @@ profile atd @{exec_path} {
  capability setuid,
  capability sys_resource,

-  signal (receive) set=hup peer=at,
+  signal receive set=hup peer=at,

-  ptrace (read) peer=unconfined,
+  ptrace read peer=unconfined,

  @{exec_path} mr,

--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname}
-profile hostname @{exec_path} {
+profile hostname @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
@ -22,6 +22,8 @@ profile hostname @{exec_path} {

  @{exec_path} mr,

+  owner /dev/tty@{int} rw,
+
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/hostname>
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{lib}/needrestart/apt-pinvoke
-profile needrestart-apt-pinvoke @{exec_path} {
+profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
@ -24,6 +24,8 @@ profile needrestart-apt-pinvoke @{exec_path} {

  @{run}/needrestart/{,**} rw,

+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
  include if exists <local/needrestart-apt-pinvoke>
 }

--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -15,8 +15,13 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  capability dac_read_search,
  capability sys_admin,

+  mount options=(rprivate, rw)      -> /,
+  mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/,
+
  umount /var/lib/os-prober/mount/,

+  mqueue (read getattr) type=posix /,
+
  @{exec_path} mrix,

  @{sh_path}               rix,
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -69,6 +69,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  @{bin}/fc-cache                    rPx,
  @{bin}/glib-compile-schemas        rPx,
  @{bin}/install-info                rPx,
+  @{bin}/rpm                        rPUx, #aa:only opensuse
  @{bin}/rpmdb2solv                 rPUx, #aa:only opensuse
  @{bin}/systemd-inhibit             rPx,
  @{bin}/update-desktop-database     rPx,
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@ -25,6 +25,7 @@ profile remmina @{exec_path} {
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
+  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>

  network inet stream,
@ -35,16 +36,20 @@ profile remmina @{exec_path} {
  #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

-  @{exec_path} r,
+  @{exec_path} rm,
+
+  @{open_path} rPx -> child-open-browsers,

  /usr/share/remmina/{,**} r,
  /usr/share/themes/{,**} r,

-  /etc/timezone r,
+  /etc/fstab r,
  /etc/ssh/ssh_config r,
  /etc/ssh/ssh_config.d/{,*} r,
+  /etc/timezone r,

-  owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
+  owner @{HOME}/@{XDG_SSH_DIR}/config r,
+  owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r,

  owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw,
  owner @{user_cache_dirs}/remmina/{,**} rw,
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@ -20,6 +20,7 @@ profile signal-desktop @{exec_path} {
  include <abstractions/bus/org.freedesktop.ScreenSaver>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
  include <abstractions/common/electron>
+  include <abstractions/devices-usb-read>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/user-download-strict>