From d0657d2c26644a386bc0078ec6f83ffebaa1a03e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 11 Sep 2025 23:10:19 +0200
Subject: [PATCH] feat(profile): update network profiles.
---
 apparmor.d/groups/network/NetworkManager | 30 ++++++++++++++++++++++
 apparmor.d/groups/network/netplan | 9 +++++++
 apparmor.d/groups/network/netplan-generate | 2 ++
 apparmor.d/groups/network/nmcli | 14 ++++++++++
 apparmor.d/groups/network/openvpn | 2 ++
 5 files changed, 57 insertions(+)
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index f27449e77..2959441c4 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -48,6 +48,23 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
 #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
+
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=@{busname}),
+
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=@{busname}, label=gnome-control-center),
+
+
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=@{busname}, label=nm-online),
+
 dbus send bus=system path=/org/freedesktop/nm_dispatcher
 interface=org.freedesktop.nm_dispatcher
 member=Action2
@@ -63,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 member={InterfacesAdded,InterfacesRemoved}
 peer=(name=org.freedesktop.DBus),
+ dbus receive bus=system path=/
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=cockpit-bridge),
+
 @{exec_path} mr,
 @{sh_path} rix,
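Review bot: The first added `dbus receive ... member=GetManagedObjects peer=(name=@{busname}),` rule carries no `label`, so it already matches the gnome-control-center and nm-online peers named by the two rules that follow it — those two are dead as written, and the unlabeled rule permits NetworkManager to accept GetManagedObjects from any peer that reaches the system bus. Either keep only the unlabeled rule, if enumeration by arbitrary clients is the intent, or drop it and keep the labeled variants, which is the peer-pinned form the rest of this profile uses (`#aa:dbus talk ... label=...`). There is also a doubled empty added line between the gnome-control-center and nm-online rules that the other blocks do not have. The enclosing `profile NetworkManager` block starts and ends outside the hunk.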
@@ -84,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
 /usr/share/netplan/netplan.script rPx,
+ @{lib}/netplan/@{int2}-network-manager-all.yaml w,
+
 /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
 /usr/share/iproute2/{,**} r,
+ /etc/netplan/ r,
+ /etc/netplan/90-NM-@{uuid}.yaml r,
+
 @{att}/ r,
 /etc/ r,
@@ -110,7 +137,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/rfkill/ r,
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+ @{run}/systemd/resolve/io.systemd.Resolve rw,
+ @{run}/netplan/ r,
 @{run}/network/ifstate r,
 @{run}/NetworkManager/{,**} rw,
 @{run}/nm-*.pid rw,
@@ -135,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
+ /dev/net/tun rw,
 /dev/rfkill rw,
 profile systemctl {
diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan
index 5855131a8..a0fad0a93 100644
--- a/apparmor.d/groups/network/netplan
+++ b/apparmor.d/groups/network/netplan
@@ -9,9 +9,12 @@ include
 @{exec_path} = /usr/share/netplan/netplan.script
 profile netplan @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
+ #aa;dbus owb bus=system name=io.netplan.Netplan
+
 @{exec_path} mr,
 @{lib}/netplan/generate rPx,
@@ -20,6 +23,8 @@ profile netplan @{exec_path} flags=(attach_disconnected) {
 /usr/share/netplan/{,**} r,
+ /etc/netplan/{,*} r,
+ @{run}/netplan/ r,
 profile udevadm {
@@ -42,6 +47,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) {
 capability net_admin,
+ ptrace read peer=@{p_systemd},
+
+ @{run}/udev/control rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate
index 74ed20aaf..cea17b81c 100644
--- a/apparmor.d/groups/network/netplan-generate
+++ b/apparmor.d/groups/network/netplan-generate
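Review bot: `@{lib}/netplan/@{int2}-network-manager-all.yaml w,` gives NetworkManager write access to a configuration path under `@{lib}`, while the netplan files that by their name look NetworkManager-generated (`/etc/netplan/90-NM-@{uuid}.yaml`) get only `r` in the same hunk. A daemon writing into a vendor-owned directory is unusual enough that the rule should carry a why-comment naming what produces the file and when, so the next reader does not widen or copy it blindly; and if NetworkManager does create the `90-NM-*.yaml` files itself, `r` alone will surface as denials and the comment should say which process is the writer. The enclosing `profile NetworkManager` block starts and ends outside the hunk.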
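Review bot: `#aa;dbus owb bus=system name=io.netplan.Netplan` looks mistyped: every other directive in this patch uses the `#aa:` prefix (see the NetworkManager and nmcli hunks), and `owb` is not a directive verb I recognise — the own form would be `#aa:dbus own bus=system name=io.netplan.Netplan`. As written the line is an ordinary comment, so the generated netplan profile gains no rules for owning `io.netplan.Netplan` and the service registration would be denied at runtime despite the intent recorded here. The `include` lines in this hunk have lost their `<...>` targets in this rendering, so I cannot tell what the added include pulls in.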
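Review bot: `ptrace read peer=@{p_systemd},` in the `udevadm` child profile (whose header is above the hunk) is the permission AppArmor consults when a task reads another task's PTRACE_MODE_READ-gated `/proc` files, so this lets a netplan-spawned udevadm read PID 1's protected process information, which is broader than a presence check on udevd; a why-comment naming the access that triggered it would let a reader judge whether a narrower `/proc` path rule would do. `@{run}/udev/control rw,` additionally hands the child the udev control socket, i.e. the ability to issue control commands to udevd, which is expected for netplan's use of udevadm but is worth stating next to the rule.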
@@ -26,6 +26,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
 @{run}/NetworkManager/conf.d/ rw,
 @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw,
 @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw,
+ @{run}/NetworkManager/conf.d/netplan.conf rw,
+ @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw,
 @{run}/NetworkManager/system-connections/ rw,
 @{run}/NetworkManager/system-connections/* rw,
diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli
index 6065a12da..b4da14960 100644
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@@ -16,11 +16,25 @@ profile nmcli @{exec_path} {
 capability sys_nice,
 #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesAdded
+ peer=(name=@{busname}, label=NetworkManager),
+ dbus receive bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=InterfacesRemoved
+ peer=(name=@{busname}, label=NetworkManager),
+ dbus send bus=system path=/org/freedesktop
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=@{busname}, label=NetworkManager),
 @{exec_path} mr,
 @{pager_path} rPx -> child-pager,
+ /etc/netplan/* r,
+
 owner @{HOME}/.nm-vpngate/*.ovpn r,
 owner @{HOME}/.cert/nm-openvpn/*.pem rw,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index b5a6b83ef..2a513b84e 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -66,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/net/route r,
+ /dev/net/tun rw,
+
 profile update-resolv {
 include
 include
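Review bot: The two added `dbus receive` rules in the nmcli hunk differ only in `member`, and the NetworkManager profile in this same patch already uses the brace form `member={InterfacesAdded,InterfacesRemoved}`; collapsing them into one rule keeps the two profiles consistent and halves the block. Separately, `/etc/netplan/* r,` lets nmcli read every netplan YAML file, which can carry Wi-Fi PSKs or VPN credentials; nmcli runs as the invoking user, so presumably DAC on those files rather than this profile is what keeps them from unprivileged users, and a one-line comment saying why a CLI client needs the netplan configuration at all would help the next reader. The `profile nmcli` block starts and ends outside the hunk.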