felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update network profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-11 23:10:19 +02:00
parent fecb4dbca6
commit d0657d2c26
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 57 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

30
apparmor.d/groups/network/NetworkManager
View file

@ -48,6 +48,23 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
#aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
#aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=@{busname}),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=@{busname}, label=gnome-control-center),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=@{busname}, label=nm-online),
dbus send bus=system path=/org/freedesktop/nm_dispatcher dbus send bus=system path=/org/freedesktop/nm_dispatcher
interface=org.freedesktop.nm_dispatcher interface=org.freedesktop.nm_dispatcher
member=Action2 member=Action2
@ -63,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
member={InterfacesAdded,InterfacesRemoved} member={InterfacesAdded,InterfacesRemoved}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus receive bus=system path=/
interface=org.freedesktop.DBus.Introspectable
member=Introspect
peer=(name=@{busname}, label=cockpit-bridge),
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@ -84,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx,
/usr/share/netplan/netplan.script rPx, /usr/share/netplan/netplan.script rPx,
@{lib}/netplan/@{int2}-network-manager-all.yaml w,
/usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
/usr/share/iproute2/{,**} r, /usr/share/iproute2/{,**} r,
/etc/netplan/ r,
/etc/netplan/90-NM-@{uuid}.yaml r,
@{att}/ r, @{att}/ r,
/etc/ r, /etc/ r,
@ -110,7 +137,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
@{sys}/class/rfkill/ r, @{sys}/class/rfkill/ r,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/systemd/resolve/io.systemd.Resolve rw,
@{run}/netplan/ r,
@{run}/network/ifstate r, @{run}/network/ifstate r,
@{run}/NetworkManager/{,**} rw, @{run}/NetworkManager/{,**} rw,
@{run}/nm-*.pid rw, @{run}/nm-*.pid rw,
@ -135,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/net/tun rw,
/dev/rfkill rw, /dev/rfkill rw,
profile systemctl { profile systemctl {

9
apparmor.d/groups/network/netplan
View file

@ -9,9 +9,12 @@ include <tunables/global>
@{exec_path} = /usr/share/netplan/netplan.script @{exec_path} = /usr/share/netplan/netplan.script
profile netplan @{exec_path} flags=(attach_disconnected) { profile netplan @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
#aa;dbus owb bus=system name=io.netplan.Netplan
@{exec_path} mr, @{exec_path} mr,
@{lib}/netplan/generate rPx, @{lib}/netplan/generate rPx,
@ -20,6 +23,8 @@ profile netplan @{exec_path} flags=(attach_disconnected) {
/usr/share/netplan/{,**} r, /usr/share/netplan/{,**} r,
/etc/netplan/{,*} r,
@{run}/netplan/ r, @{run}/netplan/ r,
profile udevadm { profile udevadm {
@ -42,6 +47,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
ptrace read peer=@{p_systemd},
@{run}/udev/control rw,
include if exists <local/netplan_systemctl> include if exists <local/netplan_systemctl>
} }

2
apparmor.d/groups/network/netplan-generate
View file

@ -26,6 +26,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
@{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/ rw,
@{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw,
@{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw,
@{run}/NetworkManager/conf.d/netplan.conf rw,
@{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw,
@{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/ rw,
@{run}/NetworkManager/system-connections/* rw, @{run}/NetworkManager/system-connections/* rw,

14
apparmor.d/groups/network/nmcli
View file

@ -16,11 +16,25 @@ profile nmcli @{exec_path} {
capability sys_nice, capability sys_nice,
#aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesAdded
peer=(name=@{busname}, label=NetworkManager),
dbus receive bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=InterfacesRemoved
peer=(name=@{busname}, label=NetworkManager),
dbus send bus=system path=/org/freedesktop
interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects
peer=(name=@{busname}, label=NetworkManager),
@{exec_path} mr, @{exec_path} mr,
@{pager_path} rPx -> child-pager, @{pager_path} rPx -> child-pager,
/etc/netplan/* r,
owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.nm-vpngate/*.ovpn r,
owner @{HOME}/.cert/nm-openvpn/*.pem rw, owner @{HOME}/.cert/nm-openvpn/*.pem rw,

2
apparmor.d/groups/network/openvpn
View file

@ -66,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/net/route r, owner @{PROC}/@{pid}/net/route r,
/dev/net/tun rw,
profile update-resolv { profile update-resolv {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>