From d4987b5babf6860c06ac2eb0ab8c73e97075d39e Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Tue, 18 Oct 2022 21:06:50 +0300
Subject: [PATCH] Read-only root compatibility
---
 apparmor.d/groups/network/NetworkManager | 10 ++++------
 apparmor.d/groups/network/mullvad-daemon | 8 ++++----
 apparmor.d/groups/network/tailscaled | 12 ++++++------
 apparmor.d/groups/systemd/systemd-timedated | 6 +++---
 apparmor.d/groups/systemd/systemd-timesyncd | 4 ++--
 apparmor.d/groups/virt/libvirtd | 10 +++++-----
 apparmor.d/groups/virt/virt-aa-helper | 4 ++--
 apparmor.d/profiles-a-f/blkid | 6 +++---
 apparmor.d/profiles-a-f/dhclient-script | 10 +++++-----
 apparmor.d/profiles-g-l/lvm | 4 ++--
 apparmor.d/profiles-g-l/lvmconfig | 5 ++---
 apparmor.d/profiles-m-r/polipo | 4 ++--
 apparmor.d/profiles-m-r/resolvconf | 6 +++---
 13 files changed, 43 insertions(+), 46 deletions(-)
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 1f881e3e7..217cc7ee4 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{,s}bin/NetworkManager
-profile NetworkManager @{exec_path} flags=(attach_disconnected) {
+profile NetworkManager @{exec_path} flags=(complain attach_disconnected) {
 include
 include
 include
@@ -104,16 +104,15 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 / r,
 /etc/ r,
- /etc/machine-id r,
- /etc/resolv.conf rw,
- /etc/resolv.conf.[0-9A-Z]* rw,
+ @{etc_rw}/resolv.conf rw,
+ @{etc_rw}/resolv.conf.[0-9A-Z]* rw,
 /etc/network/interfaces r,
 /etc/network/interfaces.d/{,*} r,
 /etc/NetworkManager/{,**} r,
 /etc/NetworkManager/system-connections/{,**} w,
- /var/lib/iwd/*open* rw,
+ /etc/machine-id r,
 /var/lib/NetworkManager/{,**} rw,
 @{sys}/bus/ r,
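Review bot: Adding `complain` to the NetworkManager profile flags switches the profile from enforce to complain mode, where every denial becomes a log entry instead of a refusal, and the same flag is added to the other twelve profiles in this patch while the subject only mentions read-only root compatibility. If `complain` is this repository's marker for a profile that needs re-testing after a path change, say so in the commit message; otherwise keep the mode switch in its own commit so it can be reverted independently of the `@{etc_rw}` path work. The profile body continues outside the hunk.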
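Review bot: This hunk, like every other file in the patch, starts referencing `@{etc_rw}`, but no tunables file appears in the diffstat, so unless the variable is already defined under the repository's tunables the parser will refuse to load all thirteen touched profiles; the definition, or a pointer to where it lives, belongs in this commit. The removal of `/var/lib/iwd/*open* rw,` is unrelated to a read-only root and is not explained, and with the profile now in complain mode a missing rule is only logged, so the regression would surface only once enforcement is restored. Keep that line, or move its removal to a separate commit with a rationale. The rule block continues outside the hunk.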
@@ -136,7 +135,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
- owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 0b94c533f..7a786deaf 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
-profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
+profile mullvad-daemon @{exec_path} flags=(attach_disconnected complain) {
 include
 include
@@ -36,8 +36,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 /etc/mullvad-vpn/{,*} r,
 /etc/mullvad-vpn/*.json rw,
- /etc/resolv.conf rw,
- /etc/resolv.conf.mullvadbackup rw,
+ @{etc_rw}/resolv.conf rw,
+ @{etc_rw}/resolv.conf.mullvadbackup rw,
 /var/cache/mullvad-vpn/{,*} rw,
 /var/log/mullvad-vpn/{,*} rw,
@@ -59,4 +59,4 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 /dev/net/tun rw,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 3bdef0d68..7b523f52c 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{,s}bin/tailscaled
-profile tailscaled @{exec_path} flags=(attach_disconnected) {
+profile tailscaled @{exec_path} flags=(attach_disconnected complain) {
 include
 include
 include
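Review bot: Dropping `owner @{PROC}/@{pid}/cmdline r,` is a rule removal with no connection to read-only root compatibility, and the commit message does not justify it; NetworkManager reading its own cmdline is harmless, and with the profile now in complain mode any resulting denial will only appear in the audit log rather than fail visibly. Either keep the line or move the removal to a dedicated commit that explains why it is no longer needed. The profile body continues outside the hunk.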
@@ -37,9 +37,9 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 /etc/iproute2/rt_tables r,
- /etc/resolv.*.conf rw,
- /etc/resolv.conf rw,
- /etc/resolv.conf.*.tmp rw,
+ @{etc_rw}/resolv.*.conf rw,
+ @{etc_rw}/resolv.conf rw,
+ @{etc_rw}/resolv.conf.*.tmp rw,
 owner @{run}/tailscale/{,**} rw,
 owner /var/cache/{,**} rw,
@@ -63,7 +63,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 /dev/net/tun rw,
- profile systemctl {
+ profile systemctl flags=(attach_disconnected complain) {
 include
 capability mknod,
@@ -80,4 +80,4 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 }
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index ddd2c4252..d76562ab1 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-timedated
-profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
+profile systemd-timedated @{exec_path} flags=(attach_disconnected complain) {
 include
 include
 include
@@ -34,8 +34,8 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 /dev/rtc[0-9] r,
- /etc/.#adjtime* rw,
- /etc/adjtime rw,
+ @{etc_rw}/.#adjtime* rw,
+ @{etc_rw}/adjtime rw,
 /etc/.#localtime* rw,
 /etc/localtime rw,
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 2f60b0ab2..56510bc14 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
-profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
+profile systemd-timesyncd @{exec_path} flags=(complain attach_disconnected) {
 include
 include
 include
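Review bot: The `systemctl` child profile gains `attach_disconnected` together with `complain`, and `attach_disconnected` is a permission change, not a mode switch: it lets the confined systemctl access paths that are disconnected from the namespace root, which the previous flagless child profile did not allow. Nothing in the hunk or the subject says why systemctl needs it; if the intent is only to mirror the parent's mode, `profile systemctl flags=(complain) {` is the minimal change. The child profile body continues outside the hunk.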
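Review bot: `/etc/.#localtime* rw,` and `/etc/localtime rw,` are left on the literal `/etc` prefix while the adjacent adjtime rules move to `@{etc_rw}`, yet the existing `rw` on those lines shows the profile expects timedated to write `/etc/localtime` the same way it writes adjtime, so on a read-only root with a writable overlay these two lines will be the next denials. Unless `@{etc_rw}` is known to expand to a set that already includes `/etc`, convert them in the same hunk: `@{etc_rw}/.#localtime* rw,` and `@{etc_rw}/localtime rw,`. The rule list continues outside the hunk.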
@@ -31,7 +31,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /etc/adjtime r,
+ @{etc_rw}/adjtime r,
 /etc/systemd/timesyncd.conf r,
 /etc/systemd/timesyncd.conf.d/{,**} r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 480b0d7c6..acd613403 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -15,7 +15,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/libvirtd
-profile libvirtd @{exec_path} flags=(attach_disconnected) {
+profile libvirtd @{exec_path} flags=(attach_disconnected complain) {
 include
 include
 include
@@ -132,8 +132,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 /usr/share/mime/mime.cache r,
 /usr/share/qemu/{,**} r,
- /etc/apparmor.d/libvirt/libvirt-@{uuid} r,
- /etc/libvirt/{,**} rw,
+ @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r,
+ @{etc_rw}/libvirt/{,**} rw,
 /etc/mdevctl.d/{,**} r,
 /etc/xml/catalog r,
@@ -243,12 +243,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 # Force the use of virt-aa-helper
 audit deny /{usr/,}{s,}bin/apparmor_parser rwxl,
- audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny @{etc_rw}/apparmor.d/libvirt/** wxl,
 audit deny @{sys}/kernel/security/apparmor/features rwxl,
 audit deny @{sys}/kernel/security/apparmor/matching rwxl,
 audit deny @{sys}/kernel/security/apparmor/.* rwxl,
- profile qemu_bridge_helper {
+ profile qemu_bridge_helper flags=(attach_disconnected complain) {
 include
 capability net_admin,
diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper
index 43c8199f4..cc2b841bb 100644
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}lib/libvirt/virt-aa-helper
-profile virt-aa-helper @{exec_path} {
+profile virt-aa-helper @{exec_path} flags=(complain ) {
 include
 include
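Review bot: `profile qemu_bridge_helper flags=(attach_disconnected complain) {` adds `attach_disconnected` to a child profile that previously had no flags, which is a permission change beyond the complain switch and is not motivated by read-only root support; `flags=(complain)` alone is the minimal edit if the goal is only to mirror the parent's mode. Separately, the `audit deny @{etc_rw}/apparmor.d/libvirt/** wxl,` rule is defence in depth against libvirtd bypassing virt-aa-helper, so it is worth keeping the literal `audit deny /etc/apparmor.d/libvirt/** wxl,` alongside it unless `@{etc_rw}` is guaranteed to expand to a set that contains `/etc`. The enclosing profile continues outside the hunk.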
@@ -23,7 +23,7 @@ profile virt-aa-helper @{exec_path} {
 /{usr/,}{s,}bin/apparmor_parser rPx,
 /etc/apparmor.d/libvirt/* r,
- /etc/apparmor.d/libvirt/libvirt-@{uuid} rw,
+ @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
 /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index 1d3735e8f..c7612907f 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/blkid
-profile blkid @{exec_path} {
+profile blkid @{exec_path} flags=(complain ) {
 include
 include
 include
@@ -23,8 +23,8 @@ profile blkid @{exec_path} {
 @{run}/blkid/blkid.tab{,-*} rw,
 @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 # When the system doesn't have the /run/ dir, the cache file is placed under /etc/
- /etc/blkid.tab{,-*} rw,
- /etc/blkid.tab.old rwl -> /etc/blkid.tab,
+ @{etc_rw}/blkid.tab{,-*} rw,
+ @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,
 # For the EVALUATE=scan method
 @{PROC}/partitions r,
diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script
index 2984b0e58..49610d7b4 100644
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/dhclient-script
-profile dhclient-script @{exec_path} {
+profile dhclient-script @{exec_path} flags=(complain ) {
 include
 include
 include
@@ -50,9 +50,9 @@ profile dhclient-script @{exec_path} {
 /etc/fstab r,
 /etc/iproute2/rt_tables r,
 /etc/iproute2/rt_tables.d/{,*} r,
- /etc/resolv.conf rw,
- /etc/resolv.conf.dhclient-new.@{pid} rw,
- /etc/samba/dhcp.conf{,.new} rw,
+ @{etc_rw}/resolv.conf rw,
+ @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw,
+ @{etc_rw}/samba/dhcp.conf{,.new} rw,
 /var/lib/dhcp/dhclient.leases r,
 /var/lib/samba/dhcp.conf{,.new} rw,
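Review bot: `/etc/apparmor.d/libvirt/* r,` is left on the literal `/etc` prefix while the `libvirt-@{uuid} rw` rule directly beneath it moves to `@{etc_rw}`, so if `@{etc_rw}` expands to anything other than `/etc`, virt-aa-helper can write the per-domain profile in the new location but cannot read the other files that live beside it. If reading siblings is still required, change the line to `@{etc_rw}/apparmor.d/libvirt/* r,` or keep both prefixes. The profile body continues outside the hunk.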
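Review bot: The link rule `@{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,` converts the source path but keeps a hard-coded `/etc/blkid.tab` as the link target, so on a system where `@{etc_rw}` is not `/etc` the link from the cache file will be denied even though the `rw` rule above it was updated. The target should use the same variable: `@{etc_rw}/blkid.tab.old rwl -> @{etc_rw}/blkid.tab,`, matching the `@{run}` rule two lines up, which uses one prefix on both sides. The profile continues outside the hunk.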
@@ -68,7 +68,7 @@ profile dhclient-script @{exec_path} {
 owner @{PROC}/@{pid}/loginuid r,
 @{PROC}/sys/net/ipv6/conf/*/stable_secret w,
- profile run-parts {
+ profile run-parts flags=(complain ) {
 include
 /{usr/,}bin/run-parts mr,
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index 1d5ccac2e..994067a00 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/lvm
-profile lvm @{exec_path} {
+profile lvm @{exec_path} flags=(complain) {
 include
 include
 include
@@ -19,7 +19,7 @@ profile lvm @{exec_path} {
 @{exec_path} rm,
- /etc/lvm/** r,
+ @{etc_rw}/lvm/** r,
 @{run}/lvm/** rwk,
 @{run}/lock/lvm/* rwk,
diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig
index 3172a4575..b6a20be8f 100644
--- a/apparmor.d/profiles-g-l/lvmconfig
+++ b/apparmor.d/profiles-g-l/lvmconfig
@@ -7,14 +7,13 @@ abi ,
 include
 @{exec_path} = /{usr/,}{s,}bin/lvmconfig
-profile lvmconfig @{exec_path} {
+profile lvmconfig @{exec_path} flags=(complain) {
 include
 include
 @{exec_path} rm,
- /etc/lvm/** rw,
+ @{etc_rw}/lvm/** rw,
 include if exists
 }
-
diff --git a/apparmor.d/profiles-m-r/polipo b/apparmor.d/profiles-m-r/polipo
index e2d9a0c33..cd840559f 100644
--- a/apparmor.d/profiles-m-r/polipo
+++ b/apparmor.d/profiles-m-r/polipo
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/polipo
-profile polipo @{exec_path} {
+profile polipo @{exec_path} flags=(complain ) {
 include
 @{exec_path} mr,
@@ -22,7 +22,7 @@ profile polipo @{exec_path} {
 owner @{HOME}/.polipo-cache/{,*} rw,
 # Nameservice
- /etc/resolv.conf r,
+ @{etc_rw}/resolv.conf r,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf
index d5b5fdb8c..feddad0a8 100644
--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
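Review bot: `profile run-parts flags=(complain ) {` carries a stray space before the closing parenthesis, and the same `(complain )` spelling appears on the blkid, dhclient-script, polipo and virt-aa-helper profile lines while lvm, lvmconfig and resolvconf use `(complain)`; the parser accepts both, but the inconsistency will trip any flag-stripping or grep-based tooling that expects one form. Normalise to `flags=(complain)` everywhere and pick one position for the flag relative to `attach_disconnected`, since the patch uses both orders. The child profile body continues outside the hunk.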
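Review bot: `@{etc_rw}/lvm/** r,` replaces a read-only rule on `/etc/lvm`, and lvm only needs to read its configuration; a variable whose name suggests the writable overlay location is only a safe substitute here if it is defined to expand to a set that still includes `/etc`, otherwise reading the stock `/etc/lvm/lvm.conf` on an ordinary writable root is lost. If the variable is `/etc` plus the overlay path this is fine and a one-line comment saying so would help the next reader; if not, keep `/etc/lvm/** r,` next to the new line. The profile continues outside the hunk.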
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}sbin/resolvconf
-profile resolvconf @{exec_path} {
+profile resolvconf @{exec_path} flags=(complain) {
 include
 include
@@ -26,7 +26,7 @@ profile resolvconf @{exec_path} {
 /usr/lib/resolvconf/{,**} r,
- /etc/resolv.conf rw,
+ @{etc_rw}/resolv.conf rw,
 /etc/resolvconf/{,**} r,
 /etc/resolvconf/update.d/libc rix,
@@ -36,4 +36,4 @@ profile resolvconf @{exec_path} {
 /dev/tty rw,
 include if exists
-}
\ No newline at end of file
+}