diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf
index c21974212..1d9a6d145 100644
--- a/apparmor.d/abstractions/common/debconf
+++ b/apparmor.d/abstractions/common/debconf
@@ -9,11 +9,18 @@ include
 include
 include
+ @{sh_path} rix,
+ @{bin}/locale ix,
+ @{bin}/whiptail Px,
+
 /usr/share/debconf/frontend rix,
 /usr/share/debconf/confmodule r,
 /etc/debconf.conf r,
+ /var/ r,
+ /var/cache/ r,
+ /var/cache/debconf/ r,
 owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
 include if exists
diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend
index 5ec13fcff..a8f7057e7 100644
--- a/apparmor.d/groups/apt/debconf-frontend
+++ b/apparmor.d/groups/apt/debconf-frontend
@@ -20,9 +20,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
 @{exec_path} r,
- @{sh_path} rix,
 @{bin}/hostname ix,
- @{bin}/locale ix,
 @{bin}/lsb_release Px -> lsb_release,
 @{bin}/stty ix,
 @{sbin}/update-secureboot-policy Px,
@@ -32,7 +30,6 @@ profile debconf-frontend @{exec_path} flags=(complain) {
 @{bin}/debconf-apt-progress Px,
 @{bin}/linux-check-removal Px,
 @{bin}/ucf Px,
- @{bin}/whiptail Px,
 @{sbin}/aspell-autobuildhash Px,
 @{sbin}/pam-auth-update Px,
 @{lib}/tasksel/tasksel-debconf Px -> tasksel,
@@ -45,7 +42,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
 # Package maintainer's scripts
 /var/lib/dpkg/info/*.@{dpkg_script_ext} Px,
 /var/lib/dpkg/info/*.control r,
- /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px,
+ /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts,
 # DKMS scipts
 @{lib}/dkms/common.postinst rPUx,
diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor
index 9de0ce0b4..73b14390a 100644
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ b/apparmor.d/groups/apt/dpkg-script-apparmor
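Review bot: The `@{sh_path} rix,` added at the top of abstractions/common/debconf hands an in-profile shell to every profile that includes the abstraction, which is the broadest grant in this diff, and nothing in the hunk records why a shared abstraction needs it; the reason is presumably that debconf's confmodule re-executes the calling maintainer script through the frontend and sh, but that should be written down rather than guessed by the next reader. I would put one comment above the three new exec rules, e.g. `# sh, locale and whiptail are needed by every debconf client (confmodule re-execs the caller under the frontend); sh deliberately inherits the including profile`, corrected if the rationale differs. Note also that `@{bin}/whiptail Px,` has no fallback, so every includer now depends on the whiptail profile being loaded; that matches the profiles this commit strips the rule from, but any other includer of this abstraction inherits the requirement too.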
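Review bot: The new `Px -> dpkg-scripts` on `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext}` pins an explicit target while the `/var/lib/dpkg/info/*.@{dpkg_script_ext} Px,` rule two lines above relies on attachment by path, and the hunk does not say why the two differ. If the reason is that scripts still sitting in tmp.ci/ carry no package name in their path, so the per-package dpkg-script-* profiles cannot attach and only the generic one can, a comment such as `# tmp.ci/ scripts are not yet named after their package, so per-package profiles cannot attach: force the generic dpkg-scripts profile` would save the detour. The debconf-frontend profile starts before this hunk and continues after it.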
@@ -10,11 +10,9 @@ include
 profile dpkg-script-apparmor @{exec_path} {
 include
 include
- include
 @{exec_path} mrix,
- @{sh_path} rix,
 @{bin}/grep ix,
 @{bin}/deb-systemd-helper Px,
diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux
index 52c74c192..d6a8db473 100644
--- a/apparmor.d/groups/apt/dpkg-script-linux
+++ b/apparmor.d/groups/apt/dpkg-script-linux
@@ -13,10 +13,7 @@ profile dpkg-script-linux @{exec_path} {
 @{exec_path} mrix,
- @{sh_path} rix,
 @{bin}/cat ix,
- @{bin}/locale ix,
- @{bin}/mkdir ix,
 @{bin}/mkdir ix,
 @{bin}/rm ix,
 @{bin}/run-parts ix,
@@ -26,7 +23,6 @@ profile dpkg-script-linux @{exec_path} {
 @{bin}/kmod Px,
 @{bin}/linux-check-removal Px,
 @{bin}/linux-update-symlinks Px,
- @{bin}/whiptail Px,
 @{bin}/dpkg-maintscript-helper Px,
 /usr/share/{update,reboot}-notifier/notify-reboot-required Px,
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
index 713f2981f..4acafd139 100644
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@@ -10,12 +10,9 @@ include
 profile dpkg-script-systemd @{exec_path} {
 include
 include
- include
 @{exec_path} mrix,
- @{sh_path} rix,
- @{coreutils_path} rix,
 @{bin}/bootctl Px,
 @{bin}/deb-systemd-helper Px,
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index e765b334c..f1c56bd49 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -31,7 +31,6 @@ profile dpkg-scripts @{exec_path} {
 @{bin}/getent ix,
 @{bin}/gzip ix,
 @{bin}/helpztags ix,
- @{bin}/locale ix,
 @{bin}/tput ix,
 @{bin}/zcat ix,
 @{lib}/ubuntu-advantage/cloud-id-shim.sh ix,
diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures
index 310138595..f09ba540d 100644
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@@ -13,10 +13,9 @@ profile grub-check-signatures @{exec_path} {
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/mktemp rix,
- @{bin}/od rix,
+ @{bin}/{m,g,}awk ix,
+ @{bin}/mktemp ix,
+ @{bin}/od ix,
 owner @{tmp}/tmp.@{rand10}/ rw,
diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal
index 40eb26b93..04d2f0330 100644
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
@@ -14,12 +14,7 @@ profile linux-check-removal @{exec_path} {
 @{exec_path} rmix,
- @{sh_path} rix,
 @{bin}/stty rix,
- @{bin}/locale rix,
- @{bin}/whiptail rPx,
-
- audit owner @{tmp}/file* w,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index c2bc8b2b6..5d5e76ed5 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -40,7 +40,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 @{bin}/whiptail rPx,
 @{bin}/who rix,
 @{lib}/needrestart/* rPx,
- /usr/share/debconf/frontend rix,
+ /usr/share/debconf/frontend rCx -> debconf,
 /etc/debconf.conf r,
 /etc/init.d/* r,
@@ -97,6 +97,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 include if exists
 }
+ profile debconf {
+ include
+ include
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update
index 655ed9d40..aff011389 100644
--- a/apparmor.d/profiles-m-r/pam-auth-update
+++ b/apparmor.d/profiles-m-r/pam-auth-update
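Review bot: The new child profile `debconf` in the second needrestart hunk holds nothing but includes, so everything the frontend may do is decided by the abstraction it pulls in (its target is not visible here), and there is no comment explaining why the frontend was moved out of the parent. A one-line rationale above it, `# Run the debconf frontend, and the sh/whiptail it spawns, in a child so needrestart itself gains no shell`, would record the intent; and if the frontend is the only thing that launches whiptail, the parent's `@{bin}/whiptail rPx,` still present in the first hunk is now dead and could be dropped. Child profiles do not inherit the parent's flags, so should the frontend ever need the `attach_disconnected` the parent carries, it has to be set on `profile debconf` explicitly. The needrestart profile starts before these hunks.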
@@ -10,56 +10,18 @@ include
 @{exec_path} = @{sbin}/pam-auth-update
 profile pam-auth-update @{exec_path} flags=(complain) {
 include
- include
- include
+ include
 @{exec_path} mr,
- @{bin}/md5sum rix,
- @{bin}/cp rix,
+ @{bin}/md5sum ix,
+ @{bin}/cp ix,
- # Think what to do about this (#FIXME#)
- /usr/share/debconf/frontend rPx,
- #/usr/share/debconf/frontend rCx -> frontend,
-
- /etc/pam.d/* rw,
- /var/lib/pam/* rw,
 /usr/share/pam{,-configs}/{,*} r,
+ /etc/pam.d/* rw,
- profile frontend flags=(complain) {
- include
- include
- include
- include
-
- /usr/share/debconf/frontend r,
-
- @{sbin}/pam-auth-update rPx,
-
- @{sh_path} rix,
- @{bin}/stty rix,
- @{bin}/locale rix,
-
- /etc/debconf.conf r,
- owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
- /usr/share/debconf/templates/adequate.templates r,
-
- # The following is needed when debconf uses GUI frontends.
- include
- include
- include
- include
- capability dac_read_search,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/hostname rix,
- owner @{PROC}/@{pid}/mounts r,
- @{HOME}/.Xauthority r,
-
- /etc/shadow r,
-
- include if exists
- }
+ /var/lib/pam/* rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel
index f4900f225..8a33649a0 100644
--- a/apparmor.d/profiles-s-z/tasksel
+++ b/apparmor.d/profiles-s-z/tasksel
@@ -14,9 +14,8 @@ profile tasksel @{exec_path} flags=(complain) {
 @{exec_path} r,
- @{sh_path} rix,
- @{bin}/tempfile rix,
- @{lib}/tasksel/tasksel-debconf rix,
+ @{bin}/tempfile ix,
+ @{lib}/tasksel/tasksel-debconf ix,
 @{lib}/tasksel/tests/* Cx -> tasksel-tests,
 # Do not strip env to avoid errors like the following:
@@ -29,13 +28,11 @@ profile tasksel @{exec_path} flags=(complain) {
 /usr/share/tasksel/{,**} r,
- owner @{tmp}/file* w,
-
 profile tasksel-tests flags=(complain) {
 include
- @{lib}/tasksel/tests/* r,
 @{sh_path} rix,
+ @{lib}/tasksel/tests/* r,
 include if exists
 }
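Review bot: The hunk deletes the separate `frontend` child that confined `/usr/share/debconf/frontend` via `rPx` and adds a single include whose target is not visible here, presumably abstractions/common/debconf, which grants `/usr/share/debconf/frontend rix` and `@{sh_path} rix`; if so, the debconf frontend and the shell it spawns now run directly inside pam-auth-update, a profile that keeps `/etc/pam.d/* rw` and `/var/lib/pam/* rw`. That is a wider grant than before, and this same commit takes the opposite route for needrestart (`rCx -> debconf` into a child that only includes the abstraction); I would do the same here, moving the debconf include from the parent into the child, since the parent cannot hold both the abstraction's `rix` and an `rCx` rule for the same path. The profile stays `flags=(complain)`, so a denial caused by the new layout is only logged, which makes this easy to overlook in testing. Dropping the old child's `/etc/shadow r,` is a good side effect and should be kept.
```apparmor
profile pam-auth-update @{exec_path} flags=(complain) {
  # … unchanged: remaining includes, md5sum/cp, pam paths (debconf include removed from here) …

  /usr/share/debconf/frontend rCx -> debconf,

  profile debconf {
    include <abstractions/base>
    include <abstractions/common/debconf>

    # … local override include, as the removed frontend child had …
  }

  # … unchanged: trailing include if exists …
}
```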
diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy
index f8581f532..31a03ef7b 100644
--- a/apparmor.d/profiles-s-z/update-secureboot-policy
+++ b/apparmor.d/profiles-s-z/update-secureboot-policy
@@ -14,15 +14,14 @@ profile update-secureboot-policy @{exec_path} {
 @{exec_path} rm,
- @{sh_path} rix,
- @{bin}/{,m,g}awk rix,
- @{bin}/dpkg-trigger rPx,
- @{bin}/find rix,
- @{bin}/id rix,
- @{bin}/od rix,
- @{bin}/sort rix,
- @{bin}/touch rix,
- @{bin}/wc rix,
+ @{bin}/{,m,g}awk ix,
+ @{bin}/dpkg-trigger Px,
+ @{bin}/find ix,
+ @{bin}/id ix,
+ @{bin}/od ix,
+ @{bin}/sort ix,
+ @{bin}/touch ix,
+ @{bin}/wc ix,
 / r,