update apparmor profiles

Co-authored-by: Mikhail Morfikov <mmorfikov@gmail.com> Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2022-02-27 01:22:35 +00:00 · 2022-02-27 01:22:35 +00:00 · d701e39939
commit d701e39939
parent b0690c0e55
201 changed files with 540 additions and 608 deletions
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@ -23,14 +23,20 @@ profile ifup @{exec_path} {
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/ip         rix,
  /{usr/,}bin/sleep      rix,
+  /{usr/,}bin/seq        rix,

  /{usr/,}{s,}bin/dhclient  rPx,
  /{usr/,}bin/macchanger rPx,

+  /{usr/,}lib/ifupdown/*.sh rix,
+
  /{usr/,}bin/run-parts  rCx -> run-parts,
+  /{usr/,}bin/kmod       rCx -> kmod,
+  /{usr/,}sbin/sysctl    rCx -> sysctl,

  /etc/network/interfaces r,
  /etc/network/interfaces.d/{,*} r,
+  /etc/iproute2/rt_scopes r,

  @{run}/network/ rw,
  @{run}/network/{.,}ifstate* rwk,
@ -82,5 +88,37 @@ profile ifup @{exec_path} {

  }

+  profile kmod {
+    include <abstractions/base>
+
+    /{usr/,}bin/kmod mr,
+
+    @{sys}/module/** r,
+
+    @{PROC}/cmdline r,
+    @{PROC}/modules r,
+
+    /etc/modprobe.d/ r,
+    /etc/modprobe.d/*.conf r,
+
+  }
+
+  profile sysctl {
+    include <abstractions/base>
+
+#    capability mac_admin,
+#    capability sys_admin,
+#    capability sys_resource,
+
+    /{usr/,}sbin/sysctl mr,
+
+    @{PROC}/sys/ r,
+    @{PROC}/sys/** r,
+
+    @{PROC}/sys/net/ipv6/conf/*/accept_ra rw,
+    @{PROC}/sys/net/ipv6/conf/*/autoconf rw,
+
+  }
+
  include if exists <local/ifup>
 }