fix(profile): fixes some issues raised by tests.

2025-07-22 23:54:40 +02:00 · 2025-07-22 23:54:40 +02:00 · d8b1d1b4ae
commit d8b1d1b4ae
parent b30abed34f
4 changed files with 35 additions and 22 deletions
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -10,6 +10,7 @@
  # Allow to receive some signals from new well-known profiles
  signal (receive)                           peer=btop,
  signal (receive)                           peer=htop,
+  signal (receive)                           peer=pkill,
  signal (receive)                           peer=sudo,
  signal (receive)                           peer=top,
  signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
--- a/apparmor.d/groups/utils/lsfd
+++ b/apparmor.d/groups/utils/lsfd
@ -11,15 +11,25 @@ profile lsfd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

+  capability bpf,
  capability checkpoint_restore,
  capability dac_read_search,
+  capability net_admin,
  capability sys_admin,
+  capability sys_chroot,
  capability sys_ptrace,
  capability sys_resource,
  capability syslog,

+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 raw,
+  network inet6 stream,
+  network inet6 stream,
  network netlink dgram,
  network netlink raw,
+  network packet dgram,

  ptrace read,
  ptrace trace,
@ -46,12 +56,12 @@ profile lsfd @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/net/* r,
  @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/syscall r,
  @{PROC}/@{pid}/task/ r,
  @{PROC}/devices r,
  @{PROC}/misc r,
  @{PROC}/partitions r,
  @{PROC}/tty/drivers r,
-  owner @{PROC}/@{pid}/syscall r,

  include if exists <local/lsfd>
 }
--- a/apparmor.d/groups/utils/lsipc
+++ b/apparmor.d/groups/utils/lsipc
@ -27,6 +27,8 @@ profile lsipc @{exec_path} {
  @{PROC}/sysvipc/sem r,
  @{PROC}/sysvipc/shm r,

+  /dev/mqueue/ r,
+
  include if exists <local/lsipc>
 }

--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -96,11 +96,11 @@ profile mkinitramfs @{exec_path} {
  /var/tmp/ r,
  /var/tmp/mkinitramfs_@{rand6}/** w,
  /var/tmp/modules_@{rand6} rw,
-  owner /var/tmp/mkinitramfs_@{rand6} rw,
-  owner /var/tmp/mkinitramfs_@{rand6}/ rw,
-  owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
-  owner /var/tmp/mkinitramfs-@{rand6} rw,
-  owner /var/tmp/mkinitramfs-*_@{rand6} rw,
+  /var/tmp/mkinitramfs_@{rand6} rw,
+  /var/tmp/mkinitramfs_@{rand6}/ rw,
+  /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
+  /var/tmp/mkinitramfs-@{rand6} rw,
+  /var/tmp/mkinitramfs-*_@{rand6} rw,

  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,