feat(profiles): first set of rules for Ubuntu Core support.

2023-02-19 18:22:18 +00:00 · 2023-02-19 18:22:18 +00:00 · ef292b585c
commit ef292b585c
parent 1316e0ddde
27 changed files with 351 additions and 92 deletions
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -12,10 +12,20 @@ profile snap @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
+  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>

+  capability sys_admin,
+
  unix (send, receive) type=stream peer=(label=apt),

+  mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-[0-9]*/,
+
+  dbus (send, receive) bus=session path=/org/freedesktop/
+         interface=org.freedesktop.systemd1.Manager
+         member={StartTransientUnit,JobRemoved}
+         peer=(name=:*, label=unconfined),
+
  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
       member=GetMountPoint
@ -23,6 +33,8 @@ profile snap @{exec_path} {

  @{exec_path} mrix,

+  /{usr/,}bin/mount rix,
+
  /{usr/,}bin/systemctl        rPx -> child-systemctl,

  /snap/{,**} rw,
@ -34,27 +46,34 @@ profile snap @{exec_path} {

  /var/lib/snapd/{,**} rwk,
  /var/cache/snapd/commands.db rwk,
+  /var/cache/snapd/names r,

-  owner @{HOME}/snap/{,**} rw,
+  @{HOME}/snap/{,**} rw,
+
+  owner /tmp/snapd-auto-import-mount-[0-9]*/ rw,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
  owner @{run}/user/@{uid}/systemd/notify rw,

+  @{run}/mount/utab r,
  @{run}/snapd.socket rw,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/features/ r,

-  owner @{PROC}/@{pids}/mountinfo r,
-        @{PROC}/@{pids}/cgroup r,
-        @{PROC}/cgroups r,
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/random/boot_id r,
-        @{PROC}/sys/kernel/random/uuid r,
-        @{PROC}/sys/kernel/seccomp/actions_avail r,
-        @{PROC}/version r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/mountinfo r,
+  @{PROC}/cgroups r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/random/boot_id r,
+  @{PROC}/sys/kernel/random/uuid r,
+  @{PROC}/sys/kernel/seccomp/actions_avail r,
+  @{PROC}/version r,
+
+  /dev/tty[0-9]* rw,
+  /dev/ttyS[0-9]* rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,

--- a/apparmor.d/profiles-s-z/snap-device-helper
+++ b/apparmor.d/profiles-s-z/snap-device-helper
@ -11,6 +11,7 @@ profile snap-device-helper @{exec_path} {
  include <abstractions/base>

  capability bpf,
+  capability dac_read_search,
  capability setgid,
  capability sys_resource,

--- a/apparmor.d/profiles-s-z/snap-discard-ns
+++ b/apparmor.d/profiles-s-z/snap-discard-ns
@ -11,6 +11,11 @@ profile snap-discard-ns @{exec_path} {
  include <abstractions/base>

  capability setgid,
+  capability sys_admin,
+
+  network netlink raw,
+
+  umount @{run}/snapd/ns/*.mnt,

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@ -14,10 +14,14 @@ profile snap-update-ns @{exec_path} {
  capability sys_admin,
  capability sys_chroot,

+  network netlink raw,
+
  mount -> /snap/**/,
  mount -> /usr/**/,
-  mount /snap/**/ ->  /tmp/.snap/**,
+  mount -> /var/lib/dhcp/,
+  mount /snap/**/ -> /tmp/.snap/**,
  umount /snap/**/,
+  umount /var/lib/dhcp/,

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -38,7 +38,7 @@ profile snapd @{exec_path} {

  mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/,
  umount /tmp/syscheck-mountpoint-[0-9]*/,
-  umount /snap/*/[0-9]*/,
+  umount /snap/*/*/,

  ptrace (read) peer=snap,
  ptrace (read) peer=unconfined,
@ -55,6 +55,13 @@ profile snapd @{exec_path} {

  @{exec_path} mr,

+  /{usr/,}{s,}bin/adduser              rPX,
+  /{usr/,}{s,}bin/groupadd             rPX,
+  /{usr/,}{s,}bin/useradd              rPX,
+  /{usr/,}bin/cloud-init              rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
+  /{usr/,}bin/hostnamectl              rPx,
+  /{usr/,}bin/ssh-keygen               rPx,
+
  /{usr/,}{s,}bin/apparmor_parser      rPx,
  /{usr/,}{s,}bin/runuser              rCx -> runuser,
  /{usr/,}bin/{,ba,da}sh               rix,
@ -82,13 +89,14 @@ profile snapd @{exec_path} {
  /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns   rPx,
  /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd            rix,

-  /usr/share/bash-completion/completions/{,**} r,
+  /usr/share/bash-completion/{,**} r,
  /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
  /usr/share/dbus-1/services/*snap* r,
  /usr/share/polkit-1/actions/{,**/} r,

  /etc/apparmor.d/*snapd.snap* r,
  /etc/dbus-1/system.d/{,**/} r,
+  /etc/environment r,
  /etc/fstab r,
  /etc/mime.types r,
  /etc/modprobe.d/{,**/} r,
@ -113,19 +121,26 @@ profile snapd @{exec_path} {
  /tmp/syscheck-squashfs-[0-9]* rw,
  /tmp/read-file[0-9]*/{,**} rw,

+
+  /boot/ r,
+  /boot/grub/grubenv r, 
+
  / r,
  /home/ r,
  @{HOME}/ r,
  @{HOME}/snap/{,**} rw,
+  @{HOME}/.snap*/{,**} rw,

  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rw,
  owner @{run}/mount/utab.lock wk,

+  @{run}/user/ r,
  @{run}/user/@{uid}/ r,
  @{run}/user/@{uid}/snapd-session-agent.socket rw,
  @{run}/user/snap.*/{,**} rw,

+  @{run}/mnt/ubuntu-seed/EFI/ubuntu/grubenv r,  # only:core
  @{run}/snapd*.socket rw,
  @{run}/snapd/{,**} rw,
  @{run}/snapd/lock/*.lock rwk,
@ -140,6 +155,7 @@ profile snapd @{exec_path} {
  @{sys}/kernel/security/apparmor/features/ r,
  @{sys}/kernel/security/apparmor/profiles r,

+  @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,

        @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -44,15 +44,19 @@ profile sudo @{exec_path} {
       member=CreateSession
       peer=(name=org.freedesktop.login[0-9]),

+  dbus (send receive) bus=session path=/org/freedesktop/systemd1
+         interface=org.freedesktop.systemd.Manager
+         member={JobRemoved,StartTransientUnit},
+
  @{exec_path} mr,

-  /run/ r,
+  @{libexec}/sudo/** mr,

-  @{libexec}/sudo/**                   mr,
-  /{usr/,}bin/{,b,d,rb}ash             rUx,
-  /{usr/,}bin/{c,k,tc,z}sh             rUx,
-  /{usr/,}lib/cockpit/cockpit-askpass  rPx,
-  /{usr/,}lib/molly-guard/molly-guard  rPx,
+  /snap/snapd/[0-9]*/usr/bin/snap        rPx,
+  /{usr/,}bin/{,b,d,rb}ash               rUx,
+  /{usr/,}bin/{c,k,tc,z}sh               rUx,
+  /{usr/,}lib/cockpit/cockpit-askpass    rPx,
+  /{usr/,}lib/molly-guard/molly-guard    rPx,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*} r,
@ -63,6 +67,7 @@ profile sudo @{exec_path} {
  /etc/sudoers.d/{,*} r,

        /var/db/sudo/lectured/ r,
+        /var/lib/extrausers/shadow r,
        /var/lib/sudo/lectured/ r,
        /var/lib/sudo/ts/ rw,
        /var/lib/sudo/ts/* rwk,
@ -72,6 +77,7 @@ profile sudo @{exec_path} {
  owner @{HOME}/.sudo_as_admin_successful rw,
  owner @{HOME}/.xsession-errors w,

+        @{run}/ r,
        @{run}/faillock/{,*} rwk,
        @{run}/resolvconf/resolv.conf r,
  owner @{run}/sudo/ rw,