feat(profiles): general update.

2022-06-25 00:16:05 +01:00 · 2022-06-25 00:16:05 +01:00 · fcbe764ccf
commit fcbe764ccf
parent e942c057bd
36 changed files with 154 additions and 74 deletions
--- a/apparmor.d/groups/ubuntu/apt-esm-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-hook
@ -14,7 +14,7 @@ profile apt-esm-hook @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/dpkg  rPx,
+  /{usr/,}bin/dpkg  rPx -> child-dpkg,

  /etc/machine-id r,

--- a/apparmor.d/groups/ubuntu/list-oem-metapackages
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages
@ -15,8 +15,8 @@ profile list-oem-metapackages @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/dpkg                                    rPx,
-  /{usr/,}bin/ischroot                                rix,
+  /{usr/,}bin/dpkg         rPx -> child-dpkg,
+  /{usr/,}bin/ischroot     rix,

  /etc/machine-id r,

--- a/apparmor.d/groups/ubuntu/packagekitd
+++ b/apparmor.d/groups/ubuntu/packagekitd
@ -53,7 +53,7 @@ profile packagekitd @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/dpkg  rPx,
+  /{usr/,}bin/dpkg  rPx -> child-dpkg,

  /usr/share/dpkg/tupletable r,
  /usr/share/dpkg/cputable r,
--- a/apparmor.d/groups/ubuntu/release-upgrade-motd
+++ b/apparmor.d/groups/ubuntu/release-upgrade-motd
@ -12,10 +12,14 @@ profile release-upgrade-motd @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/date        rix,
-  /{usr/,}bin/expr        rix,
-  /{usr/,}bin/stat        rix,
+  /{usr/,}bin/{,ba,da}sh          rix,
+  /{usr/,}bin/date                rix,
+  /{usr/,}bin/expr                rix,
+  /{usr/,}bin/stat                rix,
+  /{usr/,}bin/do-release-upgrade  rPx,
+
+  /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
+

  include if exists <local/release-upgrade-motd>
 }
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@ -14,7 +14,7 @@ profile ubuntu-report @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/dpkg rPx,
+  /{usr/,}bin/dpkg  rPx -> child-dpkg,

  owner @{user_cache_dirs}/ubuntu-report/{,*} r,

--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -16,6 +16,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
@ -25,9 +26,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
+  network netlink raw,

  dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
-       interface={org.debian{,.apt},org.freedesktop.DBus.{Introspectable,Properties}}
+       interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll},

  dbus send bus=system path=/org/freedesktop/DBus
@ -46,9 +48,13 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.login[0-9].Manager
       member=Inhibit,

+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=StateChanged,
+
  @{exec_path} mr,

-  /{usr/,}bin/dpkg                  rPx,
+  /{usr/,}bin/dpkg                  rPx -> child-dpkg,
  /{usr/,}bin/hwe-support-status    rPx,
  /{usr/,}bin/ischroot              rix,
  /{usr/,}bin/lsb_release           rPx -> lsb_release,
@ -56,12 +62,11 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/uname                 rix,
  /{usr/,}lib/apt/methods/http{,s}  rPx,

-  /usr/share/applications/{,**} r,
  /usr/share/distro-info/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
-  /usr/share/pixmaps/{,*} r,
+  /usr/share/themes/{,**} r,
  /usr/share/ubuntu-release-upgrader/{,**} r,
+  /usr/share/ubuntu/applications/{,**} r,
  /usr/share/update-manager/{,**} r,
  /usr/share/X11/{,**} r,

@ -83,6 +88,10 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/inhibit/*.ref w,

  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+        @{PROC}/@{pids}/mountinfo r,
+
+  /dev/ptmx rw,

  include if exists <local/update-manager>
 }
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -25,7 +25,7 @@ profile update-notifier @{exec_path} {
  /{usr/,}bin/ischroot                                rix,
  /{usr/,}bin/nice                                    rix,

-  /{usr/,}bin/dpkg                                    rPx,
+  /{usr/,}bin/dpkg                                    rPx -> child-dpkg,
  /{usr/,}bin/lsb_release                             rPx -> lsb_release,
  /{usr/,}bin/pkexec                                  rPx,
  /{usr/,}bin/systemctl                               rPx -> child-systemctl,