From 035e1da7b205798df14468333ce43a491889f7e3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 15 Jun 2024 16:40:11 +0100
Subject: [PATCH] feat(abs): add udevadm app abstraction.
---
 apparmor.d/abstractions/app/udevadm | 26 +++++++++++++++++++
 .../groups/display-manager/x11-xsession | 13 +---------
 apparmor.d/groups/network/netplan.script | 6 +----
 apparmor.d/profiles-a-f/f3fix | 22 +++-------------
 apparmor.d/profiles-a-f/fatresize | 22 +++-------------
 apparmor.d/profiles-g-l/gparted | 8 +-----
 apparmor.d/profiles-g-l/gpartedbin | 18 ++-----------
 apparmor.d/profiles-g-l/hw-probe | 14 ++--------
 apparmor.d/profiles-g-l/hwinfo | 16 ++----------
 apparmor.d/profiles-g-l/inxi | 10 +------
 apparmor.d/profiles-m-r/parted | 20 +++-------
 apparmor.d/profiles-m-r/partprobe | 22 +++-------------
 apparmor.d/profiles-s-z/sensors-detect | 8 +-----
 apparmor.d/profiles-s-z/xinit | 24 +----------------
 14 files changed, 51 insertions(+), 178 deletions(-)
 create mode 100644 apparmor.d/abstractions/app/udevadm
diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm
new file mode 100644
index 00000000..1c36ea8b
--- /dev/null
+++ b/apparmor.d/abstractions/app/udevadm
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ ptrace read peer=@{p_systemd},
+
+ @{bin}/udevadm mr,
+
+ /etc/udev/udev.conf r,
+
+ @{run}/udev/data/* r,
+
+ @{sys}/** r,
+
+ @{PROC}/1/cgroup r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/sched r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/boot_id r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/stat r,
+
+ include if exists
+
+# vim:syntax=apparmor
\ No newline at end of file
diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession
index bafc9a31..39169eaf 100644
--- a/apparmor.d/groups/display-manager/x11-xsession
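Review bot: The new abstraction grants `@{sys}/** r` and `@{run}/udev/data/* r` to every child profile that includes it, which is wider than what several of the converted children allowed before: x11-xsession, hw-probe and xinit listed only `@{sys}/bus/`, `@{sys}/class/` and `@{sys}/devices/**/uevent`, inxi only `@{sys}/devices/@{pci}/block/**/uevent r` and `@{run}/udev/data/b* r`, and netplan.script and sensors-detect had no sysfs access at all. Either keep the abstraction at the intersection those children need and leave `@{sys}/** r` in gparted and hwinfo, which already had it, or state in the header that the broad sysfs read is intentional. The file also has no purpose comment; a line after the SPDX header such as `# Rules common to the "profile udevadm" child profiles: peer-restricted ptrace read plus the sysfs, udev and /proc paths udevadm reads` would tell the next profile author when to include it and what it deliberately does not cover (device nodes and inherited fds stay in the parent). The include targets are stripped in this rendering, so the trailing `include if exists` is assumed to be the local override.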
+++ b/apparmor.d/groups/display-manager/x11-xsession
@@ -139,18 +139,7 @@ profile x11-xsession @{exec_path} {
 profile udevadm {
 include
- include
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{sys}/bus/ r,
- @{sys}/bus/*/devices/ r,
- @{sys}/class/ r,
- @{sys}/class/*/ r,
- @{sys}/devices/**/uevent r,
- @{run}/udev/data/* r,
+ include
 include if exists
 }
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index b72b5c8a..dacb3711 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -34,11 +34,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 profile udevadm {
 include
- include
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
+ include
 @{run}/udev/control rw,
 @{run}/udev/rules.d/90-netplan.rules rw,
diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix
index f31f6cfe..307e3270 100644
--- a/apparmor.d/profiles-a-f/f3fix
+++ b/apparmor.d/profiles-a-f/f3fix
@@ -37,26 +37,12 @@ profile f3fix @{exec_path} {
 profile udevadm {
 include
+ include
+ include
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/cgroup r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
- # file_inherit
- /dev/sd[a-z]* rw,
+ ptrace read,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize
index 08d5124a..261aea0e 100644
--- a/apparmor.d/profiles-a-f/fatresize
+++ b/apparmor.d/profiles-a-f/fatresize
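Review bot: The added `ptrace read,` in f3fix's udevadm child has no `peer=` restriction, so it subsumes the abstraction's `ptrace read peer=@{p_systemd},` and keeps the child able to ptrace-read any peer, confined or not; if the old `ptrace (read),` was only there for the `@{PROC}/1/*` reads that the abstraction now covers, the line can go, otherwise name the extra peer with `peer=`. Separately, the `# file_inherit` rule `/dev/sd[a-z]* rw,` is removed and nothing in the new abstraction carries it; the same happens to `/dev/{s,v}d[a-z]* rw,` in fatresize and to `/dev/mapper/control rw,` in gpartedbin and partprobe. The include targets are stripped in this rendering, so if the second added `include` is an abstraction that already grants those device nodes this is fine, but if it is not, the device descriptors these tools pass to udevadm will start showing up as file_inherit denials. The parent profiles' bodies continue outside these hunks.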
@@ -36,26 +36,10 @@ profile fatresize @{exec_path} {
 profile udevadm {
 include
+ include
+ include
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/cgroup r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
- # file_inherit
- /dev/{s,v}d[a-z]* rw,
-
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted
index 1e6be52c..ca42f466 100644
--- a/apparmor.d/profiles-g-l/gparted
+++ b/apparmor.d/profiles-g-l/gparted
@@ -60,16 +60,10 @@ profile gparted @{exec_path} {
 profile udevadm {
 include
- include
+ include
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{sys}/** r,
 @{sys}/devices/virtual/block/**/uevent rw,
 @{sys}/devices/@{pci}/block/**/uevent rw,
- @{run}/udev/data/* r,
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index ede60499..dc3b1fe1 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -132,24 +132,10 @@ profile gpartedbin @{exec_path} {
 profile udevadm {
 include
+ include
 include
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{PROC}/1/environ r,
- @{PROC}/1/sched r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
- owner @{PROC}/@{pid}/cgroup r,
- owner @{PROC}/@{pid}/stat r,
-
- /dev/mapper/control rw,
-
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 8c179e0d..be591613 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
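Review bot: gparted's udevadm child keeps `@{sys}/devices/virtual/block/**/uevent rw,` and `@{sys}/devices/@{pci}/block/**/uevent rw,` next to the abstraction's `@{sys}/** r`, and nothing on the new side says why this child alone needs write access to uevent while gpartedbin's does not. A comment above the two rules, e.g. `# w on uevent: presumably for udevadm trigger — confirm`, would keep a later cleanup from folding them into the abstraction or dropping the `w`. If the write is in fact not needed, the two lines can go now that the read side is covered by the abstraction.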
@@ -163,19 +163,9 @@ profile hw-probe @{exec_path} {
 include if exists
 }
- profile udevadm {
+ profile udevadm flags=(attach_disconnected) {
 include
- include
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{sys}/bus/ r,
- @{sys}/bus/*/devices/ r,
- @{sys}/class/ r,
- @{sys}/class/*/ r,
- @{sys}/devices/**/uevent r,
+ include
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo
index 277ce6e7..23cb006c 100644
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@@ -92,23 +92,11 @@ profile hwinfo @{exec_path} {
 profile udevadm {
 include
+ include
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- owner @{PROC}/@{pid}/stat r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/sys/kernel/osrelease r,
-
- @{sys}/** r,
- @{run}/udev/data/* r,
-
- # file_inherit
 owner @{tmp}/hwinfo*.txt rw,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi
index 9f563229..bc59dedb 100644
--- a/apparmor.d/profiles-g-l/inxi
+++ b/apparmor.d/profiles-g-l/inxi
@@ -138,15 +138,7 @@ profile inxi @{exec_path} {
 profile udevadm {
 include
- include
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{run}/udev/data/b* r,
-
- @{sys}/devices/@{pci}/block/**/uevent r,
+ include
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted
index c403e701..2b02eb39 100644
--- a/apparmor.d/profiles-m-r/parted
+++ b/apparmor.d/profiles-m-r/parted
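Review bot: The hw-probe udevadm child gains `flags=(attach_disconnected)` in the same hunk that swaps its rules for the abstraction, and neither the commit title nor the diffstat line for this file hints at it. That flag makes paths that are disconnected from the namespace root match the child's rules as if they were rooted at `/`, so it widens what `@{sys}/** r` and the other path rules in the abstraction reach, and it is the only udevadm child in this commit that gets it. It deserves its own commit, or at least a comment on the line such as `# attach_disconnected: needed because <reason — to be filled in>`, so the next reader does not take it for part of the refactor.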
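Review bot: The `# file_inherit` comment is removed from hwinfo's udevadm child while the rule it explains, `owner @{tmp}/hwinfo*.txt rw,`, stays; without the marker the next reader will take it for a rule udevadm needs on its own and may drop it or move it into the abstraction. The same happens in parted, where `# file_inherit` is removed but the `include … # lots of files in this abstraction get inherited` and `owner @{user_img_dirs}/{,**} rwk,` lines it introduced are kept. Keep the comment on the new side, `# file_inherit` directly above `owner @{tmp}/hwinfo*.txt rw,`, and likewise above the retained lines in parted.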
@@ -48,26 +48,12 @@ profile parted @{exec_path} {
 profile udevadm {
 include
+ include
+ include
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{PROC}/1/cgroup r,
- @{PROC}/1/environ r,
- @{PROC}/1/sched r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
- owner @{PROC}/@{pid}/cgroup r,
- owner @{PROC}/@{pid}/stat r,
-
- # file_inherit
 include # lots of files in this abstraction get inherited
 owner @{user_img_dirs}/{,**} rwk,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe
index d1fade82..3138c13e 100644
--- a/apparmor.d/profiles-m-r/partprobe
+++ b/apparmor.d/profiles-m-r/partprobe
@@ -43,26 +43,10 @@ profile partprobe @{exec_path} {
 profile udevadm {
 include
+ include
+ include
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/cgroup r,
- @{PROC}/cmdline r,
- @{PROC}/1/sched r,
- @{PROC}/1/environ r,
- @{PROC}/1/cgroup r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- # file_inherit
- include # lots of files in this abstraction get inherited
- /dev/mapper/control rw,
-
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect
index 820c31d1..6fcc6cac 100644
--- a/apparmor.d/profiles-s-z/sensors-detect
+++ b/apparmor.d/profiles-s-z/sensors-detect
@@ -41,13 +41,7 @@ profile sensors-detect @{exec_path} {
 profile udevadm {
 include
- include
-
- capability sys_ptrace,
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
+ include
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit
index 03ec3ff9..a789cc90 100644
--- a/apparmor.d/profiles-s-z/xinit
+++ b/apparmor.d/profiles-s-z/xinit
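Review bot: sensors-detect's udevadm child loses `capability sys_ptrace,` and gets only the abstraction's `ptrace read peer=@{p_systemd},` in return; it was the only converted child that carried the capability, and nothing in the commit says whether it was found to be unnecessary or is being deliberately tightened. If it was there for a reason, the child will start logging a `capability sys_ptrace` denial after this lands, which is easy to miss in a commit whose title only says it adds an abstraction. A line in the description such as `sensors-detect: drop capability sys_ptrace, the ptrace read rule in the abstraction is enough` would record the decision. The parent profile continues outside the hunk.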
@@ -92,29 +92,7 @@ profile xinit @{exec_path} {
 profile udevadm {
 include
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- @{run}/udev/data/* r,
-
- @{sys}/bus/ r,
- @{sys}/bus/*/devices/ r,
- @{sys}/class/ r,
- @{sys}/class/*/ r,
- @{sys}/devices/**/uevent r,
- @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
- @{PROC}/1/environ r,
- @{PROC}/1/sched r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/osrelease r,
- owner @{PROC}/@{pid}/stat r,
-
- # file_inherit
- owner /dev/tty@{int} rw,
- owner @{HOME}/.xsession-errors w,
+ include
 include if exists
 }
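Review bot: xinit's udevadm child drops the two `# file_inherit` rules `owner /dev/tty@{int} rw,` and `owner @{HOME}/.xsession-errors w,` and replaces them with nothing: the new abstraction carries no tty or session-log rule, and the only other line in the child is the base include. udevadm started from xinit inherits the session's stdout/stderr, so those descriptors will now be reported as file_inherit denials against the child. Keep the three lines on the new side: `# file_inherit`, `owner /dev/tty@{int} rw,`, `owner @{HOME}/.xsession-errors w,`. The include target is stripped in this rendering, so this assumes the single added `include` is the udevadm abstraction.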