General update

2025-01-18 00:48:10 +01:00 · 2022-08-01 18:31:32 +02:00 · 2022-08-01 18:31:32 +02:00 · 099a97cb36
commit 099a97cb36
parent 575d781c88
26 changed files with 137 additions and 23 deletions
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} {
  # Local keyring storage
  /etc/apt/keyrings/ r,
  /etc/apt/keyrings/*.{gpg,asc} r,
+  /usr/share/keyrings/ r,
+  /usr/share/keyrings/*.{gpg,asc} r,

  # Extrepo keyring storage
  /var/lib/extrepo/keys/*.{gpg,asc} r,
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -76,6 +76,7 @@ profile dpkg @{exec_path} {
  owner /tmp/apt-dpkg-install-*/ r,

  /var/log/dpkg.log w,
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,

  @{run}/systemd/userdb/ r,

--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged},
+       member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved},

  @{exec_path} mr,

@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
+  /etc/debian_version r,
+  /etc/dpkg/origins/{debian,ubuntu,} r,
+  /etc/issue{.net,} r,
+  /etc/legal r,
+  /etc/lsb-release r,
+  /etc/profile.d/* r,
+  /etc/update-motd.d/* r,
  /etc/update-manager/{,**} r,
  /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,

--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -20,6 +21,8 @@ profile fc-cache @{exec_path} {
  /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
  /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,

+  /var/tmp/mkinitramfs_*/{**,} rwl,
+
  # Silencer
  deny network inet6 stream,
  deny network inet stream,
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} {
     member=Get
     peer=(name=/org/freedesktop/hostname[0-9]),

+  dbus (send)
+     bus=system
+     path=/org.freedesktop.hostname[0-9]
+     interface=org.freedesktop.DBus.Prope
+     member=Get
+     peer=(name=/org/freedesktop/hostname[0-9]),
+
  @{exec_path} mrix,

  /{usr/,}@{libexec}/pulse/gsettings-helper mrix,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -14,6 +14,8 @@ profile gpg @{exec_path} {
  include <abstractions/user-download-strict>
  include <abstractions/nameservice-strict>

+  capability dac_read_search,
+
  network netlink raw,

  @{exec_path} mrix,
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@ -12,6 +12,8 @@ profile gpgconf @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

+  capability dac_read_search,
+
  @{exec_path} mrix,

  /{usr/,}bin/gpg-connect-agent rPx,
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@ -11,6 +11,8 @@ profile gpgsm @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

+  capability dac_read_search,
+
  @{exec_path} mr,

  deny /usr/bin/.gnupg/ w,
--- a/apparmor.d/groups/grub/grub-editenv
+++ b/apparmor.d/groups/grub/grub-editenv
@ -13,6 +13,8 @@ profile grub-editenv @{exec_path} flags=(complain) {

  @{exec_path} rm,

+  /boot/grub/grubenv rw,
+
  include if exists <local/grub-editenv>
 }

--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects,

+  dbus receive bus=system path=/org/freedesktop/ModemManager[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
       interface=org.freedesktop.PolicyKit[0-9].Authority
       member=Changed,
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/cp                  rix,
  /{usr/,}bin/dd                  rix,
  /{usr/,}bin/find                rix,
-  /{usr/,}bin/findmnt             rix,
+  /{usr/,}bin/findmnt             rPx,
  /{usr/,}bin/fsck                rix,
  /{usr/,}bin/gawk                rix,
  /{usr/,}bin/grep                rix,
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) {

  /etc/systemd/user/{,**} rwl,

+  @{run}/systemd/private rw,
+
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/1/environ r,
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -11,11 +11,24 @@ include <tunables/global>
 profile systemd-analyze @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
  include <abstractions/systemd-common>

  capability sys_resource,
  capability net_admin,

+  dbus send bus=system path=/org/freedesktop/systemd1
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/systemd1
+      interface=org.freedesktop.systemd1.Manager
+      member=ListUnits,
+
+  dbus send bus=system path=/org/freedesktop/systemd1/unit/*
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+
  signal (send) peer=child-pager,

  network inet dgram,
@ -38,7 +51,10 @@ profile systemd-analyze @{exec_path} {

  owner /tmp/systemd-temporary-*/ rw,

+  @{run}/systemd/generator/ r,
+  @{run}/systemd/private rw,
  @{run}/systemd/system/ r,
+  @{run}/systemd/transient/ r,
  @{run}/systemd/userdb/io.systemd.DynamicUser w,
  @{run}/udev/data/* r,
  @{run}/udev/tags/systemd/ r,
--- a/apparmor.d/groups/ubuntu/update-grub
+++ b/apparmor.d/groups/ubuntu/update-grub
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
 profile update-grub @{exec_path} flags=(complain) {
  include <abstractions/base>
+  include <abstractions/consoles>

  @{exec_path} rm,
  /{usr/,}bin/{,ba,da}sh rix,
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability fsetid,
  capability fowner,
+  capability mknod,
  capability net_admin,
+  capability setfcap,
  capability sys_admin,

  network inet dgram,
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -27,7 +27,7 @@ profile k3s @{exec_path} {
  capability sys_resource,

  ptrace peer=@{profile_name},
-  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
+  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},

  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
  # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@ -16,12 +16,32 @@ profile boltd @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

+  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+  
+  dbus send bus=system path=/org/freedesktop/DBus
+      interface=org.freedesktop.DBus
+      member=RequestName,
+  
+  dbus receive bus=system path=/org/freedesktop/bolt
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+  
+  dbus receive bus=system path=/org/freedesktop/bolt
+      interface=org.freedesktop.bolt1.Manager
+      member=ListDevices,
+  
+  dbus bind bus=system 
+      name=org.freedesktop.bolt,
+
  @{exec_path} mr,

  /var/lib/boltd/{,**} rw,

  owner @{run}/boltd/{,**} rw,

+  @{run}/systemd/notify
  @{run}/systemd/journal/socket w,
  @{run}/udev/data/+thunderbolt:* r,

@ -37,7 +57,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
  @{sys}/devices/platform/**/uevent r,
+  @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

  include if exists <local/boltd>
-}
+}
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,6 +12,7 @@ include <tunables/global>
 profile dkms @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
  include <abstractions/openssl>

  capability dac_read_search,
@ -37,7 +39,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/rmdir      rix,
  /{usr/,}bin/find       rix,
  /{usr/,}bin/{,e}grep   rix,
-  /{usr/,}bin/gawk       rix,
+  /{usr/,}bin/{,g,m}awk  rix,
  /{usr/,}bin/cp         rix,
  /{usr/,}bin/date       rix,
  /{usr/,}bin/ln         rix,
@ -62,6 +64,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
  /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,

+  /var/lib/dkms/**/dkms.postbuild rix,
+
  / r,
  /{usr/,}lib/modules/*/updates/ rw,
  /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
@ -106,6 +110,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) {

    /{usr/,}bin/kmod mr,

+    /etc/depmod.d/{,ubuntu.conf} r,
+    /etc/ssl/openssl.cnf r,
+
    @{PROC}/cmdline r,

    /{usr/,}lib/modules/*/modules.* rw,
--- a/apparmor.d/profiles-a-f/dkms-autoinstaller
+++ b/apparmor.d/profiles-a-f/dkms-autoinstaller
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -13,15 +14,13 @@ profile dkms-autoinstaller @{exec_path} {

  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,
-
-  /{usr/,}bin/readlink   rix,
-  /{usr/,}bin/tput       rix,
+  /{usr/,}{s,}bin/dkms   rPx,
  /{usr/,}bin/echo       rix,
-
-  /{usr/,}{s,}bin/dkms      rPx,
-
+  /{usr/,}bin/plymouth   rix,
+  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/run-parts  rCx -> run-parts,
  /{usr/,}bin/systemctl  rPx -> child-systemctl,
+  /{usr/,}bin/tput       rix,

  # For shell pwd
  / r,
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@ -17,14 +17,40 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>

+  capability sys_nice,
+
  signal (send),

+
+ALLOWED fwupdmgr dbus_method_call org.freedesktop.fwupd send bus=system path=/ interface=org.freedesktop.fwupd member=UpdateMetadata peer_label=unconfined
+
+
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

+  dbus send bus=system path=/
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+  
+  dbus send bus=system path=/
+      interface=org.freedesktop.fwupd
+      member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
+  
+  dbus send bus=system path=/org/freedesktop/systemd[0-9]
+      interface=org.freedesktop.DBus.Properties
+      member=GetAll,
+  
+  dbus send bus=system path=/org/freedesktop/systemd[0-9]
+      interface=org.freedesktop.systemd[0-9].Manager
+      member={GetDefaultTarget,GetUnit},
+
+  dbus receive bus=system path=/
+      interface=org.freedesktop.fwupd
+      member=Changed,
+
  @{exec_path} mr,

  /{usr/,}bin/dbus-launch  rCx -> dbus,
@ -38,6 +64,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
  owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,

  owner @{user_cache_dirs}/ rw,
+        @{user_cache_dirs}/dconf/user rw,
  owner @{user_cache_dirs}/fwupd/ rw,
  owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,

--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -53,10 +54,11 @@ profile mkinitramfs @{exec_path} {
  /{usr/,}bin/xz         rix,
  /{usr/,}bin/zstd       rix,

-  /{usr/,}bin/ldd        rCx -> ldd,
-  /{usr/,}sbin/ldconfig  rCx -> ldconfig,
-  /{usr/,}bin/find       rCx -> find,
-  /{usr/,}bin/kmod       rCx -> kmod,
+  /{usr/,}bin/ldd                  rCx -> ldd,
+  /{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,
+  /{usr/,}sbin/ldconfig            rCx -> ldconfig,
+  /{usr/,}bin/find                 rCx -> find,
+  /{usr/,}bin/kmod                 rCx -> kmod,

  /{usr/,}bin/dpkg          rPx -> child-dpkg,
  /{usr/,}bin/linux-version rPx,
@ -103,7 +105,7 @@ profile mkinitramfs @{exec_path} {
    /{usr/,}lib/initramfs-tools/bin/* mr,

    /{usr/,}lib/@{multiarch}/ld-*.so*  rix,
-    /{usr/,}lib{,x}32/ld-*.so          rix,
+    /{usr/,}lib{,x}32/ld-*.so{,.2}     rix,

  }

--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@ -12,6 +12,7 @@ profile mount-zfs @{exec_path} flags=(complain) {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

+  capability dac_read_search,
  capability sys_admin,  # To mount anything.

  @{exec_path} mr,
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -142,6 +143,7 @@ profile run-parts @{exec_path} {
  profile kernel {
    include <abstractions/base>
    include <abstractions/consoles>
+    include <abstractions/nameservice-strict>

    capability sys_module,

@ -151,7 +153,7 @@ profile run-parts @{exec_path} {
    /{usr/,}bin/chmod      rix,
    /{usr/,}bin/cut        rix,
    /{usr/,}bin/dirname    rix,
-    /{usr/,}bin/gawk       rix,
+    /{usr/,}bin/{,m,g}awk  rix,
    /{usr/,}bin/kmod       rix,
    /{usr/,}bin/mv         rix,
    /{usr/,}bin/rm         rix,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -37,7 +37,7 @@ profile sudo @{exec_path} {

  signal (send) peer=unconfined,
  signal (send) set=(cont,hup) peer=su,
-  signal (send) set=winch peer=apt,
+  signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},

  dbus send bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
 profile zfs @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  
  capability sys_admin,
  capability dac_read_search,
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@ -23,7 +23,8 @@ profile zsysd @{exec_path} flags=(complain) {
  @{exec_path}                   rmix,
  /{usr/,}{local/,}{s,}bin/zfs   rPx,
  /{usr/,}{local/,}{s,}bin/zpool rPx,
-  /{usr/,}{s,}bin/update-grub    rPUx,
+  # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1
+  /{usr/,}{s,}bin/update-grub    rPx,

  /etc/hostid r,
  /etc/zsys.conf r,
@ -35,10 +36,10 @@ profile zsysd @{exec_path} flags=(complain) {
  @{run}/zsys-snapshot.unattended-upgrades rw,
  @{run}/zsysd.sock rw,

-  owner @{PROC}/@{pids}/stat r,
-        @{PROC}/@{pids}/mounts r,
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/spl/hostid r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/mounts r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/spl/hostid r,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,