From 14e9fea29a28cd4049ba3542e1d38209ed3e5914 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 11 Dec 2024 23:17:27 +0100
Subject: [PATCH] feat: improve dbus integration for chsh, better handling of generic needrestart.

---
 .github/local/needrestart | 2 ++
 .github/workflows/main.yml | 1 +
 apparmor.d/profiles-a-f/chsh | 8 +++++++-
 apparmor.d/profiles-m-r/needrestart | 3 +--
 apparmor.d/profiles-s-z/snapd | 1 +
 5 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 .github/local/needrestart

diff --git a/.github/local/needrestart b/.github/local/needrestart
new file mode 100644
index 00000000..33b23e01
--- /dev/null
+++ b/.github/local/needrestart
@@ -0,0 +1,2 @@
+
+ /var/lib/waagent/** r,
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c7a76f87..75fa5c05 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -94,6 +94,7 @@ jobs:
 sudo apt-get install -y \
 apparmor-profiles apparmor-utils \
 bats bats-support
+ sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart
 - name: Install apparmor.d
 run: |
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index e124e4d1..bf2b92a9 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
@@ -10,18 +10,24 @@ include
 @{exec_path} = @{bin}/chsh
 profile chsh @{exec_path} {
 include
- include
 include
+ include
+ include
 include
 include
 capability audit_write,
 capability chown,
 capability fsetid,
+ capability net_admin,
 capability setuid,
 network netlink raw,
+ unix type=stream addr=@@{udbus}/bus/chsh/system,
+
+ #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
+
 @{exec_path} mr,
 /etc/shells r,
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index cc411ef8..56f95b58 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
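Review bot: The new local override grants needrestart read access to `/var/lib/waagent/**` without a comment saying why, and because the workflow hunk in this same patch installs the file straight into `/etc/apparmor.d/local/needrestart`, a reader of the installed file cannot tell it is a CI runner artefact rather than a general rule. A one-line header such as `# CI only: the GitHub runner image keeps cloud-agent state under /var/lib/waagent` in place of the leading blank line would make the scope explicit. Whether needrestart also needs this on ordinary hosts that run the same agent is not visible from the patch; if it does, the rule belongs in the main profile rather than a local override.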
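Review bot: `capability net_admin,` in the chsh hunk is a broad grant for a setuid tool that edits the password database, and neither the hunk nor the commit message ties it to the D-Bus change that motivated the patch. If the request comes from the audit netlink socket the profile already allows (`network netlink raw,` alongside `capability audit_write,`), a why-comment would keep the next maintainer from dropping or widening it, e.g. `capability net_admin, # audit netlink socket — TODO confirm against the audit log`; if the capability is only probed and not required for chsh to succeed, `deny capability net_admin,` would quiet the log without enlarging the privilege set. The abstraction names on the `include` lines are not legible in this rendering, so the replacement of one abstraction by two cannot be reviewed here. The chsh profile block continues past the end of the hunk.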
@@ -26,6 +26,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
+ @{bin}/* r,
 @{sh_path} rix,
 @{bin}/dpkg-query rpx,
 @{bin}/fail2ban-server rPx,
@@ -42,8 +43,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 @{lib}/needrestart/* rPx,
 /usr/share/debconf/frontend rix,
- @{bin}/networkd-dispatcher r,
- @{bin}/gettext.sh r,
 /usr/share/needrestart/{,**} r,
 /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 63a1568b..fe24ed06 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -93,6 +93,7 @@ profile snapd @{exec_path} {
 @{lib_dirs}/snapd/snap-update-ns rPx,
 /usr/share/bash-completion/{,**} r,
+ /usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw,
 /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
 /usr/share/dbus-1/services/*snap* r,
 /usr/share/polkit-1/actions/{,**/} r,
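Review bot: `@{bin}/* r,` in the first needrestart hunk replaces the two targeted reads the second hunk removes (`@{bin}/networkd-dispatcher r,` and `@{bin}/gettext.sh r,`) with read access to every file directly under `@{bin}`, and nothing in the patch records why needrestart has to read arbitrary binaries rather than the specific scripts it sources. The widening is contained because the rule carries no execute permission, so execution stays governed by the existing `rix`/`rPx`/`rpx` rules, but a why-comment would preserve the intent, e.g. `@{bin}/* r, # scripts and interpreters needrestart sources or inspects — TODO confirm`. The needrestart profile block begins and ends outside both hunks.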
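Review bot: The path component `{system,session}.d.d/` in the new snapd rule looks like a typo for `{system,session}.d/`: the context line directly below it reads `/usr/share/dbus-1/{system,session}.d/{,snapd*} r,`, and with the doubled `.d` the new `rw` rule would only match a directory the patch gives no evidence exists, so the write it was meant to allow would still be denied. If the intent is write access to snapd's bus policy files, the line would be `/usr/share/dbus-1/{system,session}.d/snapd.{system,session}-services.conf* rw,`. Write access to a D-Bus policy directory also deserves a comment, since those files decide which peers may own and call bus names; something like `# snapd installs D-Bus policy for snap-provided bus services` would record why a confined daemon is granted it. The snapd profile block begins and ends outside the hunk.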