From 155ef6bef1aafb60dfaaa25d287bbd835a1c0e44 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 5 Sep 2023 16:42:06 +0100
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/bus/dbus-daemon | 12 +++++++-----
 .../groups/freedesktop/polkit-agent-helper | 3 ++-
 apparmor.d/groups/gnome/nautilus | 2 ++
 apparmor.d/groups/kde/kioslave5 | 2 +-
 apparmor.d/groups/systemd/hostnamectl | 15 +++++++++++++++
 apparmor.d/groups/systemd/systemd-hostnamed | 1 +
 .../groups/systemd/systemd-machine-id-setup | 2 +-
 apparmor.d/groups/systemd/systemd-networkd | 3 ++-
 apparmor.d/groups/systemd/systemd-oomd | 1 +
 apparmor.d/groups/systemd/systemd-remount-fs | 4 +++-
 apparmor.d/groups/systemd/systemd-udevd | 11 ++++++++---
 apparmor.d/profiles-a-f/aa-enforce | 2 +-
 apparmor.d/profiles-a-f/cracklib-packer | 2 ++
 apparmor.d/profiles-a-f/fwupd | 19 +++++++------------
 apparmor.d/profiles-g-l/hostname | 2 ++
 apparmor.d/profiles-g-l/landscape-sysinfo | 1 +
 apparmor.d/profiles-m-r/multipath | 7 +++++--
 apparmor.d/profiles-m-r/multipathd | 4 +++-
 apparmor.d/profiles-s-z/snap | 1 +
 apparmor.d/profiles-s-z/snap-failure | 5 ++---
 apparmor.d/profiles-s-z/snap-update-ns | 11 +++++++----
 apparmor.d/profiles-s-z/snapd | 8 +++-----
 apparmor.d/profiles-s-z/swapon | 3 ++-
 apparmor.d/profiles-s-z/update-cracklib | 5 ++++-
 24 files changed, 83 insertions(+), 43 deletions(-)

diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index e8aed94d..2ace3c8a 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -21,6 +21,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 capability setuid,
 capability sys_resource,
+ network netlink raw,
+
+ network bluetooth stream,
+ network bluetooth seqpacket,
+
 signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
 signal (receive) set=(term hup kill) peer=dbus-run-session,
 signal (receive) set=(term hup kill) peer=gdm*,
@@ -29,13 +34,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(term hup kill) peer=dconf-service,
 signal (send) set=(term hup kill) peer=xdg-permission-store,
- network netlink raw,
-
- network bluetooth stream,
- network bluetooth seqpacket,
-
 ptrace (read),
+ unix (send receive accept) type=stream,
+
 @{exec_path} mr,
 @{bin}/ r,
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index ecd21026..2678100a 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -25,9 +25,10 @@ profile polkit-agent-helper @{exec_path} {
 network netlink raw,
- signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
 signal (receive) set=(term, kill) peer=gnome-shell,
 signal (receive) set=(term, kill) peer=pkexec,
+ signal (receive) set=(term, kill) peer=pkttyagent,
+ signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
 dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
 interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 5eab496a..ebc8c64a 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -59,6 +59,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 /usr/share/thumbnailers/{,**} r,
 /usr/share/tracker*/{,**} r,
+ /etc/fstab r,
+
 /var/cache/fontconfig/ r,
 /var/lib/snapd/desktop/icons/{,**} r,
diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5
index 84ad72a6..5f868514 100644
--- a/apparmor.d/groups/kde/kioslave5
+++ b/apparmor.d/groups/kde/kioslave5
@@ -19,9 +19,9 @@ profile kioslave5 @{exec_path} {
 include
 include
 include
+ include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index 7f1bf1dc..fb4bbd20 100644
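Review bot: The new `unix (send receive accept) type=stream,` rule in this hunk carries no `peer=` or `addr=` qualifier, so it admits a stream-socket peer of any label. For the bus broker that is probably the intent, since every confined client has to reach it, but a one-line comment such as `# any confined client may connect to the bus; access control is done by the bus policy` above the rule would stop a later reader from "tightening" it. Note also that `accept` alone does not cover the listening side: confirm that `create`, `bind` and `listen` for the bus socket are granted elsewhere in the profile or by an included abstraction, as neither is visible in this hunk. The profile body continues outside the hunk.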
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -19,6 +19,21 @@ profile hostnamectl @{exec_path} {
 member=Set*Hostname
 peer=(name=org.freedesktop.hostname1),
+ dbus send bus=system path=/org/freedesktop/hostname1
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=org.freedesktop.hostname1),
+
+ dbus send bus=system path=/org/freedesktop/hostname1
+ interface=org.freedesktop.hostname1
+ member=Set*Hostname
+ peer=(name=org.freedesktop.hostname1),
+
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name=org.freedesktop.systemd1),
+
 @{exec_path} mr,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index a3ea5768..573ac094 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -54,6 +54,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/{product_name,product_version,chassis_type} r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/uevent r,
+ @{sys}/firmware/acpi/pm_profile r,
 @{sys}/firmware/dmi/entries/*/raw r,
 include if exists
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index 328a5a70..80d909a1 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -19,7 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
 ptrace (read),
- mount /,
+ mount flags=(rw rslave) -> /,
 umount /etc/machine-id,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 137c9127..88007715 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
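Review bot: The second added rule in the hostnamectl hunk, `dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=Set*Hostname peer=(name=org.freedesktop.hostname1),`, appears to repeat the rule whose tail (`member=Set*Hostname` / `peer=(name=org.freedesktop.hostname1),`) is the context at the top of the hunk. That earlier rule's `dbus send` and `interface=` lines lie before the hunk, so its path and interface cannot be confirmed from here; if they are the same, the new copy is redundant and should be dropped so the profile does not carry two rules to keep in sync. The `DBus.Properties {Get,GetAll}` and `systemd1 GetAll` additions are new and look like what `hostnamectl status` needs.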
@@ -65,7 +65,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 owner @{run}/systemd/netif/.#state* rw,
 owner @{run}/systemd/netif/leases/{,*} rw,
 owner @{run}/systemd/netif/links/{,*} rw,
- owner @{run}/systemd/netif/lldp/ rw,
+ owner @{run}/systemd/netif/lldp/{,*} rw,
 owner @{run}/systemd/netif/state rw,
 @{run}/udev/data/n@{int} r,
@@ -74,6 +74,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/devices/pci[0-9]*/**/ r,
 @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
 @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
 @{PROC}/sys/net/ipv{4,6}/** rw,
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index d81c2669..dc3b9ad1 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -33,6 +33,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/memory.pressure r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}0.service/memory.* r,
 @{PROC}/pressure/{cpu,io,memory} r,
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
index b11fa2d8..5c28ada1 100644
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -30,6 +30,8 @@ profile systemd-remount-fs @{exec_path} {
 @{run}/mount/utab.@{rand6} rw,
 @{run}/mount/utab.lock rwk,
+ @{sys}/devices/virtual/block/dm-@{int}/dm/name r,
+
 @{PROC}/ r,
 @{PROC}/1/cmdline r,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 308b4788..43fcdf62 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
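Review bot: The added systemd-oomd cgroup path `user.slice/user-@{uid}.slice/user@@{uid}0.service/memory.*` has a stray `0` after `@{uid}` in the unit name: the slice segment uses `user-@{uid}.slice` but the service segment uses `user@@{uid}0.service`, while systemd names the unit `user@<uid>.service`. Whether it still matches depends on how `@{uid}` is defined in the tunables, which are outside this diff (a pattern ending in `[0-9]*` would absorb the extra digit, a fixed-width one would not), and either way it does not say what was meant. The consistent form is `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,`.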
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -37,23 +37,28 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/{,ba,da}sh rix,
 @{bin}/{,e}grep rix,
+ @{bin}/*-print-pci-ids rix,
 @{bin}/cat rix,
 @{bin}/chgrp rix,
 @{bin}/chmod rix,
 @{bin}/cut rix,
+ @{bin}/dmsetup rPUx,
 @{bin}/ln rix,
 @{bin}/logger rix,
+ @{bin}/lvm rPx,
 @{bin}/mknod rPx,
+ @{bin}/multipath rPx,
 @{bin}/nohup rix,
 @{bin}/perl rix,
 @{bin}/readlink rix,
+ @{bin}/sed rix,
 @{bin}/setfacl rix,
+ @{bin}/sg_inq rix,
 @{bin}/snap rPx,
- @{bin}/unshare rix,
- @{bin}/lvm rPx,
+ @{bin}/systemctl rCx -> systemctl,
 @{bin}/touch rix,
+ @{bin}/unshare rix,
- @{bin}/systemctl rCx -> systemctl,
 @{lib}/crda/* rPUx,
 @{lib}/gdm-runtime-config rPx,
 @{lib}/nfsrahead rPUx,
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce
index 502d56bf..32a25ef1 100644
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@@ -19,7 +19,7 @@ profile aa-enforce @{exec_path} {
 @{bin}/ r,
 @{bin}/apparmor_parser rPx,
- /usr/share/terminfo/x/xterm-256color r,
+ /usr/share/terminfo/x/* r,
 /etc/apparmor/logprof.conf r,
 /etc/apparmor.d/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer
index 9b347c66..95fee423 100644
--- a/apparmor.d/profiles-a-f/cracklib-packer
+++ b/apparmor.d/profiles-a-f/cracklib-packer
@@ -12,5 +12,7 @@ profile cracklib-packer @{exec_path} {
 @{exec_path} mr,
+ owner /var/cache/cracklib/{,**} rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index a6b12dff..a51ef8c9 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
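Review bot: In the systemd-udevd hunk, `@{bin}/*-print-pci-ids rix` executes any binary in `@{bin}` whose name ends in `-print-pci-ids` inside udevd's own profile, and `@{bin}/dmsetup rPUx` falls back to unconfined when no dmsetup profile is loaded, while the sibling `lvm` and `multipath` entries added in the same hunk use `rPx`. Naming the concrete helper(s) instead of the glob, and using `rPx` for dmsetup if the project ships a profile for it (a `rCx` child otherwise), would keep the storage helpers confined consistently; the profile is in complain mode, so today a mismatch only shows up as log noise. `@{bin}/sg_inq rix` likewise runs SCSI INQUIRY with udevd's full capability set, which is probably acceptable for a root daemon but deserves a why-comment such as `# udev rule helpers for multipath / sg3-utils` next to the group.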
@@ -30,7 +30,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
- member={GetConnectionUnixUser,RemoveMatch,RequestName}
+ member={GetConnectionUnixUser,RemoveMatch,RequestName,ReleaseName}
 peer=(name=org.freedesktop.DBus),
 dbus send bus=system path=/org/freedesktop/ModemManager1
@@ -54,19 +54,11 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 interface=org.freedesktop.DBus.Properties
 member=GetAll,
- dbus send bus=system path=/
- interface=org.freedesktop.fwupd
- member=Changed
- peer=(label=fwupdmgr),
-
 dbus send bus=system path=/
 interface=org.freedesktop.DBus
 member=Changed
 peer=(label=fwupdmgr),
- dbus receive bus=system path=/
- interface=org.freedesktop.fwupd,
-
 dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.DBus.Properties
 member={Changed,GetAll}
@@ -77,8 +69,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 member={GetAll,SetHints,GetPlugins,GetRemotes}
 peer=(name=:*, label=fwupdmgr),
- dbus bind bus=system
- name=org.freedesktop.fwupd,
+ dbus (send, receive) bus=system
+ interface=org.freedesktop.fwupd,
+
+ dbus bind bus=system name=org.freedesktop.fwupd,
 @{exec_path} mr,
@@ -150,6 +144,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /dev/drm_dp_aux@{int} rw,
 /dev/gpiochip@{int} r,
 /dev/hidraw@{int} rw,
+ /dev/ipmi@{int} rwk,
 /dev/mei@{int} rw,
 /dev/mem r,
 /dev/mtd@{int} rw,
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname
index 814bd0b5..8134a23a 100644
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@@ -14,6 +14,8 @@ profile hostname @{exec_path} {
 capability sys_admin,
+ network inet dgram,
+ # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, @{exec_path} mr,
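Review bot: In the fwupd `@@ -77,8 +69,10 @@` hunk, `dbus (send, receive) bus=system interface=org.freedesktop.fwupd,` replaces rules that were pinned to `path=/` and, on the send side, to `peer=(label=fwupdmgr)`; the replacement is qualified by neither path nor peer. Dropping the peer label is reasonable because fwupd owns the name (the `dbus bind` directly below) and its signals are broadcast, but if fwupd only exports objects at `/`, as the removed rules suggest, `dbus (send, receive) bus=system path=/ interface=org.freedesktop.fwupd,` keeps the same functionality with one fewer degree of freedom. A comment stating that any client may call this interface because authorisation is delegated to polkit would also spare the next reader from re-deriving why the rule is this wide.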
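Review bot: In the fwupd `@@ -150,6 +144,7 @@` hunk, `/dev/ipmi@{int} rwk` grants fwupd read/write (and lock) on the IPMI device node, i.e. direct BMC access, which is a materially larger grant than the neighbouring `hidraw` and `mei` nodes, and nothing in the hunk says which plugin needs it. A why-comment such as `/dev/ipmi@{int} rwk, # BMC access for the IPMI-backed plugin (TODO: name the plugin)` would record the scope so the line is not silently kept once that plugin is disabled. The `k` permission is unusual for a character device; confirm the plugin actually takes a file lock on the node before keeping it.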
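Review bot: In the hostname hunk, `network inet dgram,` covers only IPv4 UDP; if `hostname -f`/`-i` resolves through glibc against an IPv6 nameserver listed in resolv.conf, the resolver opens an `inet6 dgram` socket and that lookup will be denied. Consider adding `network inet6 dgram,` next to it. The existing `# network ip=127.0.0.1:53, TODO: abi 4.0` comment already records the intent to narrow this to the local resolver once that syntax is usable, so a matching `[::1]:53` note there would keep the two in step.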
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo
index 428f1945..5d57dcd4 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@@ -32,6 +32,7 @@ profile landscape-sysinfo @{exec_path} {
 @{run}/utmp rwk,
 @{sys}/class/thermal/ r,
+ @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
 @{PROC}/ r,
 @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath
index 49d41be3..8b4d259f 100644
--- a/apparmor.d/profiles-m-r/multipath
+++ b/apparmor.d/profiles-m-r/multipath
@@ -7,17 +7,20 @@ abi ,
 include
 @{exec_path} = @{bin}/multipath
-profile multipath @{exec_path} {
+profile multipath @{exec_path} flags=(attach_disconnected) {
 include
 include
 capability sys_admin,
 capability sys_resource,
+ unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
+
 @{exec_path} mr,
 /etc/multipath.conf r,
- /etc/multipath/bindings rwk,
+ /etc/multipath/ r,
+ /etc/multipath/* rwk,
 /etc/systemd/system/ r,
 @{run}/systemd/system/ r,
diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd
index 6c2b77bb..c78d6c8c 100644
--- a/apparmor.d/profiles-m-r/multipathd
+++ b/apparmor.d/profiles-m-r/multipathd
@@ -15,6 +15,7 @@ profile multipathd @{exec_path} {
 capability net_admin,
 capability sys_admin,
 capability sys_nice,
+ capability sys_rawio,
 capability sys_resource,
 network netlink raw,
@@ -24,7 +25,8 @@ profile multipathd @{exec_path} {
 @{exec_path} mr,
 /etc/multipath.conf r,
- /etc/multipath/bindings rwk,
+ /etc/multipath/ r,
+ /etc/multipath/* rwk,
 /etc/systemd/system/ r,
 @{run}/multipathd.pid rwk,
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index d3809fff..193ece95 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
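Review bot: In the multipath hunk, `/etc/multipath/* rwk` does not descend into subdirectories, so if the tool reads drop-in configuration from `/etc/multipath/conf.d/*.conf` (the default `config_dir` documented in multipath.conf(5)), those reads are still not covered after this change; `/etc/multipath/conf.d/{,*.conf} r,` would close that gap without extending write access. The same `bindings` to `*` widening is applied to multipathd in the next hunk, so the two profiles stay consistent. The new unix rule scoped to `@/org/kernel/linux/storage/multipathd` is a good, tight way to reach the daemon's abstract socket.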
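Review bot: In the multipathd `@@ -15,6 +15,7 @@` hunk, `capability sys_rawio,` is a strong grant (raw I/O and unrestricted SG_IO ioctls on block devices) and is added between `sys_nice` and `sys_resource` without explanation; presumably it is for the SCSI pass-through path checkers, but the hunk does not say. Add a why-comment, e.g. `capability sys_rawio, # SG_IO on path devices for the tur/other checkers`, adjusted to whichever checker actually triggered the denial, so a later audit does not have to rediscover the reason.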
@@ -18,6 +18,7 @@ profile snap @{exec_path} {
 include
 include
+ capability dac_read_search,
 capability sys_admin,
 unix (send, receive) type=stream peer=(label=apt),
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
index 22e0265d..3324f784 100644
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -14,9 +14,8 @@ profile snap-failure @{exec_path} {
 @{exec_path} mr,
- @{bin}/systemctl rPx -> child-systemctl,
-
- @{lib_dirs}/snapd/snapd rPx,
+ @{bin}/systemctl rPx -> child-systemctl,
+ @{lib_dirs}/snapd/snapd rPx -> snapd,
 /var/lib/snapd/sequence/snapd.json r,
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
index 92349fb1..1954777a 100644
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -18,18 +18,21 @@ profile snap-update-ns @{exec_path} {
 network netlink raw,
- mount -> /snap/**/,
- mount -> /usr/**/,
+ mount -> /boot/,
+ mount -> /snap/**,
+ mount -> /tmp/.snap/**,
+ mount -> /usr/**,
 mount -> /var/lib/dhcp/,
- mount /snap/**/ -> /tmp/.snap/**,
- umount /snap/**/,
+ umount /snap/**,
 umount /var/lib/dhcp/,
 @{exec_path} mr,
 /var/lib/snapd/mount/{,*} r,
+ / r,
 /snap/{,**} rw,
+ /tmp/ r,
 /tmp/.snap/{,**} rwk,
 @{run}/snapd/lock/*.lock rwk,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 0dc5a686..1eaaee5b 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -64,7 +64,6 @@ profile snapd @{exec_path} {
 @{exec_path} mrix,
 @{bin}/adduser rPx,
- @{bin}/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
 @{bin}/groupadd rPx,
 @{bin}/hostnamectl rPx,
 @{bin}/ssh-keygen rPx,
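Review bot: In the snap-update-ns hunk, the rewritten mount rules drop the source restriction the old `mount /snap/**/ -> /tmp/.snap/**,` carried, and none of the new `mount -> /boot/`, `mount -> /snap/**`, `mount -> /tmp/.snap/**`, `mount -> /usr/**` rules constrain source, fstype or flags, so the profile now permits any filesystem from any source onto those targets. snap-update-ns does its work inside a snap's private mount namespace, which limits the blast radius, but the rules could still record what it actually performs; as far as I know that is bind mounts of snap content plus tmpfs for write mimics, so rules shaped like `mount options=(bind, rw) /snap/** -> /tmp/.snap/**,` and `mount fstype=tmpfs -> /usr/**,` would keep the behaviour while documenting it, and are worth checking against the real denials before adopting. Dropping the trailing `/` from `/snap/**/` and `/usr/**/` also widens the targets from directories to files, presumably for file bind mounts; a one-line comment saying so would stop the next reviewer from restoring the slash.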
@@ -93,9 +92,9 @@ profile snapd @{exec_path} {
 @{lib_dirs}/@{multiarch}/** mr,
 @{lib_dirs}/@{multiarch}/ld-*.so rix,
 @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
- @{lib_dirs}/snapd/snap-discard-ns rPx,
- @{lib_dirs}/snapd/snap-seccomp rPx,
- @{lib_dirs}/snapd/snap-update-ns rPx,
+ @{lib_dirs}/snapd/snap-discard-ns rPx -> snap-discard-ns,
+ @{lib_dirs}/snapd/snap-seccomp rPx -> snap-seccomp,
+ @{lib_dirs}/snapd/snap-update-ns rPx -> snap-update-ns,
 /usr/share/bash-completion/{,**} r,
 /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
@@ -129,7 +128,6 @@ profile snapd @{exec_path} {
 /tmp/syscheck-squashfs-[0-9]* rw,
 /tmp/read-file[0-9]*/{,**} rw,
- /boot/ r,
 /boot/grub/grubenv r,
diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/profiles-s-z/swapon
index 596e2cc1..acd2d218 100644
--- a/apparmor.d/profiles-s-z/swapon
+++ b/apparmor.d/profiles-s-z/swapon
@@ -18,8 +18,9 @@ profile swapon @{exec_path} {
 /etc/fstab r,
- owner /swapfile rw,
+ owner /swap.img rw,
 owner /swap/swapfile rw,
+ owner /swapfile rw,
 @{PROC}/swaps r,
diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib
index eab60047..891e0742 100644
--- a/apparmor.d/profiles-s-z/update-cracklib
+++ b/apparmor.d/profiles-s-z/update-cracklib
@@ -21,6 +21,7 @@ profile update-cracklib @{exec_path} {
 @{bin}/find rix,
 @{bin}/grep rix,
 @{bin}/gzip rix,
+ @{bin}/install rix,
 @{bin}/sort rix,
 @{bin}/tr rix,
@@ -30,7 +31,9 @@ profile update-cracklib @{exec_path} {
 /etc/magic r,
 /etc/cracklib/cracklib.conf r,
- /var/cache/cracklib/{,**} rw,
+ owner /var/cache/cracklib/{,**} rw,
+
+ owner /tmp/sort@{rand6} rw,
 include if exists
 }
\ No newline at end of file