feat(profiles): general update.

Alexandre Pujol 2023-09-05 16:42:06 +01:00
parent 1fb5475ad1
commit 155ef6bef1
24 changed files with 83 additions and 43 deletions


@ -21,6 +21,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
capability setuid, capability setuid,
capability sys_resource, capability sys_resource,
network netlink raw,
network bluetooth stream,
network bluetooth seqpacket,
signal (receive) set=(term hup kill) peer=at-spi-bus-launcher, signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
signal (receive) set=(term hup kill) peer=dbus-run-session, signal (receive) set=(term hup kill) peer=dbus-run-session,
signal (receive) set=(term hup kill) peer=gdm*, signal (receive) set=(term hup kill) peer=gdm*,
@ -29,13 +34,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=dconf-service,
signal (send) set=(term hup kill) peer=xdg-permission-store, signal (send) set=(term hup kill) peer=xdg-permission-store,
network netlink raw,
network bluetooth stream,
network bluetooth seqpacket,
ptrace (read), ptrace (read),
unix (send receive accept) type=stream,
@{exec_path} mr, @{exec_path} mr,
@{bin}/ r, @{bin}/ r,
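Review bot: The new `unix (send receive accept) type=stream,` rule in the second hunk has no `peer=` or `addr=` qualifier, so it admits stream-socket traffic with any peer rather than the specific sockets dbus-daemon listens on or connects to. The logged denial that motivated it will have carried an address or a peer label; narrowing the rule with that `addr=` or a `peer=(label=…)` keeps the grant specific. The `network netlink raw` and bluetooth lines are only moved between the two hunks, so no comment on those.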


@ -25,9 +25,10 @@ profile polkit-agent-helper @{exec_path} {
network netlink raw, network netlink raw,
signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=gnome-shell,
signal (receive) set=(term, kill) peer=pkexec, signal (receive) set=(term, kill) peer=pkexec,
signal (receive) set=(term, kill) peer=pkttyagent,
signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties


@ -59,6 +59,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
/usr/share/thumbnailers/{,**} r, /usr/share/thumbnailers/{,**} r,
/usr/share/tracker*/{,**} r, /usr/share/tracker*/{,**} r,
/etc/fstab r,
/var/cache/fontconfig/ r, /var/cache/fontconfig/ r,
/var/lib/snapd/desktop/icons/{,**} r, /var/lib/snapd/desktop/icons/{,**} r,


@ -19,9 +19,9 @@ profile kioslave5 @{exec_path} {
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/qt5> include <abstractions/qt5>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
include <abstractions/trash> include <abstractions/trash>
include <abstractions/vulkan> include <abstractions/vulkan>
include <abstractions/thumbnails-cache-read>
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,


@ -19,6 +19,21 @@ profile hostnamectl @{exec_path} {
member=Set*Hostname member=Set*Hostname
peer=(name=org.freedesktop.hostname1), peer=(name=org.freedesktop.hostname1),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.hostname1),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=Set*Hostname
peer=(name=org.freedesktop.hostname1),
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.systemd1),
@{exec_path} mr, @{exec_path} mr,
/etc/machine-id r, /etc/machine-id r,
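Review bot: The added `dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=Set*Hostname peer=(name=org.freedesktop.hostname1),` looks like a duplicate of the rule whose tail (`member=Set*Hostname` / `peer=(name=org.freedesktop.hostname1),`) forms the context at the top of this hunk. That earlier rule's `path=` and `interface=` lines are outside the hunk, so this is inferred; if they match, one copy should go. The new `member={Get,GetAll}` rule on the Properties interface and the `GetAll` rule toward `org.freedesktop.systemd1` are read-only and uncontroversial.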


@ -54,6 +54,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/{product_name,product_version,chassis_type} r, @{sys}/devices/virtual/dmi/id/{product_name,product_version,chassis_type} r,
@{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/devices/virtual/dmi/id/uevent r, @{sys}/devices/virtual/dmi/id/uevent r,
@{sys}/firmware/acpi/pm_profile r,
@{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/dmi/entries/*/raw r,
include if exists <local/systemd-hostnamed> include if exists <local/systemd-hostnamed>


@ -19,7 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
ptrace (read), ptrace (read),
mount /, mount flags=(rw rslave) -> /,
umount /etc/machine-id, umount /etc/machine-id,
@{exec_path} mr, @{exec_path} mr,


@ -65,7 +65,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
owner @{run}/systemd/netif/.#state* rw, owner @{run}/systemd/netif/.#state* rw,
owner @{run}/systemd/netif/leases/{,*} rw, owner @{run}/systemd/netif/leases/{,*} rw,
owner @{run}/systemd/netif/links/{,*} rw, owner @{run}/systemd/netif/links/{,*} rw,
owner @{run}/systemd/netif/lldp/ rw, owner @{run}/systemd/netif/lldp/{,*} rw,
owner @{run}/systemd/netif/state rw, owner @{run}/systemd/netif/state rw,
@{run}/udev/data/n@{int} r, @{run}/udev/data/n@{int} r,
@ -74,6 +74,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
@{sys}/devices/pci[0-9]*/**/ r, @{sys}/devices/pci[0-9]*/**/ r,
@{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
@{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_name r,
@{sys}/devices/virtual/dmi/id/product_version r,
@{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/net/ipv{4,6}/** rw,


@ -33,6 +33,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
@{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/memory.pressure r, @{sys}/fs/cgroup/memory.pressure r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}0.service/memory.* r,
@{PROC}/pressure/{cpu,io,memory} r, @{PROC}/pressure/{cpu,io,memory} r,
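Review bot: The added path `user.slice/user-@{uid}.slice/user@@{uid}0.service/memory.*` has a literal `0` between the `@{uid}` expansion and `.service`, which reads like a typo for `user@@{uid}.service`: the per-user manager unit is `user@<uid>.service`, so as written the rule matches only unit names carrying an extra trailing digit, or nothing at all depending on how `@{uid}` is defined in the tunables (not part of this diff). Worth checking against the denial that prompted it; if the digit is unintended the line should be `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,`.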


@ -1,5 +1,5 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -30,6 +30,8 @@ profile systemd-remount-fs @{exec_path} {
@{run}/mount/utab.@{rand6} rw, @{run}/mount/utab.@{rand6} rw,
@{run}/mount/utab.lock rwk, @{run}/mount/utab.lock rwk,
@{sys}/devices/virtual/block/dm-@{int}/dm/name r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/1/cmdline r, @{PROC}/1/cmdline r,


@ -37,23 +37,28 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{bin}/{,ba,da}sh rix, @{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@{bin}/*-print-pci-ids rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/chgrp rix, @{bin}/chgrp rix,
@{bin}/chmod rix, @{bin}/chmod rix,
@{bin}/cut rix, @{bin}/cut rix,
@{bin}/dmsetup rPUx,
@{bin}/ln rix, @{bin}/ln rix,
@{bin}/logger rix, @{bin}/logger rix,
@{bin}/lvm rPx,
@{bin}/mknod rPx, @{bin}/mknod rPx,
@{bin}/multipath rPx,
@{bin}/nohup rix, @{bin}/nohup rix,
@{bin}/perl rix, @{bin}/perl rix,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/sed rix,
@{bin}/setfacl rix, @{bin}/setfacl rix,
@{bin}/sg_inq rix,
@{bin}/snap rPx, @{bin}/snap rPx,
@{bin}/unshare rix, @{bin}/systemctl rCx -> systemctl,
@{bin}/lvm rPx,
@{bin}/touch rix, @{bin}/touch rix,
@{bin}/unshare rix,
@{bin}/systemctl rCx -> systemctl,
@{lib}/crda/* rPUx, @{lib}/crda/* rPUx,
@{lib}/gdm-runtime-config rPx, @{lib}/gdm-runtime-config rPx,
@{lib}/nfsrahead rPUx, @{lib}/nfsrahead rPUx,
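Review bot: `@{bin}/*-print-pci-ids rix,` combines a glob with inherit (`ix`), so any executable in `@{bin}` whose name ends in `-print-pci-ids` runs under systemd-udevd's full ruleset and capabilities; naming the helper(s) this was observed for, or confining them through `rPx` to their own profile, stops the glob from acting as an open extension point. Secondarily, the new `@{bin}/dmsetup rPUx,` falls back to unconfined when no dmsetup profile is loaded, while `lvm` and the new `multipath` entry use `rPx`; if a dmsetup profile exists in the set, `rPx` would be the consistent choice.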


@ -19,7 +19,7 @@ profile aa-enforce @{exec_path} {
@{bin}/ r, @{bin}/ r,
@{bin}/apparmor_parser rPx, @{bin}/apparmor_parser rPx,
/usr/share/terminfo/x/xterm-256color r, /usr/share/terminfo/x/* r,
/etc/apparmor/logprof.conf r, /etc/apparmor/logprof.conf r,
/etc/apparmor.d/{,**} rw, /etc/apparmor.d/{,**} rw,


@ -12,5 +12,7 @@ profile cracklib-packer @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
owner /var/cache/cracklib/{,**} rw,
include if exists <local/cracklib-packer> include if exists <local/cracklib-packer>
} }


@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2022 Mikhail Morfikov # Copyright (C) 2020-2022 Mikhail Morfikov
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -30,7 +30,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member={GetConnectionUnixUser,RemoveMatch,RequestName} member={GetConnectionUnixUser,RemoveMatch,RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus), peer=(name=org.freedesktop.DBus),
dbus send bus=system path=/org/freedesktop/ModemManager1 dbus send bus=system path=/org/freedesktop/ModemManager1
@ -54,19 +54,11 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=GetAll, member=GetAll,
dbus send bus=system path=/
interface=org.freedesktop.fwupd
member=Changed
peer=(label=fwupdmgr),
dbus send bus=system path=/ dbus send bus=system path=/
interface=org.freedesktop.DBus interface=org.freedesktop.DBus
member=Changed member=Changed
peer=(label=fwupdmgr), peer=(label=fwupdmgr),
dbus receive bus=system path=/
interface=org.freedesktop.fwupd,
dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member={Changed,GetAll} member={Changed,GetAll}
@ -77,8 +69,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
member={GetAll,SetHints,GetPlugins,GetRemotes} member={GetAll,SetHints,GetPlugins,GetRemotes}
peer=(name=:*, label=fwupdmgr), peer=(name=:*, label=fwupdmgr),
dbus bind bus=system dbus (send, receive) bus=system
name=org.freedesktop.fwupd, interface=org.freedesktop.fwupd,
dbus bind bus=system name=org.freedesktop.fwupd,
@{exec_path} mr, @{exec_path} mr,
@ -150,6 +144,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
/dev/drm_dp_aux@{int} rw, /dev/drm_dp_aux@{int} rw,
/dev/gpiochip@{int} r, /dev/gpiochip@{int} r,
/dev/hidraw@{int} rw, /dev/hidraw@{int} rw,
/dev/ipmi@{int} rwk,
/dev/mei@{int} rw, /dev/mei@{int} rw,
/dev/mem r, /dev/mem r,
/dev/mtd@{int} rw, /dev/mtd@{int} rw,
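Review bot: The new `dbus (send, receive) bus=system interface=org.freedesktop.fwupd,` rule in the third hunk has no `path=` or `peer=` qualifier and replaces a receive-only rule, so it now also allows sending any method or signal on that interface to any peer. Splitting it back into a `receive` rule plus a `send` rule limited to the members fwupd actually emits (the `Changed` signal is the one visible here) would keep the old coverage without the open send side. Separately, the retained `dbus send bus=system path=/ interface=org.freedesktop.DBus member=Changed peer=(label=fwupdmgr),` names a member that, as far as I know, does not exist on the `org.freedesktop.DBus` interface — `Changed` belongs to `org.freedesktop.fwupd` — so the rule deleted just above it was probably the effective one and the new blanket rule is what covers it now.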


@ -14,6 +14,8 @@ profile hostname @{exec_path} {
capability sys_admin, capability sys_admin,
network inet dgram,
# network ip=127.0.0.1:53, TODO: abi 4.0
network netlink raw, network netlink raw,
@{exec_path} mr, @{exec_path} mr,
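Review bot: Only `network inet dgram,` was added, so on a host whose configured resolver is an IPv6 address the name lookups hostname performs would still be denied; `network inet6 dgram,` next to it closes that gap until the finer `ip=` mediation the `# network ip=127.0.0.1:53, TODO: abi 4.0` comment refers to is available. The comment itself is useful; it could state the intent more plainly, e.g. `# TODO(abi 4.0): restrict to network ip=127.0.0.1:53 once address mediation is available`.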


@ -32,6 +32,7 @@ profile landscape-sysinfo @{exec_path} {
@{run}/utmp rwk, @{run}/utmp rwk,
@{sys}/class/thermal/ r, @{sys}/class/thermal/ r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,


@ -7,17 +7,20 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/multipath @{exec_path} = @{bin}/multipath
profile multipath @{exec_path} { profile multipath @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>
capability sys_admin, capability sys_admin,
capability sys_resource, capability sys_resource,
unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
@{exec_path} mr, @{exec_path} mr,
/etc/multipath.conf r, /etc/multipath.conf r,
/etc/multipath/bindings rwk, /etc/multipath/ r,
/etc/multipath/* rwk,
/etc/systemd/system/ r, /etc/systemd/system/ r,
@{run}/systemd/system/ r, @{run}/systemd/system/ r,
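Review bot: `/etc/multipath/* rwk,` widens the previous `bindings`-only rule to create, write and lock any file name directly under `/etc/multipath/`, so the profile no longer distinguishes the state files multipath maintains from anything else placed in that directory. If the set of files it rewrites is known (the old rule named only `bindings`), enumerating them keeps the grant tight; the new `/etc/multipath/ r,` directory read is fine. The same widening appears in the multipathd hunk below (`/etc/multipath/ r,` / `/etc/multipath/* rwk,`). The added `unix … peer=(addr="@/org/kernel/linux/storage/multipathd")` rule is a good example of the specificity the file rule lacks.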


@ -15,6 +15,7 @@ profile multipathd @{exec_path} {
capability net_admin, capability net_admin,
capability sys_admin, capability sys_admin,
capability sys_nice, capability sys_nice,
capability sys_rawio,
capability sys_resource, capability sys_resource,
network netlink raw, network netlink raw,
@ -24,7 +25,8 @@ profile multipathd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/multipath.conf r, /etc/multipath.conf r,
/etc/multipath/bindings rwk, /etc/multipath/ r,
/etc/multipath/* rwk,
/etc/systemd/system/ r, /etc/systemd/system/ r,
@{run}/multipathd.pid rwk, @{run}/multipathd.pid rwk,
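Review bot: `capability sys_rawio,` is one of the broadest capability grants (raw device access and the ioctls the kernel gates on it) and it lands in the list with no note on what triggered it. A one-line comment above it stating the operation that needs it — presumably SCSI pass-through by the path checkers, to be confirmed against the denial — would let the next maintainer judge whether it is still required, e.g. `# sys_rawio: <operation observed in the denial that required it>`.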


@ -18,6 +18,7 @@ profile snap @{exec_path} {
include <abstractions/disks-read> include <abstractions/disks-read>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
capability sys_admin, capability sys_admin,
unix (send, receive) type=stream peer=(label=apt), unix (send, receive) type=stream peer=(label=apt),


@ -14,9 +14,8 @@ profile snap-failure @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/systemctl rPx -> child-systemctl, @{bin}/systemctl rPx -> child-systemctl,
@{lib_dirs}/snapd/snapd rPx -> snapd,
@{lib_dirs}/snapd/snapd rPx,
/var/lib/snapd/sequence/snapd.json r, /var/lib/snapd/sequence/snapd.json r,


@ -18,18 +18,21 @@ profile snap-update-ns @{exec_path} {
network netlink raw, network netlink raw,
mount -> /snap/**/, mount -> /boot/,
mount -> /usr/**/, mount -> /snap/**,
mount -> /tmp/.snap/**,
mount -> /usr/**,
mount -> /var/lib/dhcp/, mount -> /var/lib/dhcp/,
mount /snap/**/ -> /tmp/.snap/**, umount /snap/**,
umount /snap/**/,
umount /var/lib/dhcp/, umount /var/lib/dhcp/,
@{exec_path} mr, @{exec_path} mr,
/var/lib/snapd/mount/{,*} r, /var/lib/snapd/mount/{,*} r,
/ r,
/snap/{,**} rw, /snap/{,**} rw,
/tmp/ r,
/tmp/.snap/{,**} rwk, /tmp/.snap/{,**} rwk,
@{run}/snapd/lock/*.lock rwk, @{run}/snapd/lock/*.lock rwk,
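Review bot: The new `mount -> /usr/**,` and `mount -> /boot/,` rules give no source, `fstype=` or `options=`, so any filesystem from any source may be mounted over any path under `/usr` and over `/boot`; the rule they replace, `mount /snap/**/ -> /tmp/.snap/**,`, at least bound the source. If, as that old rule suggests, these are bind mounts, `mount options=(bind) /snap/** -> /usr/**,`-style rules or an `fstype=` qualifier would preserve the functionality while ruling out arbitrary mounts. The `/snap/**` and `/tmp/.snap/**` destinations are unqualified in the same way.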


@ -64,7 +64,6 @@ profile snapd @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/adduser rPx, @{bin}/adduser rPx,
@{bin}/cloud-init rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
@{bin}/groupadd rPx, @{bin}/groupadd rPx,
@{bin}/hostnamectl rPx, @{bin}/hostnamectl rPx,
@{bin}/ssh-keygen rPx, @{bin}/ssh-keygen rPx,
@ -93,9 +92,9 @@ profile snapd @{exec_path} {
@{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/@{multiarch}/** mr,
@{lib_dirs}/@{multiarch}/ld-*.so rix, @{lib_dirs}/@{multiarch}/ld-*.so rix,
@{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
@{lib_dirs}/snapd/snap-discard-ns rPx, @{lib_dirs}/snapd/snap-discard-ns rPx -> snap-discard-ns,
@{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snap-seccomp rPx -> snap-seccomp,
@{lib_dirs}/snapd/snap-update-ns rPx, @{lib_dirs}/snapd/snap-update-ns rPx -> snap-update-ns,
/usr/share/bash-completion/{,**} r, /usr/share/bash-completion/{,**} r,
/usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
@ -129,7 +128,6 @@ profile snapd @{exec_path} {
/tmp/syscheck-squashfs-[0-9]* rw, /tmp/syscheck-squashfs-[0-9]* rw,
/tmp/read-file[0-9]*/{,**} rw, /tmp/read-file[0-9]*/{,**} rw,
/boot/ r, /boot/ r,
/boot/grub/grubenv r, /boot/grub/grubenv r,


@ -18,8 +18,9 @@ profile swapon @{exec_path} {
/etc/fstab r, /etc/fstab r,
owner /swapfile rw, owner /swap.img rw,
owner /swap/swapfile rw, owner /swap/swapfile rw,
owner /swapfile rw,
@{PROC}/swaps r, @{PROC}/swaps r,


@ -21,6 +21,7 @@ profile update-cracklib @{exec_path} {
@{bin}/find rix, @{bin}/find rix,
@{bin}/grep rix, @{bin}/grep rix,
@{bin}/gzip rix, @{bin}/gzip rix,
@{bin}/install rix,
@{bin}/sort rix, @{bin}/sort rix,
@{bin}/tr rix, @{bin}/tr rix,
@ -30,7 +31,9 @@ profile update-cracklib @{exec_path} {
/etc/magic r, /etc/magic r,
/etc/cracklib/cracklib.conf r, /etc/cracklib/cracklib.conf r,
/var/cache/cracklib/{,**} rw, owner /var/cache/cracklib/{,**} rw,
owner /tmp/sort@{rand6} rw,
include if exists <local/update-cracklib> include if exists <local/update-cracklib>
} }