feat(profiles): general update.

2025-01-18 08:58:15 +01:00 · 2023-09-05 16:42:06 +01:00 · 2023-09-05 16:42:06 +01:00 · 155ef6bef1
commit 155ef6bef1
parent 1fb5475ad1
24 changed files with 83 additions and 43 deletions
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -21,6 +21,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  capability setuid,
  capability sys_resource,

+  network netlink raw,
+
+  network bluetooth stream,
+  network bluetooth seqpacket,
+
  signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
  signal (receive) set=(term hup kill) peer=dbus-run-session,
  signal (receive) set=(term hup kill) peer=gdm*,
@ -29,13 +34,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  signal (send)    set=(term hup kill) peer=dconf-service,
  signal (send)    set=(term hup kill) peer=xdg-permission-store,

-  network netlink raw,
-
-  network bluetooth stream,
-  network bluetooth seqpacket,
-
  ptrace (read),

+  unix (send receive accept) type=stream,
+
  @{exec_path} mr,

  @{bin}/ r,
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -25,9 +25,10 @@ profile polkit-agent-helper @{exec_path} {

  network netlink raw,

-  signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
  signal (receive) set=(term, kill) peer=gnome-shell,
  signal (receive) set=(term, kill) peer=pkexec,
+  signal (receive) set=(term, kill) peer=pkttyagent,
+  signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,

  dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -59,6 +59,8 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  /usr/share/thumbnailers/{,**} r,
  /usr/share/tracker*/{,**} r,

+  /etc/fstab r,
+
  /var/cache/fontconfig/ r,
  /var/lib/snapd/desktop/icons/{,**} r,

--- a/apparmor.d/groups/kde/kioslave5
+++ b/apparmor.d/groups/kde/kioslave5
@ -19,9 +19,9 @@ profile kioslave5 @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/qt5>
  include <abstractions/ssl_certs>
+  include <abstractions/thumbnails-cache-read>
  include <abstractions/trash>
  include <abstractions/vulkan>
-  include <abstractions/thumbnails-cache-read>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@ -19,6 +19,21 @@ profile hostnamectl @{exec_path} {
       member=Set*Hostname
       peer=(name=org.freedesktop.hostname1),

+  dbus send bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name=org.freedesktop.hostname1),
+
+  dbus send bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.hostname1
+       member=Set*Hostname
+       peer=(name=org.freedesktop.hostname1),
+
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll 
+       peer=(name=org.freedesktop.systemd1),
+
  @{exec_path} mr,

  /etc/machine-id r,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -54,6 +54,7 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
  @{sys}/devices/virtual/dmi/id/{product_name,product_version,chassis_type} r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/dmi/id/uevent r,
+  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/firmware/dmi/entries/*/raw r,

  include if exists <local/systemd-hostnamed>
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@ -19,7 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {

  ptrace (read),

-  mount /,
+  mount flags=(rw rslave) -> /,
  umount /etc/machine-id,

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -65,7 +65,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
  owner @{run}/systemd/netif/.#state* rw,
  owner @{run}/systemd/netif/leases/{,*} rw,
  owner @{run}/systemd/netif/links/{,*} rw,
-  owner @{run}/systemd/netif/lldp/ rw,
+  owner @{run}/systemd/netif/lldp/{,*} rw,
  owner @{run}/systemd/netif/state rw,

  @{run}/udev/data/n@{int} r,
@ -74,6 +74,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/devices/pci[0-9]*/**/ r,
  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,

  @{PROC}/sys/net/ipv{4,6}/** rw,

--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -33,6 +33,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {

  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/memory.pressure r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}0.service/memory.* r,

  @{PROC}/pressure/{cpu,io,memory} r,

--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -30,6 +30,8 @@ profile systemd-remount-fs @{exec_path} {
  @{run}/mount/utab.@{rand6} rw,
  @{run}/mount/utab.lock rwk,

+  @{sys}/devices/virtual/block/dm-@{int}/dm/name r,
+
  @{PROC}/ r,
  @{PROC}/1/cmdline r,

--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -37,23 +37,28 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  @{bin}/{,ba,da}sh        rix,
  @{bin}/{,e}grep          rix,
+  @{bin}/*-print-pci-ids   rix,
  @{bin}/cat               rix,
  @{bin}/chgrp             rix,
  @{bin}/chmod             rix,
  @{bin}/cut               rix,
+  @{bin}/dmsetup          rPUx,
  @{bin}/ln                rix,
  @{bin}/logger            rix,
+  @{bin}/lvm               rPx,
  @{bin}/mknod             rPx,
+  @{bin}/multipath         rPx,
  @{bin}/nohup             rix,
  @{bin}/perl              rix,
  @{bin}/readlink          rix,
+  @{bin}/sed               rix,
  @{bin}/setfacl           rix,
+  @{bin}/sg_inq            rix,
  @{bin}/snap              rPx,
-  @{bin}/unshare           rix,
-  @{bin}/lvm               rPx,
+  @{bin}/systemctl         rCx -> systemctl,
  @{bin}/touch             rix,
+  @{bin}/unshare           rix,

-  @{bin}/systemctl rCx -> systemctl,
  @{lib}/crda/*                           rPUx,
  @{lib}/gdm-runtime-config               rPx,
  @{lib}/nfsrahead                        rPUx,
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@ -19,7 +19,7 @@ profile aa-enforce @{exec_path} {
  @{bin}/ r,
  @{bin}/apparmor_parser     rPx,

-  /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/terminfo/x/* r,

  /etc/apparmor/logprof.conf r,
  /etc/apparmor.d/{,**} rw,
--- a/apparmor.d/profiles-a-f/cracklib-packer
+++ b/apparmor.d/profiles-a-f/cracklib-packer
@ -12,5 +12,7 @@ profile cracklib-packer @{exec_path} {

  @{exec_path} mr,

+  owner /var/cache/cracklib/{,**} rw,
+
  include if exists <local/cracklib-packer>
 }
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -30,7 +30,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
-       member={GetConnectionUnixUser,RemoveMatch,RequestName}
+       member={GetConnectionUnixUser,RemoveMatch,RequestName,ReleaseName}
       peer=(name=org.freedesktop.DBus),

  dbus send bus=system path=/org/freedesktop/ModemManager1
@ -54,19 +54,11 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
       interface=org.freedesktop.DBus.Properties
       member=GetAll,

-  dbus send bus=system path=/
-       interface=org.freedesktop.fwupd
-       member=Changed
-       peer=(label=fwupdmgr),
-
  dbus send bus=system path=/
       interface=org.freedesktop.DBus
       member=Changed
       peer=(label=fwupdmgr),

-  dbus receive bus=system path=/
-       interface=org.freedesktop.fwupd,
-
  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.DBus.Properties
       member={Changed,GetAll}
@ -77,8 +69,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
       member={GetAll,SetHints,GetPlugins,GetRemotes}
       peer=(name=:*, label=fwupdmgr),

-  dbus bind bus=system
-       name=org.freedesktop.fwupd,
+  dbus (send, receive) bus=system
+       interface=org.freedesktop.fwupd,
+
+  dbus bind bus=system name=org.freedesktop.fwupd,

  @{exec_path} mr,

@ -150,6 +144,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /dev/drm_dp_aux@{int} rw,
  /dev/gpiochip@{int} r,
  /dev/hidraw@{int} rw,
+  /dev/ipmi@{int} rwk,
  /dev/mei@{int} rw,
  /dev/mem r,
  /dev/mtd@{int} rw,
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@ -14,6 +14,8 @@ profile hostname @{exec_path} {

  capability sys_admin,

+  network inet dgram,
+  # network ip=127.0.0.1:53, TODO: abi 4.0
  network netlink raw,

  @{exec_path} mr,
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@ -32,6 +32,7 @@ profile landscape-sysinfo @{exec_path} {
  @{run}/utmp rwk,

  @{sys}/class/thermal/ r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,

        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline r,
--- a/apparmor.d/profiles-m-r/multipath
+++ b/apparmor.d/profiles-m-r/multipath
@ -7,17 +7,20 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/multipath
-profile multipath @{exec_path} {
+profile multipath @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/disks-write>

  capability sys_admin,
  capability sys_resource,

+  unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
+
  @{exec_path} mr,

  /etc/multipath.conf r,
-  /etc/multipath/bindings rwk,
+  /etc/multipath/ r,
+  /etc/multipath/* rwk,
  /etc/systemd/system/ r,

  @{run}/systemd/system/ r,
--- a/apparmor.d/profiles-m-r/multipathd
+++ b/apparmor.d/profiles-m-r/multipathd
@ -15,6 +15,7 @@ profile multipathd @{exec_path} {
  capability net_admin,
  capability sys_admin,
  capability sys_nice,
+  capability sys_rawio,
  capability sys_resource,

  network netlink raw,
@ -24,7 +25,8 @@ profile multipathd @{exec_path} {
  @{exec_path} mr,

  /etc/multipath.conf r,
-  /etc/multipath/bindings rwk,
+  /etc/multipath/ r,
+  /etc/multipath/* rwk,
  /etc/systemd/system/ r,

  @{run}/multipathd.pid rwk,
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -18,6 +18,7 @@ profile snap @{exec_path} {
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>

+  capability dac_read_search,
  capability sys_admin,

  unix (send, receive) type=stream peer=(label=apt),
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@ -14,9 +14,8 @@ profile snap-failure @{exec_path} {

  @{exec_path} mr,

-  @{bin}/systemctl rPx -> child-systemctl,
-
-  @{lib_dirs}/snapd/snapd rPx,
+  @{bin}/systemctl         rPx -> child-systemctl,
+  @{lib_dirs}/snapd/snapd  rPx -> snapd,

  /var/lib/snapd/sequence/snapd.json r,

--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@ -18,18 +18,21 @@ profile snap-update-ns @{exec_path} {

  network netlink raw,

-  mount -> /snap/**/,
-  mount -> /usr/**/,
+  mount -> /boot/,
+  mount -> /snap/**,
+  mount -> /tmp/.snap/**,
+  mount -> /usr/**,
  mount -> /var/lib/dhcp/,
-  mount /snap/**/ -> /tmp/.snap/**,
-  umount /snap/**/,
+  umount /snap/**,
  umount /var/lib/dhcp/,

  @{exec_path} mr,

  /var/lib/snapd/mount/{,*} r,

+  / r,
  /snap/{,**} rw,
+  /tmp/ r,
  /tmp/.snap/{,**} rwk,

  @{run}/snapd/lock/*.lock rwk,
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -64,7 +64,6 @@ profile snapd @{exec_path} {
  @{exec_path} mrix,

  @{bin}/adduser                  rPx,
-  @{bin}/cloud-init              rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
  @{bin}/groupadd                 rPx,
  @{bin}/hostnamectl              rPx,
  @{bin}/ssh-keygen               rPx,
@ -93,9 +92,9 @@ profile snapd @{exec_path} {
  @{lib_dirs}/@{multiarch}/**         mr,
  @{lib_dirs}/@{multiarch}/ld-*.so   rix,
  @{lib_dirs}/snapd/apparmor_parser  rPx -> apparmor_parser,
-  @{lib_dirs}/snapd/snap-discard-ns  rPx,
-  @{lib_dirs}/snapd/snap-seccomp     rPx,
-  @{lib_dirs}/snapd/snap-update-ns   rPx,
+  @{lib_dirs}/snapd/snap-discard-ns  rPx -> snap-discard-ns,
+  @{lib_dirs}/snapd/snap-seccomp     rPx -> snap-seccomp,
+  @{lib_dirs}/snapd/snap-update-ns   rPx -> snap-update-ns,

  /usr/share/bash-completion/{,**} r,
  /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
@ -129,7 +128,6 @@ profile snapd @{exec_path} {
  /tmp/syscheck-squashfs-[0-9]* rw,
  /tmp/read-file[0-9]*/{,**} rw,

-
  /boot/ r,
  /boot/grub/grubenv r, 

--- a/apparmor.d/profiles-s-z/swapon
+++ b/apparmor.d/profiles-s-z/swapon
@ -18,8 +18,9 @@ profile swapon @{exec_path} {

  /etc/fstab r,

-  owner /swapfile rw,
+  owner /swap.img rw,
  owner /swap/swapfile rw,
+  owner /swapfile rw,

  @{PROC}/swaps r,

--- a/apparmor.d/profiles-s-z/update-cracklib
+++ b/apparmor.d/profiles-s-z/update-cracklib
@ -21,6 +21,7 @@ profile update-cracklib @{exec_path} {
  @{bin}/find                 rix,
  @{bin}/grep                 rix,
  @{bin}/gzip                 rix,
+  @{bin}/install              rix,
  @{bin}/sort                 rix,
  @{bin}/tr                   rix,

@ -30,7 +31,9 @@ profile update-cracklib @{exec_path} {
  /etc/magic r,
  /etc/cracklib/cracklib.conf r,

-  /var/cache/cracklib/{,**} rw,
+  owner /var/cache/cracklib/{,**} rw,
+
+  owner /tmp/sort@{rand6} rw,

  include if exists <local/update-cracklib>
 }