mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profiles): grub update.

Browse Source
This commit is contained in:
Alexandre Pujol 2022-11-03 21:42:16 +00:00
parent a90cdbe879
commit 157e2a5df6
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
33 changed files with 166 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apparmor.d/groups/grub/grub-bios-setup
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-bios-setup
profile grub-bios-setup @{exec_path} flags=(complain) {
profile grub-bios-setup @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

24
apparmor.d/groups/grub/grub-check-signatures Normal file
View File

@ -0,0 +1,24 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/grub/grub-check-signatures
profile grub-check-signatures @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin//mktemp rix,
/{usr/,}bin//od rix,
owner /tmp/tmp.*/ rw,
include if exists <local/grub-check-signatures>
}

2
apparmor.d/groups/grub/grub-editenv
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-editenv
profile grub-editenv @{exec_path} flags=(complain) {
profile grub-editenv @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-file
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-file
profile grub-file @{exec_path} flags=(complain) {
profile grub-file @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-fstest
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-fstest
profile grub-fstest @{exec_path} flags=(complain) {
profile grub-fstest @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-glue-efi
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-glue-efi
profile grub-glue-efi @{exec_path} flags=(complain) {
profile grub-glue-efi @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

22
apparmor.d/groups/grub/grub-install
View File

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
@ -10,9 +11,30 @@ include <tunables/global>
profile grub-install @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
@{exec_path} mr,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/udevadm rPx,
/etc/default/grub.d/{,**} r,
/boot/efi/EFI/BOOT/{,**} rw,
/boot/grub/{,**} rw,
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
@{sys}/firmware/efi/w_platform_size r,
@{PROC}/devices r,
owner @{PROC}/@{pid}/mountinfo r,
/dev/mapper/control rw,
include if exists <local/grub-install>
}

2
apparmor.d/groups/grub/grub-kbdcomp
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-kbdcomp
profile grub-kbdcomp @{exec_path} flags=(complain) {
profile grub-kbdcomp @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-macbless
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-macbless
profile grub-macbless @{exec_path} flags=(complain) {
profile grub-macbless @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-menulst2cfg
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-menulst2cfg
profile grub-menulst2cfg @{exec_path} flags=(complain) {
profile grub-menulst2cfg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkconfig
View File

@ -8,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkconfig
profile grub-mkconfig @{exec_path} flags=(complain) {
profile grub-mkconfig @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkdevicemap
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap
profile grub-mkdevicemap @{exec_path} flags=(complain) {
profile grub-mkdevicemap @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkfont
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkfont
profile grub-mkfont @{exec_path} flags=(complain) {
profile grub-mkfont @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkimage
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkimage
profile grub-mkimage @{exec_path} flags=(complain) {
profile grub-mkimage @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mklayout
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mklayout
profile grub-mklayout @{exec_path} flags=(complain) {
profile grub-mklayout @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mknetdir
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mknetdir
profile grub-mknetdir @{exec_path} flags=(complain) {
profile grub-mknetdir @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2
profile grub-mkpasswd-pbkdf2 @{exec_path} flags=(complain) {
profile grub-mkpasswd-pbkdf2 @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkrelpath
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath
profile grub-mkrelpath @{exec_path} flags=(complain) {
profile grub-mkrelpath @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkrescue
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkrescue
profile grub-mkrescue @{exec_path} flags=(complain) {
profile grub-mkrescue @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mkstandalone
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkstandalone
profile grub-mkstandalone @{exec_path} flags=(complain) {
profile grub-mkstandalone @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-mount
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mount
profile grub-mount @{exec_path} flags=(complain) {
profile grub-mount @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

36
apparmor.d/groups/grub/grub-multi-install Normal file
View File

@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/grub/grub-multi-install
profile grub-multi-install @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}{s,}bin/grub-install rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/dpkg-query rpx,
/{usr/,}bin/readlink rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/udevadm rPx,
/{usr/,}bin/touch rix,
/usr/lib/terminfo/x/xterm-256color r,
/boot/grub/grub.cfg rw,
@{PROC}/filesystems r,
owner @{PROC}/@{pid}/maps r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/grub-multi-install>
}

2
apparmor.d/groups/grub/grub-ntldr-img
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-ntldr-img
profile grub-ntldr-img @{exec_path} flags=(complain) {
profile grub-ntldr-img @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

20
apparmor.d/groups/grub/grub-probe
View File

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
@ -7,7 +8,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-probe
profile grub-probe @{exec_path} flags=(complain) {
profile grub-probe @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
@ -15,14 +16,29 @@ profile grub-probe @{exec_path} flags=(complain) {
capability sys_admin,
@{exec_path} mr,
/{usr/,}{local/,}{s,}bin/zpool rPx,
/{usr/,}{s,}bin/lvm rPx,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/udevadm rPx,
/{usr/,}{local/,}{s,}bin/zpool rPx,
/ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/devices r,
/dev/*vg*/ r,
/dev/bsg/ r,
/dev/cpu/ r,
/dev/cpu/[0-9]*/ r,
/dev/dri/ r,
/dev/dri/by-path/ r,
/dev/hugepages/ r,
/dev/mapper/control rw,
/dev/mqueue/ r,
/dev/shm/ r,
/dev/snd/ r,
/dev/snd/by-path/ r,
include if exists <local/grub-probe>
}

2
apparmor.d/groups/grub/grub-reboot
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-reboot
profile grub-reboot @{exec_path} flags=(complain) {
profile grub-reboot @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-render-label
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-render-label
profile grub-render-label @{exec_path} flags=(complain) {
profile grub-render-label @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-script-check
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-script-check
profile grub-script-check @{exec_path} flags=(complain) {
profile grub-script-check @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-set-default
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-set-default
profile grub-set-default @{exec_path} flags=(complain) {
profile grub-set-default @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/grub-syslinux2cfg
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-syslinux2cfg
profile grub-syslinux2cfg @{exec_path} flags=(complain) {
profile grub-syslinux2cfg @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/grub/update-grub
View File

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
profile update-grub @{exec_path} flags=(complain) {
profile update-grub @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

4
apparmor.d/profiles-a-f/frontend
View File

@ -33,6 +33,10 @@ profile frontend @{exec_path} flags=(complain) {
/{usr/,}lib/tasksel/tasksel-debconf rPx -> tasksel,
/usr/share/debian-security-support/check-support-status.hook rPx,
# Grub
/{usr/,}lib/grub/grub-multi-install rPx,
/usr/share/grub/grub-check-signatures rPx,
# Run the package maintainer's scripts
# What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
#/var/lib/dpkg/info/*.{config,templates} rPUx,

9
apparmor.d/profiles-s-z/update-secureboot-policy
View File

@ -1,4 +1,5 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
@ -7,11 +8,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{,s}bin/update-secureboot-policy
profile update-secureboot-policy @{exec_path} flags=(complain) {
profile update-secureboot-policy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rm,
/usr/share/debconf/frontend rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dpkg-trigger rPx,
/usr/share/debconf/frontend rPx,
include if exists <local/update-secureboot-policy>
}

29
dists/flags/main.flags
View File

@ -81,6 +81,33 @@ gnome-system-monitor attach_disconnected,complain
gnome-terminal-server complain
gnome-tweaks complain
gpg complain
grub-bios-setup complain
grub-editenv complain
grub-file complain
grub-fstest complain
grub-glue-efi complain
grub-kbdcomp complain
grub-macbless complain
grub-menulst2cfg complain
grub-mkconfig complain
grub-mkdevicemap complain
grub-mkfont complain
grub-mkimage complain
grub-mklayout complain
grub-mknetdir complain
grub-mkpasswd-pbkdf2 complain
grub-mkrelpath complain
grub-mkrescue complain
grub-mkstandalone complain
grub-mount complain
grub-multi-install complain
grub-ntldr-img complain
grub-probe complain
grub-reboot complain
grub-render-label complain
grub-script-check complain
grub-set-default complain
grub-syslinux2cfg complain
gsd-media-keys attach_disconnected,complain
gsd-print-notifications attach_disconnected,complain
gsd-printer attach_disconnected,complain
@ -213,6 +240,8 @@ udisksctl complain
udisksd attach_disconnected,complain
umount complain
umount.udisks2 complain
update-grub complain
update-secureboot-policy complain
uptimed complain
userdbctl complain
virt-manager attach_disconnected,complain