From c55f19c4ebd9b115288407bddc16038ac11e6bab Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sun, 12 Dec 2021 21:42:24 +0300
Subject: [PATCH 1/6] bind-utils
---
 apparmor.d/profiles-a-f/dig | 4 ++++
 apparmor.d/profiles-g-l/host | 25 +++++++++++++++++++++++++
 apparmor.d/profiles-m-r/nslookup | 25 +++++++++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 apparmor.d/profiles-g-l/host
 create mode 100644 apparmor.d/profiles-m-r/nslookup
diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig
index 7fe72a44..4990930f 100644
--- a/apparmor.d/profiles-a-f/dig
+++ b/apparmor.d/profiles-a-f/dig
@@ -24,5 +24,9 @@ profile dig @{exec_path} {
 owner @{HOME}/.digrc r,
+ /tmp/batch_mode.dig r,
+ /home/dig/batch_mode.dig r,
+ /home/dig/tsig.key r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host
new file mode 100644
index 00000000..220e27d4
--- /dev/null
+++ b/apparmor.d/profiles-g-l/host
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}bin/host
+profile host @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+ include
+
+ owner @{PROC}/@{pid}/task/@{pid}/comm rw,
+
+ # Ubuntu
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup
new file mode 100644
index 00000000..ea0410c5
--- /dev/null
+++ b/apparmor.d/profiles-m-r/nslookup
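Review bot: `/tmp/batch_mode.dig r,` is granted without the `owner` qualifier, so the profile lets dig read that fixed path in a world-writable directory no matter which user created the file; the two `/home/dig/` rules in this hunk have the same gap, and patch 6 replaces them with `owner @{HOME}/…` rules but keeps the `/tmp` rule unqualified. If the batch file is meant to be the invoking user's own, `owner /tmp/batch_mode.dig r,` gives it the same treatment patch 6 gives the home-directory paths. The enclosing `profile dig` block starts outside the hunk, and the `include if exists` argument appears stripped in this rendering.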
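Review bot: `@{exec_path} r,` in the new host profile grants only read on the binary, while the dig profile in this series uses `@{exec_path} mr,`; apparmor.d profiles normally give the attached executable `mr` so mapping its own image is permitted, and a bare `r` may show up as a file_mmap denial once the profile is enforced — worth confirming against the audit log before merging. The nslookup hunk in this patch carries the same rule, and patches 4 and 5 move the line but keep `r`. The `abi` and `include` arguments are missing from this rendering, so the included abstractions cannot be checked here.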
@@ -0,0 +1,25 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{,usr/}bin/nslookup
+profile nslookup @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+ include
+
+ owner @{PROC}/@{pid}/task/@{pid}/comm rw,
+
+ # Ubuntu
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
+ include if exists
+}
From 85b83a6e4040e95142db943f35bd45227eb92320 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sat, 18 Dec 2021 21:50:40 +0000
Subject: [PATCH 2/6] Remove vim header
---
 apparmor.d/profiles-m-r/nslookup | 1 -
 1 file changed, 1 deletion(-)
diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup
index ea0410c5..59563e3b 100644
--- a/apparmor.d/profiles-m-r/nslookup
+++ b/apparmor.d/profiles-m-r/nslookup
@@ -1,4 +1,3 @@
-# vim:syntax=apparmor
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
From 864e09e539fe01e34067820d0c6d12e07eb9c04e Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sat, 18 Dec 2021 21:51:01 +0000
Subject: [PATCH 3/6] Remove vim header
---
 apparmor.d/profiles-g-l/host | 1 -
 1 file changed, 1 deletion(-)
diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host
index 220e27d4..185a0706 100644
--- a/apparmor.d/profiles-g-l/host
+++ b/apparmor.d/profiles-g-l/host
@@ -1,4 +1,3 @@
-# vim:syntax=apparmor
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
From ccabf0ad5eee6cac1156e4986139f5c737dbc95e Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sat, 15 Jan 2022 23:14:32 +0000
Subject: [PATCH 4/6] Update nslookup
---
 apparmor.d/profiles-m-r/nslookup | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup
index 59563e3b..71aa765f 100644
--- a/apparmor.d/profiles-m-r/nslookup
+++ b/apparmor.d/profiles-m-r/nslookup
@@ -7,18 +7,18 @@ include
 @{exec_path} = /{,usr/}bin/nslookup
 profile nslookup @{exec_path} {
- @{exec_path} r,
 include
 include
 include
- owner @{PROC}/@{pid}/task/@{pid}/comm rw,
-
- # Ubuntu
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ @{exec_path} r,
+
+ owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+
 include if exists
 }
From 43c509f28b44ca0d86247417f3c99c41d248c2e6 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sat, 15 Jan 2022 23:22:43 +0000
Subject: [PATCH 5/6] Update host
---
 apparmor.d/profiles-g-l/host | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host
index 185a0706..a229b405 100644
--- a/apparmor.d/profiles-g-l/host
+++ b/apparmor.d/profiles-g-l/host
@@ -7,18 +7,18 @@ include
 @{exec_path} = /{,usr/}bin/host
 profile host @{exec_path} {
- @{exec_path} r,
 include
 include
 include
- owner @{PROC}/@{pid}/task/@{pid}/comm rw,
-
- # Ubuntu
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ @{exec_path} r,
+
+ owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+
 include if exists
 }
From 39bd0932d2aff28cd559590cba8bc62c70c51fbf Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sun, 16 Jan 2022 21:59:28 +0000
Subject: [PATCH 6/6] Update dig
---
 apparmor.d/profiles-a-f/dig | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig
index 4990930f..5c93bcc4 100644
--- a/apparmor.d/profiles-a-f/dig
+++ b/apparmor.d/profiles-a-f/dig
@@ -20,13 +20,13 @@ profile dig @{exec_path} {
 @{exec_path} mr, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{HOME}/.digrc r, - + owner @{HOME}/batch_mode.dig r, + owner @{HOME}/tsig.key r, + /tmp/batch_mode.dig r, - /home/dig/batch_mode.dig r, - /home/dig/tsig.key r, + + owner @{PROC}/@{pids}/task/@{tid}/comm rw, include if exists }
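Review bot: The dig hunk pins the batch and key inputs to the literal names `batch_mode.dig` and `tsig.key` under `@{HOME}` and `/tmp` without recording why those names are the ones expected, so a later maintainer cannot tell whether another `-f` or `-k` path should be added or these rules dropped. A one-line comment above `owner @{HOME}/batch_mode.dig r,` such as `# fixed batch-file and TSIG-key names used by the local dig invocation — confirm against the caller` would capture the intent. The `/tmp/batch_mode.dig r,` rule carried over from patch 1 still lacks `owner`, unlike the two home-directory rules this hunk adds. The enclosing `profile dig` block starts outside the hunk, and the `include if exists` argument is stripped in this rendering, so the hunk body is left unsplit where its line boundaries are not certain.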