feat(profile): general update.

2025-02-20 08:55:34 +01:00 · 2024-05-11 17:38:43 +01:00 · 2024-05-11 17:38:43 +01:00 · 1739c07ca1
commit 1739c07ca1
parent 533b7ac937
36 changed files with 57 additions and 56 deletions
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@ -7,7 +7,7 @@

  ptrace (read) peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex}/bus/systemctl/,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,

  @{bin}/systemctl mr,

--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -30,8 +30,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {

  ptrace (read) peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-system,
-  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user,

  #aa:dbus own bus=session name=org.freedesktop.systemd1

--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {

  signal (send) peer=apt-methods-*,

-  unix (bind) type=stream addr=@@{hex}/bus/apt/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/apt/system,
  unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
  unix (send, receive) type=stream peer=(label=snapd),

--- a/apparmor.d/groups/apt/dpkg-deb
+++ b/apparmor.d/groups/apt/dpkg-deb
@ -26,12 +26,12 @@ profile dpkg-deb @{exec_path} {
  owner /var/lib/dpkg/tmp.ci/ w,
  owner /var/lib/dpkg/tmp.ci/* w,

+        @{user_pkg_dirs}/** r,
  owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
-  owner @{user_pkg_dirs}/** r,

-  audit owner @{tmp}/dpkg-deb.* rw,
-  audit owner @{tmp}/dpkg-deb.*/ rw,
-  audit owner @{tmp}/dpkg-deb.*/* rw,
+  owner @{tmp}/dpkg-deb.@{rand6} rw,
+  owner @{tmp}/dpkg-deb.@{rand6}/ rw,
+  owner @{tmp}/dpkg-deb.@{rand6}/* rw,

  include if exists <local/dpkg-deb>
 }
--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@ -43,5 +43,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  owner /dev/tty@{int} rw,
+
  include if exists <local/at-spi2-registryd>
 }
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@ -53,6 +53,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
  owner /dev/nvidia-caps/ w,
  owner /dev/nvidia-caps/nvidia-cap@{int} w,

+  /dev/tty@{int} rw,
+
  profile kmod {
    include <abstractions/base>
    include <abstractions/consoles>
@ -62,9 +64,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {

    @{bin}/kmod mr,

-    # @{bin}/{,ba,da}sh ix,
    /etc/modprobe.d/{,*.conf} r,
-    # /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
+    /etc/nvidia/{current,legacy*,tesla*}/*.conf r,

    # @{sys}/module/ipmi_devintf/initstate r,
    # @{sys}/module/ipmi_msghandler/initstate r,
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@ -16,6 +16,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/consoles>

  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.portal.Realtime
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -70,6 +70,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
  owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,

+  owner @{HOME}/ r,
  owner @{HOME}/*/{,**} rw,

  owner @{tmp}/.goutputstream-@{rand6} rw,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -46,7 +46,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  signal (send) set=hup peer=xorg,
  signal (send) set=hup peer=xwayland,

-  unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system,

  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon

--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -108,8 +108,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  /dev/tty rw,
  /dev/tty@{int} rw,
- 
-  profile open {
+
+  profile open flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/app-launcher-user>

--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -33,5 +33,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/cmdline r,

+  owner /dev/tty@{int} rw,
+
  include if exists <local/mutter-x11-frames>
 }
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -70,6 +70,7 @@ profile pacman @{exec_path} {
  @{bin}/groupadd                    rPx,
  @{bin}/gtk-query-immodules-{2,3}.0 rPx,
  @{bin}/gtk{,4}-update-icon-cache   rPx,
+  @{bin}/iconvconfig                 rix,
  @{bin}/install-catalog             rPx,
  @{bin}/install-info                rPx,
  @{bin}/iscsi-iname                 rix,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -53,7 +53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  ptrace (read,trace) peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex}/bus/sshd/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/sshd/system,

  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -22,7 +22,7 @@ profile busctl @{exec_path} {

  ptrace (read),

-  unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
+  unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl,

  signal (send) set=(cont) peer=child-pager,

--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {

  ptrace (read) peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system,

  #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
  # No label available
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -16,7 +16,7 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {

  capability sys_admin,  # To set a hostname

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-hostnam/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system,

  #aa:dbus own bus=system name=org.freedesktop.hostname1

--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -17,7 +17,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  # Needed?
  audit capability net_admin,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-localed/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,

  #aa:dbus own bus=system name=org.freedesktop.locale1

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {

  # mqueue r type=posix /,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-logind/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system,

  #aa:dbus own bus=system name=org.freedesktop.login1

--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -17,14 +17,14 @@ profile systemd-modules-load @{exec_path} {

  @{exec_path} mr,

-  @{sys}/module/*/initstate r,
-
  /etc/modprobe.d/ r,
  /etc/modprobe.d/*.conf r,
  /etc/modules r,
  /etc/modules-load.d/ r,
  /etc/modules-load.d/*.conf r,

+  @{sys}/devices/@{pci}/config r,
+  @{sys}/module/*/initstate r,
  @{sys}/module/compression r,

  include if exists <local/systemd-modules-load>
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
  network packet dgram,
  network packet raw,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-network/bus-api-network,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network,

  #aa:dbus own bus=system name=org.freedesktop.network1

--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability kill,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-oomd/bus-api-oom,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,

  #aa:dbus own bus=system name=org.freedesktop.oom1

--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {

  capability sys_time,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-timedat/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system,

  #aa:dbus own bus=system name=org.freedesktop.timedate1

--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync,
  unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),

  #aa:dbus own bus=system name=org.freedesktop.timesync1
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -36,40 +36,29 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{exec_path} mrix,

  @{sh_path}               rix,
-  @{bin}/{,e}grep          rix,
+  @{coreutils_path}        rix,
  @{bin}/*-print-pci-ids   rix,
  @{bin}/alsactl          rPUx,
-  @{bin}/cat               rix,
-  @{bin}/chgrp             rix,
-  @{bin}/chmod             rix,
-  @{bin}/cut               rix,
  @{bin}/dmsetup          rPUx,
  @{bin}/ethtool           rix,
-  @{bin}/issue-generator  rPUx,
+  @{bin}/issue-generator   rPx,
  @{bin}/kmod              rPx,
  @{bin}/less              rPx -> child-pager,
-  @{bin}/ln                rix,
  @{bin}/logger            rix,
  @{bin}/ls                rix,
  @{bin}/lvm               rPx,
-  @{bin}/mknod             rPx,
+  @{bin}/mknod             rix,
  @{bin}/more              rPx -> child-pager,
  @{bin}/multipath         rPx,
  @{bin}/nfsrahead         rix,
-  @{bin}/nohup             rix,
  @{bin}/pager             rPx -> child-pager,
  @{bin}/perl              rix,
-  @{bin}/readlink          rix,
-  @{bin}/rm                rix,
-  @{bin}/sed               rix,
  @{bin}/setfacl           rix,
  @{bin}/sg_inq            rix,
  @{bin}/snap             rPUx,
  @{bin}/systemctl         rCx -> systemctl,
  @{bin}/systemd-run       rix,
-  @{bin}/touch             rix,
  @{bin}/unshare           rix,
-  @{bin}/wc                rix,

  @{lib}/crda/*                           rPUx,
  @{lib}/gdm-runtime-config               rPx,
@ -90,13 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {

  /etc/nfs.conf rk,

-  /etc/udev/ r,
-  /etc/udev/udev.conf r,
-  /etc/udev/rules.d/ r,
-  /etc/udev/rules.d/*.rules r,
-
-  /etc/udev/hwdb.d/ r,
-  /etc/udev/hwdb.d/[0-9][0-9]-*.hwdb r,
+  /etc/udev/{,**} r,
  /etc/udev/hwdb.bin rw,
  /etc/udev/.#hwdb.bin* rw,

@ -121,6 +104,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
        @{PROC}/devices r,
        @{PROC}/driver/nvidia/gpus/ r,
        @{PROC}/driver/nvidia/gpus/*/information r,
+        @{PROC}/driver/nvidia/params r,
        @{PROC}/pressure/* r,
        @{PROC}/sys/fs/nr_open r,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} {

  network netlink raw,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-update-/,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/,

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@ -23,7 +23,7 @@ profile systemd-user-runtime-dir @{exec_path} {
  mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
  umount @{run}/user/@{uid}/,

-  unix (bind) type=stream addr=@@{hex}/bus/systemd-user-ru/system,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system,

  @{exec_path} mr,

--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -22,7 +22,7 @@ profile update-notifier @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/python>

-  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user,

  #aa:dbus talk bus=system name=org.debian.apt label=apt

@ -90,7 +90,7 @@ profile update-notifier @{exec_path} {
    include <abstractions/app/systemctl>
    include <abstractions/bus-system>

-    unix (bind) type=stream addr=@@{hex}/bus/systemctl/system,
+    unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system,

    dbus send bus=system path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd1.Manager
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@ -21,7 +21,7 @@ profile docker-proxy @{exec_path} {
  @{exec_path} mr,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  
+
  @{PROC}/sys/net/core/somaxconn r,

  include if exists <local/docker-proxy>
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -14,6 +14,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

+  capability dac_override,
  capability dac_read_search,
  capability mknod,
  capability setgid,
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/fsck
-profile fsck @{exec_path} {
+profile fsck @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/disks-read>

--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -11,7 +11,6 @@ profile login @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
@ -33,8 +32,12 @@ profile login @{exec_path} flags=(attach_disconnected) {

  signal (send) set=(hup term),

+  unix type=stream addr=@@{hex16}/bus/login/system,
+
  ptrace read,

+  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+
  @{exec_path} mr,

  @{bin}/@{shells}     rUx,
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@ -56,8 +56,7 @@ profile mount @{exec_path} flags=(attach_disconnected) {

        @{run}/ r,
  owner @{run}/mount/ rw,
-  owner @{run}/mount/utab{,.*} rw,
-  owner @{run}/mount/utab.lock wk,
+  owner @{run}/mount/utab{,.*} rwk,

  /tmp/sanity-squashfs-@{int} rw,
  /tmp/syscheck-squashfs-@{int} rw,
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -62,7 +62,10 @@ profile pass @{exec_path} {
  owner @{user_password_store_dirs}/{,**} rw,
  owner /dev/shm/pass.*/{,*} rw,

+  @{sys}/devices/system/node/ r,
+
  @{PROC}/ r,
+  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/uptime r,
--- a/apparmor.d/profiles-m-r/pcscd
+++ b/apparmor.d/profiles-m-r/pcscd
@ -11,6 +11,7 @@ profile pcscd @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>

+  capability net_admin,
  capability sys_ptrace,

  network netlink raw,
@ -29,6 +30,7 @@ profile pcscd @{exec_path} {

  owner @{run}/pcscd/{,pcscd.pid} rw,

+  @{PROC}/@{pid}/fdinfo/@{int} r,
  @{PROC}/@{pids}/stat r,

  include if exists <local/pcscd>
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -48,7 +48,7 @@ profile snapd @{exec_path} {
  ptrace (read) peer=snap,
  ptrace (read) peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex}/bus/systemctl/,
+  unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,

  dbus send bus=system path=/org/freedesktop/
         interface=org.freedesktop.login1.Manager
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -28,6 +28,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(cont,hup,winch) peer=su,
  signal (send) set=(winch) peer=child-pager,
  signal (send) set=(winch) peer=journalctl,
+  signal (send) set=(winch) peer=pacman,

  @{bin}/@{shells}                  rUx,
  @{lib}/**                         PUx,