From 2246e8ae63be1285de0c0015627937e75d5c618e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 9 Dec 2022 19:12:19 +0000
Subject: [PATCH] feat(profiles): merge the two packagekitd profiles in one.
---
 apparmor.d/groups/ubuntu/packagekitd | 116 ---------------------------
 apparmor.d/profiles-m-r/packagekitd | 67 ++++++++++++----
 dists/flags/ubuntu.flags | 1 -
 3 files changed, 52 insertions(+), 132 deletions(-)
 delete mode 100644 apparmor.d/groups/ubuntu/packagekitd
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
deleted file mode 100644
index 1ee639fb..00000000
--- a/apparmor.d/groups/ubuntu/packagekitd
+++ /dev/null
@@ -1,116 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{libexec}/packagekitd
-profile packagekitd @{exec_path} {
- include
- include
- include
- include
-
- capability chown,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability kill,
- capability setgid,
- capability setuid,
- capability sys_nice,
-
- network netlink raw,
-
- signal send set=int peer=apt-methods-*,
-
- dbus (send,receive) bus=system path=/org/freedesktop/PackageKit
- interface=org.freedesktop.{DBus.*,PackageKit},
-
- dbus send bus=system path=/[0-9]*_@{hex}
- interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction}
- peer=(name=org.freedesktop.DBus),
-
- dbus send bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
- interface=org.freedesktop.DBus.Properties
- member=GetAll,
-
- dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
- interface=org.freedesktop.DBus
- member={RequestName,GetConnectionUnixUser},
-
- dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
- interface=org.freedesktop.PolicyKit[0-9].Authority
- member=CheckAuthorization,
-
- dbus receive bus=system path=/[0-9]*_@{hex}
- interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},
- # peer=(name=org.freedesktop.DBus),
-
- dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
- interface=org.freedesktop.PolicyKit[0-9].Authority
- member=Changed,
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.NetworkManager
- member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged},
-
- dbus receive bus=system path=/org/freedesktop/NetworkManager
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged,
-
- dbus receive bus=system path=/org/freedesktop/login[0-9]
- interface=org.freedesktop.login[0-9].Manager
- member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep}
- peer=(name=:*, label=systemd-logind),
-
- dbus bind bus=system
- name=org.freedesktop.PackageKit,
-
- @{exec_path} mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/appstreamcli rPx,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
- /{usr/,}bin/echo rix,
- /{usr/,}bin/gdbus rix,
- /{usr/,}bin/ischroot rix,
- /{usr/,}bin/test rix,
- /{usr/,}bin/touch rix,
- /{usr/,}lib/apt/methods/* rPx,
- /{usr/,}lib/cnf-update-db rPx,
- /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
-
- /usr/share/dpkg/tupletable r,
- /usr/share/dpkg/cputable r,
-
- /etc/PackageKit/PackageKit.conf r,
-
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
-
- /var/cache/apt/ r,
- /var/cache/apt/** rwk,
- /var/cache/PackageKit/downloads/ r,
-
- /var/lib/apt/lists/** rw,
- /var/lib/apt/lists/lock rwk,
- /var/lib/apt/periodic/update-success-stamp rw,
- /var/lib/dpkg/info/{,*} r,
- /var/lib/PackageKit/{,*} rw,
- /var/lib/PackageKit/transactions.db rwk,
-
- owner @{run}/systemd/users/@{uid} r,
-
- owner @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/mountinfo r,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 4f14bf66..58081616 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -15,7 +15,14 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 include
 include if exists
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability kill,
 capability net_admin,
+ capability setgid,
+ capability setuid,
 capability sys_nice,
 network inet stream,
@@ -24,13 +31,23 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network netlink raw,
+ signal send set=int peer=apt-methods-*,
+
 dbus receive bus=system path=/org/freedesktop/PackageKit
 interface=org.freedesktop.DBus.Properties
 peer=(name=:*, label=gnome-shell),
+ dbus receive bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.{DBus.Introspectable,PackageKit}
+ member={Introspect,StateHasChanged}
+ peer=(name=:*, label=apt),
+
+ dbus (send,receive) bus=system path=/[0-9]*_@{hex}
+ interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},
+
 dbus send bus=system path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
- member=RequestName
+ member={RequestName,GetConnectionUnixUser}
 peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 dbus send bus=system path=/org/freedesktop/NetworkManager
@@ -40,10 +57,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/NetworkManager
 interface=org.freedesktop.NetworkManager
- member=CheckPermissions
+ member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged}
 peer=(name=:*, label=NetworkManager),
-
 dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
 interface=org.freedesktop.DBus.Properties
 member=GetAll
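Review bot: The transaction rule `dbus (send,receive) bus=system path=/[0-9]*_@{hex}` added in this hunk is the only dbus rule in the profile without a `peer=` constraint, while the rules around it pin the peer label (gnome-shell, apt, dbus-daemon, NetworkManager). The deleted Ubuntu profile carried `# peer=(name=org.freedesktop.DBus),` commented out on its receive half, which suggests the constraint was dropped because it did not match rather than because any peer is meant to drive transactions. If any client is indeed allowed to talk to transaction objects, with authorization left to polkit, a one-line comment above the rule saying so, e.g. `# Transaction objects are used by any client; authorization is done via polkit`, would keep a later reviewer from re-adding the pin; otherwise the peer label should be constrained like the neighbouring rules. The profile body continues outside this hunk.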
@@ -54,26 +70,46 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 member=Changed
 peer=(name=:*, label=polkitd),
- dbus bind bus=system name= org.freedesktop.PackageKit,
+ dbus receive bus=system path=/org/freedesktop/login[0-9]
+ interface=org.freedesktop.login[0-9].Manager
+ member={SessionNew,PrepareForShutdown,SessionRemoved,UserNew,UserRemoved,PrepareForSleep}
+ peer=(name=:*, label=systemd-logind),
+
+ dbus bind bus=system
+ name=org.freedesktop.PackageKit,
 @{exec_path} mr,
- /{usr/,}bin/dpkg rPx -> child-dpkg,
- /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/gpgconf rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
- /etc/pacman.conf r,
- /etc/pacman.d//{,**} r,
- /etc/PackageKit/{,**} r,
+ /{usr/,}{s,}bin/ldconfig rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/echo rix,
+ /{usr/,}bin/gdbus rix,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/test rix,
+ /{usr/,}bin/touch rix,
- /var/cache/PackageKit/{,**} rw,
- /var/cache/pacman/pkg/{,**} rw,
- /var/lib/PackageKit/{,**} rwk,
- /var/lib/pacman/{,**} rwk,
- /var/log/*PackageKit.log rw,
- /var/log/pacman.log rw,
+ /{usr/,}bin/appstreamcli rPx,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/glib-compile-schemas rPx,
+ /{usr/,}bin/update-desktop-database rPx,
+ /{usr/,}lib/apt/methods/* rPx,
+ /{usr/,}lib/cnf-update-db rPx,
+ /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
+ /usr/share/libalpm/scripts/* rPx,
+
+ # Install/update packages
+ / r,
+ /*{,/} rw,
+ /boot/** rwl -> /boot/**,
+ /etc/** rwl -> /etc/**,
+ /opt/** rwl -> /opt/**,
+ /srv/** rwl -> /srv/**,
+ /usr/** rwlk -> /usr/**,
+ /var/** rwlk -> /var/**,
 owner /tmp/packagekit* rw,
@@ -81,6 +117,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/systemd/users/@{uid} r,
 @{PROC}/@{pids}/cgroup r,
+ @{PROC}/@{pids}/mountinfo r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags
index 047990aa..c4f02724 100644
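Review bot: The `# Install/update packages` block grants packagekitd itself write, link and lock access across `/etc/**`, `/usr/**`, `/var/**`, `/boot/**`, `/opt/**` and `/srv/**`, which is wider than either of the two profiles being merged: the deleted Ubuntu profile limited writes to apt, dpkg and PackageKit state and delegated installation through `/{usr/,}bin/dpkg rPx -> child-dpkg`, and the previous generic rules limited writes to the pacman and PackageKit directories. The `child-dpkg` transition is kept in this same hunk, so on dpkg-based systems these rules are privilege the daemon does not use, and they also subsume the read-only `/etc/pacman.conf r` and `/etc/PackageKit/{,**} r` rules being removed, turning read access into rwl. If the in-process libalpm backend is what needs them, record that in the comment, e.g. `# Install/update packages (in-process libalpm backend; apt/dpkg backends write under child-dpkg)`, so the scope of the grant stays reviewable. The commit also drops `packagekitd complain` from dists/flags/ubuntu.flags, so on Ubuntu the widened profile runs in whatever mode the default flags set, which is not visible here. The profile body continues outside this hunk.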
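Review bot: `@{PROC}/@{pids}/mountinfo r` is not owner-scoped, so packagekitd may read the mount table of any process, whereas the adjacent `owner @{PROC}/@{pid}/fd/ r` and `owner @{PROC}/@{pid}/mounts r` are limited to its own. The line is carried over verbatim from the deleted Ubuntu profile and may come from a logged denial, but unless that denial named a foreign pid, `owner @{PROC}/@{pid}/mountinfo r,` matches the neighbouring rules and exposes nothing about other mount namespaces. The profile body continues outside this hunk.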
--- a/dists/flags/ubuntu.flags
+++ b/dists/flags/ubuntu.flags
@@ -9,7 +9,6 @@ list-oem-metapackages complain
 livepatch-notification complain
 notify-reboot-required complain
 package-system-locked attach_disconnected,complain
-packagekitd complain
 release-upgrade-motd complain
 software-properties-gtk software-properties-gtk complain