From 24cf14ff3ad9695de94d3dbcf8dfd59db0afacd8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 3 Jun 2022 20:20:32 +0100
Subject: [PATCH] feat(profiles): initial version of some ubuntu related profiles.
---
apparmor.d/groups/ubuntu/apport-gtk | 60 +++++++++++++++++++
apparmor.d/groups/ubuntu/apt-esm-hook | 21 +++++++
.../groups/ubuntu/check-new-release-gtk | 41 +++++++++++++
apparmor.d/groups/ubuntu/hwe-support-status | 26 ++++++++
.../groups/ubuntu/list-oem-metapackages | 27 +++++++++
apparmor.d/groups/ubuntu/update-manager | 49 +++++++++++++++
6 files changed, 224 insertions(+)
create mode 100644 apparmor.d/groups/ubuntu/apport-gtk
create mode 100644 apparmor.d/groups/ubuntu/apt-esm-hook
create mode 100644 apparmor.d/groups/ubuntu/check-new-release-gtk
create mode 100644 apparmor.d/groups/ubuntu/hwe-support-status
create mode 100644 apparmor.d/groups/ubuntu/list-oem-metapackages
create mode 100644 apparmor.d/groups/ubuntu/update-manager
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
new file mode 100644
index 00000000..bf2eb41d
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -0,0 +1,60 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/apport/apport-gtk
+profile apport-gtk @{exec_path} {
+ include
+ include
+ include
+
+ capability sys_ptrace,
+
+ @{exec_path} mr,
+
+ /{usr/,}{s,}bin/killall5 rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/apt-cache rPx,
+ /{usr/,}bin/cut rix,
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/gdb rCx -> gdb,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/gsettings rPx,
+ /{usr/,}bin/journalctl rPx,
+ /{usr/,}bin/kmod rPx,
+ /{usr/,}bin/ldd rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/md5sum rix,
+
+ /usr/share/apport/general-hooks/*.py r,
+
+ /etc/apport/blacklist.d/apport r,
+ /etc/apport/blacklist.d/README.blacklist r,
+ /etc/apport/crashdb.conf r,
+ /etc/bash_completion.d/apport_completion r,
+ /etc/cron.daily/apport r,
+ /etc/default/apport r,
+ /etc/init.d/apport r,
+ /etc/logrotate.d/apport r,
+
+ /var/lib/dpkg/info/*.md5sums r,
+ /var/log/installer/media-info r,
+
+ owner @{PROC}/@{pid}/cgroup r,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/@{pids}/stat r,
+
+ profile gdb {
+ include
+ /{usr/,}bin/gdb mr,
+
+ }
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook
new file mode 100644
index 00000000..5e4c703c
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/apt-esm-hook
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-hook
+profile apt-esm-hook @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
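Review bot: The helpers run as `rix` in the apport-gtk profile (`/{usr/,}bin/{,ba,da}sh rix,`, `killall5`, `cut`, `grep`, `ldd`, `md5sum`) inherit the whole profile, including `capability sys_ptrace,` and the unowned `@{PROC}/@{pids}/` reads, so a shell spawned by apport-gtk carries more privilege than the crash-reporting task needs; confining at least the shell in a child profile, as the hunk already does for gdb with `/{usr/,}bin/gdb rCx -> gdb,`, would keep the capability with the main binary. The `gdb` child profile declares only `/{usr/,}bin/gdb mr,` and no ptrace or capability rule, and the parent's cross-process `@{PROC}/@{pids}/fd/ r` presumably also needs a `ptrace (read),` rule on current kernels, so both are worth confirming against the audit log on a real crash. The `abi` and `include` targets appear to have been stripped in this rendering, so which abstractions are pulled in cannot be checked here. Every file in this patch ends without a trailing newline (`\ No newline at end of file` after each hunk), a style nit that applies to the apt-esm-hook, check-new-release-gtk, hwe-support-status, list-oem-metapackages and update-manager hunks as well.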
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
new file mode 100644
index 00000000..ddba1dc3
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -0,0 +1,41 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk
+profile check-new-release-gtk @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+
+ /usr/share/distro-info/{,**} r,
+ /usr/share/icons/{,**} r,
+ /usr/share/themes/{,**} r,
+ /usr/share/ubuntu-release-upgrader/{,**} r,
+ /usr/share/update-manager/{,**} r,
+
+ /etc/update-manager/{,**} r,
+
+ owner @{user_cache_dirs}/update-manager-core/{,**} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/mounts r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status
new file mode 100644
index 00000000..83cb07e3
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/hwe-support-status
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/hwe-support-status
+profile hwe-support-status @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+
+ /usr/share/distro-info/{,**} r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages
new file mode 100644
index 00000000..ec8706f8
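Review bot: The `network inet dgram,` and `network inet6 dgram,` rules in check-new-release-gtk allow datagram sockets only; if the tool fetches the release metadata over HTTP itself rather than through a separately confined helper, the TCP connect would be denied and show up in the audit log, so this is worth confirming on a test run before the profile is enforced. Either way, a short comment stating what the datagram access is for, e.g. `# DNS lookups only; the HTTP fetch runs outside this profile` if that is the case, would make the intent reviewable rather than leaving the next maintainer to guess. The profile otherwise keeps the writable paths under `owner @{user_cache_dirs}/update-manager-core/{,**} rw,`, which is appropriately narrow.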
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/update-notifier/list-oem-metapackages
+profile list-oem-metapackages @{exec_path} {
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/ischroot rix,
+
+ @{sys}/devices/**/ r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/filesystems r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager
new file mode 100644
index 00000000..869866f3
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/update-manager
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/update-manager
+profile update-manager @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/hwe-support-status rPx,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/snap rPUx,
+ /{usr/,}bin/uname rix,
+ /{usr/,}lib/apt/methods/http{,s} rPx,
+
+ /usr/share/applications/{,**} r,
+ /usr/share/distro-info/{,**} r,
+ /usr/share/icons/{,**} r,
+ /usr/share/ubuntu-release-upgrader/{,**} r,
+ /usr/share/update-manager/{,**} r,
+ /usr/share/X11/{,**} r,
+
+ /etc/machine-id r,
+ /etc/update-manager/{,**} r,
+
+ /var/lib/update-manager/{,**} rw,
+
+ owner @{user_cache_dirs}/update-manager-core/{,**} rw,
+
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
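Review bot: `/{usr/,}bin/snap rPUx,` in the update-manager profile falls back to executing snap unconfined whenever no `snap` profile is loaded, so anything that subverts the update-manager process gets an unconfined child through this one path while every other transition in the hunk is pinned with `rPx`; if the profile set ships a snap profile, `rPx` would close that gap, and if the fallback is deliberate it deserves a comment such as `# snap has no profile yet; unconfined fallback is intentional`. The profile also grants `/var/lib/update-manager/{,**} rw,` without `owner`, which is consistent with the tool running as root but is not stated anywhere, so a one-line comment recording that assumption would help the next reviewer. The list-oem-metapackages hunk on the same line grants `@{sys}/devices/**/ r,`, which with the trailing slash is directory listing only and looks appropriately narrow.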