fix(profile): firt set of issues raised by the integration tests

2024-11-14 15:33:47 +01:00 · 2024-10-21 22:00:02 +01:00 · 2024-10-21 22:00:02 +01:00 · 2823f7562b
commit 2823f7562b
parent 48738a4cae
5 changed files with 11 additions and 3 deletions
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@ -20,6 +20,8 @@
  @{sys}/devices/@{pci}/host@{int}/** r,
  @{sys}/devices/@{pci}/usb@{int}/** r,
  @{sys}/devices/@{pci}/virtio@{int}/** r,
+  @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/ r,
+  @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/** r,

  # SSD Nvme devices
  /dev/nvme[0-9]* rk,
--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@ -20,6 +20,8 @@
  @{sys}/devices/@{pci}/host@{int}/** r,
  @{sys}/devices/@{pci}/usb@{int}/** r,
  @{sys}/devices/@{pci}/virtio@{int}/** r,
+  @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/ r,
+  @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/** r,

  # SSD Nvme devices
  /dev/nvme[0-9]* rwk,
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@ -6,7 +6,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit
+@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable
 profile aa-enforce @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@ -23,6 +23,8 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
  @{etc_rw}/blkid.tab{,-@{rand6}} rw,
  @{etc_rw}/blkid.tab.old rwl -> /etc/blkid.tab,

+  /.ismount-test-file rw,
+
  # Image files
  @{user_img_dirs}/{,**} r,

@ -34,8 +36,9 @@ profile blkid @{exec_path} flags=(attach_disconnected) {

  @{run}/cloud-init/ds-identify.log w, # file_inherit

-  # For the EVALUATE=scan method
+  @{PROC}/@{pid}/mounts r,
  @{PROC}/partitions r,
+  @{PROC}/swaps r,

  owner /dev/tty@{int} rw,

--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@ -30,10 +30,11 @@ profile lspci @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.pciids-cache.tmp-*-@{pid} rw,
  owner @{HOME}/.pciids-cache rw,
+  owner @{user_cache_dirs}/pci-ids rw,

  @{sys}/bus/pci/devices/ r,
  @{sys}/bus/pci/slots/ r,
-  @{sys}/bus/pci/slots/@{int}/address r,
+  @{sys}/bus/pci/slots/@{int}-@{int}/address r,
  @{sys}/devices/@{pci}/** r,
  @{sys}/module/compression r,