From 2d7ec5ad2c6fd32655cdef6bd535ee1b65936a89 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Fri, 15 Jul 2022 20:42:15 +0000
Subject: [PATCH] Update spectre-meltdown-checker (#50)

* Update spectre-meltdown-checker
---
 .../profiles-s-z/spectre-meltdown-checker | 37 ++++++++++++++-----
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
index b2fdf5df..b45d6d25 100644
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh}
 profile spectre-meltdown-checker @{exec_path} {
 include
+ include
 # Needed to read the /dev/cpu/[0-9]*/msr device
 capability sys_rawio,
@@ -56,11 +57,14 @@ profile spectre-meltdown-checker @{exec_path} {
 /{usr/,}bin/{,@{multiarch}-}strings rix,
 /{usr/,}bin/{,@{multiarch}-}objdump rix,
 /{usr/,}{s,}bin/iucode_tool rix,
+ /{usr/,}{s,}bin/rdmsr rix,
 /{usr/,}bin/dmesg rix,
 /{usr/,}{s,}bin/mount rix,
 /{usr/,}bin/find rix,
 /{usr/,}bin/xargs rix,
 /{usr/,}bin/readlink rix,
+ /{usr/,}bin/nproc rix,
+ /{usr/,}bin/date rix,
 /{usr/,}bin/pgrep rCx -> pgrep,
 /{usr/,}bin/ccache rCx -> ccache,
@@ -71,13 +75,12 @@ profile spectre-meltdown-checker @{exec_path} {
 /{usr/,}bin/sqlite3 rCx -> mcedb,
 owner /tmp/mcedb-* rw,
 owner /tmp/smc-* rw,
- owner /tmp/intelfw-*/ rw,
- owner /tmp/intelfw-*/fw.zip rw,
- owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw,
- owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw,
+ owner /tmp/{,smc-}intelfw-*/ rw,
+ owner /tmp/{,smc-}intelfw-*/fw.zip rw,
+ owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
+ owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
 owner @{HOME}/.mcedb rw,
- owner @{exec_path} w,
 /tmp/ r,
 owner /tmp/{config,kernel}-* rw,
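Review bot: `/{usr/,}{s,}bin/rdmsr rix,` runs rdmsr under the parent profile, so it inherits the `capability sys_rawio` granted near the top of the file; that is the right shape for a dedicated MSR reader, but it is only useful if the profile also permits opening the MSR device nodes. The comment above `capability sys_rawio` refers to `/dev/cpu/[0-9]*/msr`, so a read rule for that path presumably exists outside this hunk — worth confirming, because without it rdmsr is denied at open time and the new rule grants nothing. A short comment next to the new rule, `# rdmsr: inherits sys_rawio from this profile to read /dev/cpu/[0-9]*/msr`, would tie the two together for the next reader. The `nproc` and `date` additions are plain read-only helpers and need no further note.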
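Review bot: The new `{,smc-}` and `{master,main}` alternations in the `/tmp/...intelfw-*` rules are undocumented, so a reader cannot tell from the profile why both spellings are retained or when the older one can be dropped. Presumably newer script releases prefix their scratch directories with `smc-` and the upstream microcode repository's default branch was renamed, but that is inferred; a comment above the first of these rules such as `# older releases use /tmp/intelfw-* and a master branch, newer ones smc- and main; keep both until old releases are gone` would record the reason. Note that the `.../Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw` rule is the broadest write grant in this hunk — recursive under the unpacked tree — and is only bounded by the `owner` qualifier, which is worth stating in the same comment.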
@@ -99,8 +102,8 @@ profile spectre-meltdown-checker @{exec_path} {
 @{PROC}/modules r,
 # find and denoise
- @{PROC}/@{pid}/{status,exe} r,
- @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pids}/{status,exe} r,
+ @{PROC}/@{pids}/fd/ r,
 @{PROC}/*/ r,
 /var/lib/dbus/machine-id r,
@@ -110,7 +113,6 @@ profile spectre-meltdown-checker @{exec_path} {
 /root/ r,
 /etc/ r,
-
 profile ccache {
 include
@@ -124,10 +126,12 @@ profile spectre-meltdown-checker @{exec_path} {
 /etc/debian_version r,
+ include if exists
 }
 profile pgrep {
 include
+ include
 /{usr/,}bin/pgrep mr,
@@ -137,6 +141,7 @@ profile spectre-meltdown-checker @{exec_path} {
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/uptime r,
+ include if exists
 }
 profile mcedb {
@@ -146,22 +151,33 @@ profile spectre-meltdown-checker @{exec_path} {
 include
 include
+ deny capability net_admin,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
 /{usr/,}bin/wget mr,
 /{usr/,}bin/sqlite3 mr,
 /etc/wgetrc r,
 owner @{HOME}/.wget-hsts rwk,
+ owner @{HOME}/.mcedb rw,
 /tmp/ r,
- owner /tmp/mcedb-* rwk,
- owner /tmp/intelfw-*/fw.zip rw,
+ owner /tmp/{,smc-}mcedb-* rwk,
+ owner /tmp/{,smc-}intelfw-*/fw.zip rw,
 /usr/share/publicsuffix/public_suffix_list.* r,
+ include if exists
 }
 profile kmod {
 include
 include
+ include
 capability sys_module,
@@ -175,6 +191,7 @@ profile spectre-meltdown-checker @{exec_path} {
 @{PROC}/cmdline r,
+ include if exists
 }
 include if exists
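Review bot: In the `@@ -146,22 +151,33 @@` hunk the `mcedb` subprofile gains inet/inet6 stream and dgram sockets, `network netlink raw,` and a quiet `deny capability net_admin,`, with no comment saying which wget behaviour each rule serves; the `profile mcedb {` header itself is in the preceding hunk. The netlink rule is the widest of the set and is likely there for glibc's interface enumeration during name resolution, while the `deny` likely keeps a routine wget capability probe out of the audit log, but neither is stated and both are inferred here. A comment block above the rules — `# wget: fetch the microcode database`, `# netlink raw: getaddrinfo() interface enumeration`, `# deny net_admin: wget probes it, silence the audit noise` — would let a later reviewer judge whether the set can be narrowed. The repeated `owner @{HOME}/.mcedb rw,` is correct rather than redundant, since a `rCx` child profile does not inherit the parent's file rules.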