Update spectre-meltdown-checker (#50)

* Update spectre-meltdown-checker
2024-11-15 16:03:51 +01:00 · 2022-07-15 20:42:15 +00:00 · 2022-07-15 20:42:15 +00:00 · 2d7ec5ad2c
commit 2d7ec5ad2c
parent 63f1a98c37
1 changed files with 27 additions and 10 deletions
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh}
 profile spectre-meltdown-checker @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  # Needed to read the /dev/cpu/[0-9]*/msr device
  capability sys_rawio,
@ -56,11 +57,14 @@ profile spectre-meltdown-checker @{exec_path} {
  /{usr/,}bin/{,@{multiarch}-}strings rix,
  /{usr/,}bin/{,@{multiarch}-}objdump rix,
  /{usr/,}{s,}bin/iucode_tool         rix,
+  /{usr/,}{s,}bin/rdmsr               rix,
  /{usr/,}bin/dmesg                   rix,
  /{usr/,}{s,}bin/mount  rix,
  /{usr/,}bin/find       rix,
  /{usr/,}bin/xargs      rix,
  /{usr/,}bin/readlink   rix,
+  /{usr/,}bin/nproc      rix,
+  /{usr/,}bin/date       rix,
  
  /{usr/,}bin/pgrep      rCx -> pgrep,
  /{usr/,}bin/ccache     rCx -> ccache,
@ -71,13 +75,12 @@ profile spectre-meltdown-checker @{exec_path} {
  /{usr/,}bin/sqlite3    rCx -> mcedb,
  owner /tmp/mcedb-* rw,
  owner /tmp/smc-* rw,
-  owner /tmp/intelfw-*/ rw,
-  owner /tmp/intelfw-*/fw.zip rw,
-  owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw,
-  owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw,
+  owner /tmp/{,smc-}intelfw-*/ rw,
+  owner /tmp/{,smc-}intelfw-*/fw.zip rw,
+  owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
+  owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,

  owner @{HOME}/.mcedb rw,
-  owner @{exec_path} w,

        /tmp/ r,
  owner /tmp/{config,kernel}-* rw,
@ -99,8 +102,8 @@ profile spectre-meltdown-checker @{exec_path} {
  @{PROC}/modules r,

  # find and denoise
-  @{PROC}/@{pid}/{status,exe} r,
-  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pids}/{status,exe} r,
+  @{PROC}/@{pids}/fd/ r,
  @{PROC}/*/ r,

  /var/lib/dbus/machine-id r,
@ -110,7 +113,6 @@ profile spectre-meltdown-checker @{exec_path} {
  /root/ r,
  /etc/ r,

-
  profile ccache {
    include <abstractions/base>

@ -124,10 +126,12 @@ profile spectre-meltdown-checker @{exec_path} {

    /etc/debian_version r,

+    include if exists <local/spectre-meltdown-checker_ccache>
  }

  profile pgrep {
    include <abstractions/base>
+    include <abstractions/consoles>

    /{usr/,}bin/pgrep mr,

@ -137,6 +141,7 @@ profile spectre-meltdown-checker @{exec_path} {
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/uptime r,

+    include if exists <local/spectre-meltdown-checker_pgrep>
  }

  profile mcedb {
@ -146,22 +151,33 @@ profile spectre-meltdown-checker @{exec_path} {
    include <abstractions/openssl>
    include <abstractions/ssl_certs>

+    deny capability net_admin,
+
+    network inet dgram,
+    network inet6 dgram,
+    network inet stream,
+    network inet6 stream,
+    network netlink raw,
+
    /{usr/,}bin/wget mr,
    /{usr/,}bin/sqlite3 mr,

    /etc/wgetrc r,
    owner @{HOME}/.wget-hsts rwk,
+    owner @{HOME}/.mcedb rw,

          /tmp/ r,
-    owner /tmp/mcedb-* rwk,
-    owner /tmp/intelfw-*/fw.zip rw,
+    owner /tmp/{,smc-}mcedb-* rwk,
+    owner /tmp/{,smc-}intelfw-*/fw.zip rw,

    /usr/share/publicsuffix/public_suffix_list.* r,

+    include if exists <local/spectre-meltdown-checker_mcedb>
  }

  profile kmod {
    include <abstractions/base>
+    include <abstractions/consoles>

    capability sys_module,

@ -175,6 +191,7 @@ profile spectre-meltdown-checker @{exec_path} {

    @{PROC}/cmdline r,

+    include if exists <local/spectre-meltdown-checker_kmod>
  }

  include if exists <local/spectre-meltdown-checker>