feat(profile): general update.

2024-11-15 07:54:17 +01:00 · 2024-02-23 20:21:22 +00:00 · 2024-02-23 20:21:22 +00:00 · 2ea53a9dc3
commit 2ea53a9dc3
parent f5084ca150
14 changed files with 26 additions and 14 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -107,7 +107,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  @{bin}/mandb                      rPx -> systemd-service,
  @{bin}/savelog                    rPx -> systemd-service,
  @{coreutils_path}                 rPx -> systemd-service,
-  @{shells_path}                    rPx -> systemd-service,
+  @{sh_path}                        rPx -> systemd-service,

  @{bin}/**                         PUx,
  @{lib}/**                         PUx,
@ -128,8 +128,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /var/tmp/ r,
  @{lib}/ r,

-  /usr/share/** r,
-
  /etc/binfmt.d/{,**} r,
  /etc/conf.d/{,**} r,
  /etc/credstore.encrypted/{,**} r,
@ -139,6 +137,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /etc/machine-id r,
  /etc/modules-load.d/{,**} r,
  /etc/systemd/{,**} r,
+  /etc/udev/hwdb.d/{,**} r,

        /var/lib/systemd/{,**} rw,
  owner /var/tmp/systemd-private-*/{,**} rw,
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@ -23,7 +23,7 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
  @{bin}/systemctl     rix,
  @{bin}/gzip          rix,
  @{coreutils_path}    rix,
-  @{shells_path}      rmix,
+  @{sh_path}          rmix,

  # shadow.service
  @{bin}/pwck          rPx,
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -4,7 +4,7 @@

 # Profile for 'systemd --user', not PID 1 but the user manager for any UID.
 # It does not specify an attachment path because it is intended to be used only
-# via "AppArmorProfile=systemd-user" from a systemd unit file.
+# via "px -> systemd-user" exec transitions from the `systemd` profile.

 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/full-system-policy/.
--- a/apparmor.d/groups/cron/cron-ntp
+++ b/apparmor.d/groups/cron/cron-ntp
@ -12,7 +12,7 @@ profile cron-ntp @{exec_path} {

  @{exec_path} r,

-  @{shells_path} rix,
+  @{sh_path}     rix,
  @{bin}/cat     rix,
  @{bin}/grep    rix,
  @{bin}/sed     rix,
--- a/apparmor.d/groups/systemd/systemd-generator-cloud-init
+++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init
@ -15,6 +15,7 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{sh_path}                     rix,
+  @{bin}/mkdir                   rix,
  @{bin}/systemd-detect-virt     rPx,
  @{lib}/cloud-init/ds-identify rPUx,

--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@ -14,8 +14,11 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{sh_path}        r,
-  @{bin}/uname rix,
+  @{sh_path}                     rix,
+  @{bin}/blkid                   rPx,
+  @{bin}/systemd-detect-virt     rPx,
+  @{bin}/tr                      rix,
+  @{bin}/uname                   rix,

  @{run}/cloud-init/.ds-identify.result r,

--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -113,6 +113,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
  @{sys}/fs/cgroup/memory.max r,
  @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+  @{sys}/kernel/kexec_loaded r,
  @{sys}/module/vt/parameters/default_utf8 r,
  @{sys}/power/{state,resume_offset,resume,disk} r,

--- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
+++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
@ -39,7 +39,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
    @{sys}/devices/virtual/block/**/ r,
    @{sys}/devices/virtual/block/**/autoclear r,
    @{sys}/devices/virtual/block/**/backing_file r,
-    @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
+    @{sys}/devices/virtual/block/dm-@{int}/dm/name r,

    @{PROC}/@{pid}/mountinfo r,

--- a/apparmor.d/groups/virt/cockpit-certificate-helper
+++ b/apparmor.d/groups/virt/cockpit-certificate-helper
@ -10,6 +10,7 @@ include <tunables/global>
 profile cockpit-certificate-helper @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>

  @{exec_path} mr,

@ -18,11 +19,13 @@ profile cockpit-certificate-helper @{exec_path} {
  @{bin}/id rix,
  @{bin}/mkdir rix,
  @{bin}/mv rix,
+  @{bin}/openssl rix,
  @{bin}/rm rix,
  @{bin}/sscg rix,
  @{bin}/tr rix,

  /etc/machine-id r,
+  /etc/cockpit/ws-certs.d/* w,

  owner @{run}/cockpit/certificate-helper/{,**} rw,

--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@ -24,6 +24,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  @{bin}/unix_chkpwd rPx,
+
  @{bin}/{,z,ba,da}sh    rix,
  @{bin}/cockpit-bridge  rPx,
  @{lib}/cockpit/cockpit-pcp  rPx,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -115,7 +115,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{bin}/virtiofsd                            rux, # TODO: WIP
  @{bin}/virtlogd                             rPx,

-  @{shells_path}                rix,
+  @{sh_path}                    rix,
  @{bin}/ip                     rix,
  @{bin}/qemu-img               rUx, # TODO: Integration with virt-aa-helper
  @{bin}/qemu-system*           rUx, # TODO: Integration with virt-aa-helper
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@ -27,12 +27,13 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/graphics-full>
+  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
+  include <abstractions/user-read>

  # userns,

--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@ -30,16 +30,17 @@ profile ip @{exec_path} flags=(attach_disconnected) {
  umount /sys/,

  @{exec_path} mrix,
-  @{shells_path} rix,
+  @{sh_path} rix,

  / r,

  /etc/iproute2/{,**} r,
  /etc/netns/*/ r,

-  owner @{run}/netns/ rwk,
+  /usr/share/iproute2/{,**} r,
+
        @{run}/netns/* rw,
-  owner @{run}/netns/ rw,
+  owner @{run}/netns/ rwk,

  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/net/dev_mcast r,
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@ -26,6 +26,7 @@ profile pkttyagent @{exec_path} {
  @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9]  rPx,
  @{lib}/polkit-agent-helper-[0-9]               rPx,

+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pids}/stat r,

  /dev/tty rw,