From 3538d672edbff31ffb70c086c5004808d08586ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 13 Nov 2024 19:07:05 +0000 Subject: [PATCH] feat: profiles and integration tests improvments. --- .github/workflows/main.yml | 10 +++++++++- apparmor.d/abstractions/app/sudo | 9 +++++---- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/groups/bus/dbus-system | 2 +- apparmor.d/groups/network/NetworkManager | 5 +++-- apparmor.d/groups/network/netplan.script | 8 +++++++- apparmor.d/groups/ssh/ssh-keygen | 1 + apparmor.d/groups/systemd/hostnamectl | 1 + apparmor.d/groups/systemd/systemd-homed | 3 +++ apparmor.d/profiles-m-r/needrestart-apt-pinvoke | 2 ++ apparmor.d/profiles-s-z/sudo | 2 -- tests/bats/homectl.bats | 1 + tests/bats/snap.bats | 1 - tests/bats/systemd-id128.bats | 6 ------ tests/requirements.sh | 2 +- 15 files changed, 36 insertions(+), 19 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 59449cb4..14ca250e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,6 +15,7 @@ jobs: build: runs-on: ${{ matrix.os }} + needs: check strategy: matrix: os: @@ -93,7 +94,6 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support - bash tests/requirements.sh - name: Install apparmor.d run: | @@ -101,6 +101,14 @@ jobs: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service + - name: Github Action specific requirements + run: | + bash tests/requirements.sh + sudo systemctl restart ModemManager NetworkManager + sudo systemctl restart polkit snapd + sudo systemctl restart systemd-hostnamed systemd-logind + sudo systemctl restart packagekit udisks2 + - name: Run the bats integration tests run: | make bats diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 385ded54..be3b5f7e 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo 
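Review bot: The new "Github Action specific requirements" step restarts a fixed list of units with `sudo systemctl restart`, which exits non-zero and aborts the step as soon as one of them (ModemManager, snapd, packagekit, udisks2 …) is absent or masked on a matrix OS image; `sudo systemctl try-restart ModemManager NetworkManager polkit snapd …` only touches units that are already running and keeps the step tolerant of image differences. The step also runs after "Install apparmor.d" now that the second hunk dropped `bash tests/requirements.sh` from the apt step, so the extra packages' postinst scripts and the service restarts execute under the freshly loaded profiles — presumably the intent, which a comment such as `# runs after apparmor.d is loaded so package setup and restarts are confined` would make explicit. `needs: check` in the first hunk references a job outside this hunk, so I cannot confirm it exists. Minor: the product name is spelled "GitHub".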
@@ -24,10 +24,11 @@ network netlink raw, # PAM - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.logi1.Manager - member=CreateSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + unix bind type=stream addr=@@{hex15}/bus/sudo/system, + unix bind type=stream addr=@@{hex16}/bus/sudo/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 1f37de00..9a53d154 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,8 +7,10 @@ abi , + @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, + deny /apparmor/.null rw, deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 6ef4e44e..e4eef275 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -33,7 +33,7 @@ profile dbus-system flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} @{exec_path} mrix, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index de4644bd..f5b9e921 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
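Review bot: The two `#aa:dbus talk` directives replace a single `dbus send … member=CreateSession` rule with what, going by the directive name, is bidirectional access to every path and interface of org.freedesktop.login1 and org.freedesktop.home1 — a noticeably wider grant than the PAM session setup needed before; if the generator allows it, narrowing the login1 entry to the Manager interface, or at least stating in a comment which PAM modules drive each name (presumably pam_systemd and pam_systemd_home — confirm), would preserve the least-privilege intent under the `# PAM` heading. The `unix bind` lines now cover both `@{hex15}` and `@{hex16}` addresses, which the profile-side rule removed from apparmor.d/profiles-s-z/sudo did not; a one-line comment such as `# sd-bus abstract socket address; hex length varies` would tell the next reader why both are listed.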
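Review bot: `deny /apparmor/.null rw,` is added next to the existing `deny @{att}/apparmor/.null rw,` without a comment saying why the unprefixed form is needed; in an attach_disconnected profile the same object can presumably be reported with or without the attachment prefix, and a short comment such as `# .null may be reported with or without the @{att} prefix; silence both` would keep the pair from being "cleaned up" later. The new `@{att}/@{run}/systemd/journal/dev-log w,` mirrors the existing journal socket rule and looks consistent.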
@@ -128,10 +128,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+rfkill:* r, @{run}/udev/data/n@{int} r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, + @{sys}/devices/**/@{uuid}/net/*/{,**} r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/net/{,**} r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 7f558a1c..22f1e630 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -12,6 +12,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, @{lib}/netplan/generate rix, @@ -25,12 +27,16 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, + @{run}/systemd/network/ r, + @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/10-netplan.conf w, @{run}/systemd/system/systemd-networkd.service.wants/ rw, @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, profile udevadm { include diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 05a21d41..14cbd3c8 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen 
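Review bot: The new `@{sys}/devices/**/@{uuid}/net/*/{,**} r,` rule carries no hint of which device class places a UUID segment in its sysfs path, unlike the pci/usb rules above it that are self-describing; a comment naming the case that triggered it (a virtual or bus-attached device seen on the CI image? — confirm from the audit log) would keep the double `**` wildcard from being widened further without justification. Moving `@{sys}/devices/**/uevent r,` and `@{sys}/devices/virtual/net/{,**} r,` below the pci rules is alphabetical housekeeping and changes nothing.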
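Review bot: `@{run}/systemd/system/systemd-networkd-wait-online.service.d/10-netplan.conf w,` is the only new rule written without the `{,.@{rand6}}` temporary-file suffix and `rw` mode that the neighbouring netplan-generated files use (`@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,` and the udev rules line); if netplan writes this drop-in through a temp file and rename like the others, the write will be denied. Suggested: `@{run}/systemd/system/systemd-networkd-wait-online.service.d/10-netplan.conf{,.@{rand6}} rw,` — confirm against a denial before widening. The `network netlink raw,` added in the first hunk of this file also deserves a comment saying what netplan queries over netlink (link enumeration? — confirm). Both hunks sit inside profile netplan.script, whose body continues beyond them.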
@@ -22,6 +22,7 @@ profile ssh-keygen @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, /tmp/snapd@{int}/*_*{,.pub} w, + /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 91fc31b5..2429d235 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -10,6 +10,7 @@ include profile hostnamectl @{exec_path} { include include + include include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 5fe748ab..de09a72a 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -35,6 +35,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> @{run}/, mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + unix bind type=stream addr=@@{hex16}/bus/systemd-homed/system, + #aa:dbus own bus=system name=org.freedesktop.home1 @{exec_path} mr, @@ -61,6 +63,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, + @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/fs/ r, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 0a9e1dc3..5f391210 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -13,6 +13,8 @@ profile needrestart-apt-pinvoke @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index ca9f66d2..1e674823 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
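Review bot: `unix bind type=stream addr=@@{hex16}/bus/systemd-homed/system,` only allows the 16-digit form of the abstract socket address, whereas the sudo abstraction in this same commit lists both `@{hex15}` and `@{hex16}`; if, as that suggests, the address is a variable-length hex number, systemd-homed will hit a bind denial whenever a 15-digit value is generated. Add `unix bind type=stream addr=@@{hex15}/bus/systemd-homed/system,` alongside it unless the length is known to be fixed here. The second hunk's `@{run}/systemd/notify w,` (presumably for sd_notify — confirm) looks fine.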
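Review bot: `capability dac_read_search,` is granted to needrestart-apt-pinvoke without a comment recording which access requires it, and this capability lets the process bypass read and search permission checks on every file, not just the path that triggered the denial; a note such as `# needed for: <path or operation — confirm from the audit log>` above the rule, or a narrower file rule if the denied path is a single file, keeps the grant auditable. The profile body continues outside this hunk.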
@@ -31,8 +31,6 @@ profile sudo @{exec_path} flags=(attach_disconnected) { signal (send) set=(winch) peer=pacman, signal (send) set=(winch, hup, term) peer=rpm, - unix bind type=stream addr=@@{hex16}/bus/sudo/system/, - @{bin}/@{shells} rUx, @{lib}/** PUx, /opt/*/** PUx, diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 2fee7907..2ce62214 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats @@ -7,6 +7,7 @@ load common setup_file() { aa_setup + skip } # bats test_tags=homectl diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats index a54dda82..ef6a292d 100644 --- a/tests/bats/snap.bats +++ b/tests/bats/snap.bats @@ -7,7 +7,6 @@ load common setup_file() { aa_setup - skip } # bats test_tags=snap diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats index 3b18bd03..9a9def4d 100644 --- a/tests/bats/systemd-id128.bats +++ b/tests/bats/systemd-id128.bats @@ -27,12 +27,6 @@ setup_file() { aa_check } -# bats test_tags=systemd-id128 -@test "systemd-id128: Print the identifier of the current service invocation (this is available in systemd services)" { - systemd-id128 invocation-id - aa_check -} - # bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { systemd-id128 new --uuid diff --git a/tests/requirements.sh b/tests/requirements.sh index 91adc003..c12f9249 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -19,7 +19,7 @@ arch) ;; debian | ubuntu | whonix) sudo apt-get install -y \ - cpuid dfc systemd-userdbd + cpuid dfc systemd-userdbd systemd-homed tlp ;; opensuse*) ;;
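Review bot: The bare `skip` added to `setup_file` disables every test in homectl.bats without saying why, while the same commit adds systemd-homed to tests/requirements.sh as if the tests were meant to run; bats accepts a reason string, so `skip "homectl: <reason the suite is disabled on CI>"` would record the cause and show it in the test output. The same pattern removed from snap.bats in this commit had the same omission, so the reason is not recoverable from the history either.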