From 4108d6a987fac8f85ec3c1886c31ba1dbfab77a8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 12 Nov 2024 20:42:31 +0000
Subject: [PATCH] feat(profile): update some core profiles.
---
 apparmor.d/groups/freedesktop/polkitd | 2 ++
 apparmor.d/groups/freedesktop/upower | 2 ++
 apparmor.d/groups/freedesktop/xdg-permission-store | 1 +
 apparmor.d/groups/network/netplan.script | 2 ++
 apparmor.d/groups/ubuntu/apport | 8 +++++---
 apparmor.d/groups/virt/containerd | 11 +++++++----
 apparmor.d/profiles-a-f/chsh | 1 +
 apparmor.d/profiles-s-z/snap | 5 +++++
 apparmor.d/profiles-s-z/snap-update-ns | 6 ++++++
 apparmor.d/profiles-s-z/snapd-apparmor | 1 +
 apparmor.d/profiles-s-z/uuidd | 1 +
 11 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 089e6174..a8df0261 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -53,6 +53,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   /var/lib/polkit{,-1}/localauthority/{,**} r,
   owner /var/lib/polkit{,-1}/.cache/ rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
   @{run}/systemd/sessions/* r,
   @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower
index 1cb7c958..2aeb4ee8 100644
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@@ -10,6 +10,8 @@ include
 @{exec_path} = @{bin}/upower
 profile upower @{exec_path} {
   include
+  include
+  include
   # Needed?
   audit capability sys_nice,
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index 441692de..08cfc840 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -43,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/flatpak/db/ rw,
   owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
   owner @{user_share_dirs}/flatpak/db/background rw,
+  owner @{user_share_dirs}/flatpak/db/desktop-used-apps r,
   owner @{user_share_dirs}/flatpak/db/devices rw,
   owner @{user_share_dirs}/flatpak/db/documents rw,
   owner @{user_share_dirs}/flatpak/db/notifications rw,
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 53297493..65d644e7 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -49,6 +49,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
   capability net_admin,
+  @{att}/@{run}/systemd/private rw,
+
   include if exists
 }
diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport
index cd018711..11aad0da 100644
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@@ -22,9 +22,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
   capability setuid,
   capability sys_ptrace,
-  ptrace (read) peer=gnome-shell,
-  ptrace (read) peer=snap.cups.cupsd,
-  ptrace (read) peer=tracker-extract,
+  ptrace read,
   @{exec_path} mr,
@@ -36,6 +34,10 @@ profile apport @{exec_path} flags=(attach_disconnected) {
   /usr/share/apport/{,**} r,
   /etc/apport/report-ignore/{,**} r,
+  /etc/login.defs r,
+
+  /var/lib/dpkg/info/ r,
+  /var/lib/dpkg/info/*.list r,
   /var/crash/ rw,
   /var/crash/*.@{uid}.crash rw,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 62751564..4f73ff98 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
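Review bot: The new `@{att}/@{run}/systemd/private rw,` rule hands netplan.script the PID 1 private control socket, which carries the same authority as running systemctl as root, yet it sits bare between `capability net_admin,` and the local include with nothing explaining why a D-Bus-mediated path was not enough. Suggest a why-comment above it, `# systemd private control socket: equivalent to unrestricted systemctl as root`, so the next reader does not mistake it for a stray log-driven rule. If netplan's systemctl invocations already go through a child profile (an `rCx -> systemctl` transition), the rule would belong in that child rather than in the parent; the rest of the profile is outside this hunk, so I cannot confirm which applies. The profile body starts before the hunk.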
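Review bot: Replacing the three `ptrace (read) peer=…` rules with a bare `ptrace read,` lets apport, which also holds `capability sys_ptrace,`, read the state (`/proc/<pid>/*`, memory maps, environment) of every process on the system, confined or not, and the commit records no reason for dropping the peer allowlist. A crash handler that receives dumps for arbitrary processes plausibly cannot enumerate peers, so the widening may be justified, but that rationale belongs in the profile: `# Crash reports can come from any process; the ptrace peer cannot be enumerated` above `ptrace read,`. If the trigger was merely a few more denials, `ptrace (read) peer={gnome-shell,snap.cups.cupsd,tracker-extract,…},` keeps the allowlist instead. The profile body continues outside the hunk.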
@@ -83,6 +83,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   @{run}/docker/containerd/{,**} rwk,
   @{run}/netns/ w,
   @{run}/netns/cni-@{uuid} rw,
+  @{run}/nri/ w,
+  @{run}/nri/nri.sock rw,
   @{run}/systemd/notify w,
   /tmp/cri-containerd.apparmor.d@{int} rwl,
@@ -94,12 +96,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   @{sys}/kernel/security/apparmor/profiles r,
   @{sys}/module/apparmor/parameters/enabled r,
+  @{PROC}/@{pid}/task/@{tid}/mountinfo r,
   @{PROC}/@{pid}/task/@{tid}/ns/net rw,
   @{PROC}/sys/net/core/somaxconn r,
-  owner @{PROC}/@{pids}/attr/current r,
-  owner @{PROC}/@{pids}/cgroup r,
-  owner @{PROC}/@{pids}/mountinfo r,
-  owner @{PROC}/@{pids}/uid_map r,
+  owner @{PROC}/@{pid}/attr/current r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/uid_map r,
   /dev/bsg/ r,
   /dev/bus/ r,
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index f73ae670..f8a2af5c 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/chsh
 profile chsh @{exec_path} {
   include
+  include
   include
   include
   include
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 912ab1a8..a8630400 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -29,6 +29,7 @@ profile snap @{exec_path} {
   mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
   #aa:dbus own bus=session name=io.snapcraft.Launcher
+  #aa:dbus own bus=session name=io.snapcraft.SessionAgent
   #aa:dbus own bus=session name=io.snapcraft.Settings
   #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
@@ -45,6 +46,7 @@ profile snap @{exec_path} {
   @{bin}/gpg{,2} rCx -> gpg,
   @{bin}/systemctl rCx -> systemctl,
+  @{lib_dirs}/** mr,
   @{lib_dirs}/snapd/snap-confine rPx,
   @{lib_dirs}/snapd/snap-seccomp rPx,
   @{lib_dirs}/snapd/snapd rPx,
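Review bot: The added `@{PROC}/@{pid}/task/@{tid}/mountinfo r,` carries no `owner` qualifier while the per-process rule a few lines below keeps it (`owner @{PROC}/@{pid}/mountinfo r,`), so the thread-level path grants reads of foreign processes' mount tables that the process-level rule deliberately withholds. Unless the denial that motivated it came from a thread owned by another uid, `owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,` keeps the two consistent; if the non-owner read is required (container init threads owned by a mapped uid, say), a one-line comment stating that would stop the next reviewer from re-adding `owner`. The `@{pids}` → `@{pid}` rename on the four `owner` rules reads as a variable cleanup, but if the two tunables are not aliases in this tree it also narrows those rules and the commit message should say so; I cannot see the tunable definitions from here. The profile body continues outside the hunk.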
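Review bot: `@{lib_dirs}/** mr,` grants mmap-exec on every file under the snapd library directories, not only shared objects, which is far wider than the `*.so*`-style patterns the base abstractions use and is left without a comment. If the purpose is re-exec into the snapd snap's bundled libraries, `@{lib_dirs}/**.so* mr,` plus the loader path covers it with much less surface, and a `# re-exec from the snapd snap` comment would make the intent explicit either way. Note also that the glob matches `@{lib_dirs}/snapd/snap-confine`, `snap-seccomp` and `snapd` on the lines right below it; AppArmor unions permissions, so `m` is quietly added to paths that are meant to be pure `rPx` transitions. I cannot see the `@{lib_dirs}` definition in this hunk, so the exact reach is inferred from the sibling rules.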
@@ -108,6 +110,9 @@ profile snap @{exec_path} {
   network unix stream,
+  owner @{run}/user/@{uid}/systemd/notify rw,
+  owner @{run}/user/@{uid}/systemd/private rw,
+
   include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
index 3021a1ad..345c089e 100644
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -23,11 +23,17 @@ profile snap-update-ns @{exec_path} {
   mount -> /tmp/.snap/**,
   mount -> /usr/**,
   mount -> /var/lib/dhcp/,
+  umount /snap/**,
   umount /var/lib/dhcp/,
+  umount @{lib}/@{multiarch}/webkit2gtk-@{version}/,
+  umount /usr/share/xml/iso-codes/,
   @{exec_path} mr,
+  @{lib}/@{multiarch}/webkit2gtk-@{version}/ w,
+  /usr/share/xml/iso-codes/ w,
+
   /var/lib/snapd/mount/{,*} r,
   / r,
diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor
index e7a3b494..6d873982 100644
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} {
   @{bin}/systemd-detect-virt rPx,
   @{bin}/apparmor_parser rPx,
+  @{lib_dirs}/** mr,
   @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
   @{lib_dirs}/snapd/info r,
diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd
index 56b89fa2..c1e14d01 100644
--- a/apparmor.d/profiles-s-z/uuidd
+++ b/apparmor.d/profiles-s-z/uuidd
@@ -17,6 +17,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
   owner /var/lib/libuuid/clock.txt rwk,
+  @{run}/uuidd/request w,
   @{att}/@{run}/uuidd/request w,
   include if exists
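Review bot: The two new directory write rules, `@{lib}/@{multiarch}/webkit2gtk-@{version}/ w,` and `/usr/share/xml/iso-codes/ w,`, let a root-run helper create and remove entries in host directories under /usr with nothing tying them to the matching `umount` rules added a few lines earlier, so a reader will take them for a bug rather than mount-point preparation. Suggest a comment above the two `w` rules, `# Host directories used as mount points for snap content; created and unmounted by snap-update-ns`, hedged because the mechanism that needs the directory write is not visible in this hunk. `umount /snap/**,` is also broader than any `mount ->` target shown here; if it is meant for tearing down a snap's entire mount namespace, saying so in a comment would keep it from being narrowed later. The profile body continues outside the hunk.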
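Review bot: `@{lib_dirs}/** mr,` gives snapd-apparmor mmap-exec on the entire snapd library tree rather than the shared objects it needs, and the glob also covers `@{lib_dirs}/snapd/apparmor_parser` on the next line, so `m` is unioned onto a path that is meant to transition via `rPx -> apparmor_parser`. `@{lib_dirs}/**.so* mr,` limits the widening to libraries; if the denial came from re-exec into the snapd snap, a short comment stating that would justify whichever form is kept. The `@{lib_dirs}` value is defined outside this hunk, so the exact reach is inferred from the sibling rules.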