mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-12-26 15:06:45 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): update some core profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-11-12 20:42:31 +00:00
parent cf2998b7bd
commit 4108d6a987
Failed to generate hash of commit
11 changed files with 33 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/freedesktop/polkitd
View file

@ -53,6 +53,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
/var/lib/polkit{,-1}/localauthority/{,**} r, /var/lib/polkit{,-1}/localauthority/{,**} r,
owner /var/lib/polkit{,-1}/.cache/ rw, owner /var/lib/polkit{,-1}/.cache/ rw,
@{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
@{run}/systemd/sessions/* r, @{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,

2
apparmor.d/groups/freedesktop/upower
View file

@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} = @{bin}/upower @{exec_path} = @{bin}/upower
profile upower @{exec_path} { profile upower @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/consoles>
# Needed? # Needed?
audit capability sys_nice, audit capability sys_nice,

1
apparmor.d/groups/freedesktop/xdg-permission-store
View file

@ -43,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/ rw,
owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
owner @{user_share_dirs}/flatpak/db/background rw, owner @{user_share_dirs}/flatpak/db/background rw,
owner @{user_share_dirs}/flatpak/db/desktop-used-apps r,
owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/devices rw,
owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/documents rw,
owner @{user_share_dirs}/flatpak/db/notifications rw, owner @{user_share_dirs}/flatpak/db/notifications rw,

2
apparmor.d/groups/network/netplan.script
View file

@ -49,6 +49,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
@{att}/@{run}/systemd/private rw,
include if exists <local/netplan.script_systemctl> include if exists <local/netplan.script_systemctl>
} }

8
apparmor.d/groups/ubuntu/apport
View file

@ -22,9 +22,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
capability setuid, capability setuid,
capability sys_ptrace, capability sys_ptrace,
ptrace (read) peer=gnome-shell, ptrace read,
ptrace (read) peer=snap.cups.cupsd,
ptrace (read) peer=tracker-extract,
@{exec_path} mr, @{exec_path} mr,
@ -36,6 +34,10 @@ profile apport @{exec_path} flags=(attach_disconnected) {
/usr/share/apport/{,**} r, /usr/share/apport/{,**} r,
/etc/apport/report-ignore/{,**} r, /etc/apport/report-ignore/{,**} r,
/etc/login.defs r,
/var/lib/dpkg/info/ r,
/var/lib/dpkg/info/*.list r,
/var/crash/ rw, /var/crash/ rw,
/var/crash/*.@{uid}.crash rw, /var/crash/*.@{uid}.crash rw,

11
apparmor.d/groups/virt/containerd
View file

@ -83,6 +83,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
@{run}/docker/containerd/{,**} rwk, @{run}/docker/containerd/{,**} rwk,
@{run}/netns/ w, @{run}/netns/ w,
@{run}/netns/cni-@{uuid} rw, @{run}/netns/cni-@{uuid} rw,
@{run}/nri/ w,
@{run}/nri/nri.sock rw,
@{run}/systemd/notify w, @{run}/systemd/notify w,
/tmp/cri-containerd.apparmor.d@{int} rwl, /tmp/cri-containerd.apparmor.d@{int} rwl,
@ -94,12 +96,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
@{sys}/kernel/security/apparmor/profiles r, @{sys}/kernel/security/apparmor/profiles r,
@{sys}/module/apparmor/parameters/enabled r, @{sys}/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/task/@{tid}/mountinfo r,
@{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/@{pid}/task/@{tid}/ns/net rw,
@{PROC}/sys/net/core/somaxconn r, @{PROC}/sys/net/core/somaxconn r,
owner @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pid}/attr/current r,
owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pids}/uid_map r, owner @{PROC}/@{pid}/uid_map r,
/dev/bsg/ r, /dev/bsg/ r,
/dev/bus/ r, /dev/bus/ r,

1
apparmor.d/profiles-a-f/chsh
View file

@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/chsh @{exec_path} = @{bin}/chsh
profile chsh @{exec_path} { profile chsh @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wutmp> include <abstractions/wutmp>

5
apparmor.d/profiles-s-z/snap
View file

@ -29,6 +29,7 @@ profile snap @{exec_path} {
mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
#aa:dbus own bus=session name=io.snapcraft.Launcher #aa:dbus own bus=session name=io.snapcraft.Launcher
#aa:dbus own bus=session name=io.snapcraft.SessionAgent
#aa:dbus own bus=session name=io.snapcraft.Settings #aa:dbus own bus=session name=io.snapcraft.Settings
#aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
@ -45,6 +46,7 @@ profile snap @{exec_path} {
@{bin}/gpg{,2} rCx -> gpg, @{bin}/gpg{,2} rCx -> gpg,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{lib_dirs}/** mr,
@{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-confine rPx,
@{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snap-seccomp rPx,
@{lib_dirs}/snapd/snapd rPx, @{lib_dirs}/snapd/snapd rPx,
@ -108,6 +110,9 @@ profile snap @{exec_path} {
network unix stream, network unix stream,
owner @{run}/user/@{uid}/systemd/notify rw,
owner @{run}/user/@{uid}/systemd/private rw,
include if exists <local/snap_systemctl> include if exists <local/snap_systemctl>
} }

6
apparmor.d/profiles-s-z/snap-update-ns
View file

@ -23,11 +23,17 @@ profile snap-update-ns @{exec_path} {
mount -> /tmp/.snap/**, mount -> /tmp/.snap/**,
mount -> /usr/**, mount -> /usr/**,
mount -> /var/lib/dhcp/, mount -> /var/lib/dhcp/,
umount /snap/**, umount /snap/**,
umount /var/lib/dhcp/, umount /var/lib/dhcp/,
umount @{lib}/@{multiarch}/webkit2gtk-@{version}/,
umount /usr/share/xml/iso-codes/,
@{exec_path} mr, @{exec_path} mr,
@{lib}/@{multiarch}/webkit2gtk-@{version}/ w,
/usr/share/xml/iso-codes/ w,
/var/lib/snapd/mount/{,*} r, /var/lib/snapd/mount/{,*} r,
/ r, / r,

1
apparmor.d/profiles-s-z/snapd-apparmor
View file

@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} {
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/apparmor_parser rPx, @{bin}/apparmor_parser rPx,
@{lib_dirs}/** mr,
@{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
@{lib_dirs}/snapd/info r, @{lib_dirs}/snapd/info r,

1
apparmor.d/profiles-s-z/uuidd
View file

@ -17,6 +17,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
owner /var/lib/libuuid/clock.txt rwk, owner /var/lib/libuuid/clock.txt rwk,
@{run}/uuidd/request w,
@{att}/@{run}/uuidd/request w, @{att}/@{run}/uuidd/request w,
include if exists <local/uuidd> include if exists <local/uuidd>