From 5c1a1f6f8ee984ee52cc48d9ceb80d83830d1032 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Fri, 24 Dec 2021 00:00:41 +0000 Subject: [PATCH 1/5] Update acpid --- apparmor.d/profiles-a-f/acpid | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index dfb18ca5..e935d98c 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/acpid +@{exec_path} = /{usr/,}{,s}bin/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include @@ -22,15 +22,34 @@ profile acpid @{exec_path} flags=(attach_disconnected) { /etc/acpi/{,**} r, /etc/acpi/handler.sh rix, + /etc/acpi/powerbtn-acpi-support.sh rix, /dev/input/{,**} r, /dev/tty rw, - /dev/null r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, - @{run}/acpid.socket rw, + owner @{run}/acpid.socket rw, + owner @{run}/acpid.pid rw, + + /usr/share/acpi-support/** r, + + # powerbtn-acpi-support.sh + /{usr/,}bin/sed rix, + + /{usr/,}bin/ps rPx, + + /{usr/,}bin/fgconsole rCx, + profile fgconsole /usr/bin/fgconsole { + /{usr/,}bin/fgconsole r, + include + + capability sys_tty_config, + + /dev/tty rw, + owner /dev/tty[0-9]* rw, + } include if exists } From 80bd1028c52f7013fc6a77ec0f5180068033fd7c Mon Sep 17 00:00:00 2001 From: nobodysu Date: Mon, 10 Jan 2022 21:29:53 +0000 Subject: [PATCH 2/5] Update acpid Another case. Tested on Debian 11 and Ubuntu LTS. --- apparmor.d/profiles-a-f/acpid | 42 ++++++++++++++++++++++++++++++----- 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index e935d98c..85ce02b6 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid 
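Review bot: The child profile in the second hunk is declared as `profile fgconsole /usr/bin/fgconsole {` and so attaches only to `/usr/bin/fgconsole`, while the exec rule that enters it is `/{usr/,}bin/fgconsole rCx,`, which also matches `/bin/fgconsole` on hosts without merged /usr; as I read the parser, a `Cx` rule with no explicit target is resolved against the child's attachment, so that second path would have no child to land in and the exec would be refused. Naming the target removes the ambiguity: `/{usr/,}bin/fgconsole rCx -> fgconsole,` together with `profile fgconsole {` (no attachment), which also keeps the rule and the child in step if the path alternation changes again later, as it does in the third patch of this series. The `/{usr/,}bin/ps rPx,` line next to it assumes a standalone `ps` profile is loaded on the host; if it is not, that exec fails rather than falling back, which is worth a comment since this is a power-button handler.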
@@ -22,7 +22,6 @@ profile acpid @{exec_path} flags=(attach_disconnected) { /etc/acpi/{,**} r, /etc/acpi/handler.sh rix, - /etc/acpi/powerbtn-acpi-support.sh rix, /dev/input/{,**} r, /dev/tty rw, @@ -33,12 +32,43 @@ profile acpid @{exec_path} flags=(attach_disconnected) { owner @{run}/acpid.socket rw, owner @{run}/acpid.pid rw, + /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh, + + include if exists +} + +profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { + /etc/acpi/powerbtn-acpi-support.sh r, + include + include + + capability sys_ptrace, + deny capability net_admin, # ?? + + ptrace (read), # unconfined, tighten later, TODO + + deny / r, + + @{PROC} r, + @{PROC}/uptime r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + /usr/share/acpi-support/** r, + + /{usr/,}bin/sed rix, + /{usr/,}bin/pgrep rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/pinky rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/dbus-send rix, + /{usr/,}bin/systemctl rix, + /{usr/,}sbin/killall5 rix, + /{usr/,}sbin/shutdown rix, + /etc/acpi/powerbtn.sh rix, - # powerbtn-acpi-support.sh - /{usr/,}bin/sed rix, - - /{usr/,}bin/ps rPx, + /{usr/,}bin/ps rPx, /{usr/,}bin/fgconsole rCx, profile fgconsole /usr/bin/fgconsole { @@ -51,5 +81,5 @@ profile acpid @{exec_path} flags=(attach_disconnected) { owner /dev/tty[0-9]* rw, } - include if exists + include if exists } From 0cb633ecec54c3f8a0822037f27b408401d54c8c Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sat, 15 Jan 2022 23:45:52 +0000 Subject: [PATCH 3/5] Update acpid --- apparmor.d/profiles-a-f/acpid | 42 ++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 85ce02b6..89af52d3 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid 
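Review bot: `ptrace (read),` in the new `acpid//powerbtn-acpi-support.sh` profile carries no `peer=` qualifier, so together with `capability sys_ptrace,` it lets a power-button handler script read the state of every process on the system, far more than `pgrep` and `pinky` should need; the TODO on that line acknowledges this but the rule ships as written. If the denials that motivated it were reads of `/proc/<pid>/stat` and `/proc/<pid>/cmdline` for other processes, the `@{PROC}/@{pid}/stat r,` and `@{PROC}/@{pid}/cmdline r,` rules in the same hunk already cover those without any ptrace permission, so the two ptrace lines are worth removing and re-testing before trying to scope them. The `deny capability net_admin, # ??` line likewise needs a comment naming what triggers it — presumably `systemctl`, which runs `rix` here and whose sd-bus socket setup is a common source of that capability request — e.g. `deny capability net_admin, # systemctl (sd-bus setsockopt), not needed`, so the next reader knows it can go once systemctl leaves this profile.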
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{,s}bin/acpid +@{exec_path} = /{usr/,}{s,}bin/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include @@ -20,25 +20,24 @@ profile acpid @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/logger rix, + /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh, + /etc/acpi/{,**} r, /etc/acpi/handler.sh rix, - /dev/input/{,**} r, - /dev/tty rw, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid r, - owner @{run}/acpid.socket rw, owner @{run}/acpid.pid rw, - /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh, + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/loginuid r, + + /dev/input/{,**} r, + /dev/tty rw, include if exists } profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { - /etc/acpi/powerbtn-acpi-support.sh r, include include @@ -47,16 +46,8 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { ptrace (read), # unconfined, tighten later, TODO - deny / r, + /etc/acpi/powerbtn-acpi-support.sh r, - @{PROC} r, - @{PROC}/uptime r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - - /usr/share/acpi-support/** r, - /{usr/,}bin/sed rix, /{usr/,}bin/pgrep rix, /{usr/,}bin/{,e}grep rix, @@ -72,14 +63,25 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { /{usr/,}bin/fgconsole rCx, profile fgconsole /usr/bin/fgconsole { - /{usr/,}bin/fgconsole r, include capability sys_tty_config, + /{usr/,}bin/fgconsole r, + /dev/tty rw, owner /dev/tty[0-9]* rw, } - include if exists + /usr/share/acpi-support/** r, + + deny / r, + + @{PROC} r, + @{PROC}/uptime r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + + include if exists } From 70d50632bb6b9b6c473126097a349de9ec591627 Mon Sep 17 00:00:00 2001 
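Review bot: `deny / r,` is carried into the last hunk of this patch with no comment, and since an explicit `deny` rule also quiets the audit entry for that access, any future read of `/` by this handler will vanish from the log without a record of which command produced it. A one-line comment such as `deny / r, # <command> lists /, not needed`, with the actual command taken from the denial that prompted the rule, would preserve that; the same goes for the `@{PROC} r,` directory read directly below it. The hunk also places the handler's own `/usr/share/acpi-support/**` and `@{PROC}` rules after the nested `fgconsole` child, whereas the parent `acpid` profile in the second hunk keeps its file rules together above its children; following the same layout here makes it easier to see at a glance what the handler itself is granted versus what the child is.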
From: nobodysu Date: Sun, 16 Jan 2022 22:28:45 +0000 Subject: [PATCH 4/5] Update acpid --- apparmor.d/profiles-a-f/acpid | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 89af52d3..c789bed4 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -50,15 +50,15 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { /{usr/,}bin/sed rix, /{usr/,}bin/pgrep rix, - /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/{e,}grep rix, /{usr/,}bin/pinky rix, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{ba,da,}sh rix, /{usr/,}bin/dbus-send rix, - /{usr/,}bin/systemctl rix, - /{usr/,}sbin/killall5 rix, - /{usr/,}sbin/shutdown rix, + /{usr/,}{s,}bin/killall5 rix, + /{usr/,}{s,}bin/shutdown rix, /etc/acpi/powerbtn.sh rix, + /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/ps rPx, /{usr/,}bin/fgconsole rCx, From ec9a4d3a6c7df3e5a119b2536fe1db136974af90 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 16 Jan 2022 23:31:45 +0000 Subject: [PATCH 5/5] Update acpid --- apparmor.d/profiles-a-f/acpid | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index c789bed4..3b37a15f 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -17,7 +17,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{ba,da,}sh rix, /{usr/,}bin/logger rix, /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh, @@ -39,12 +39,6 @@ profile acpid @{exec_path} flags=(attach_disconnected) { profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { include - include - - capability sys_ptrace, - deny capability net_admin, # ?? - - ptrace (read), # unconfined, tighten later, TODO /etc/acpi/powerbtn-acpi-support.sh r, 
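Review bot: `/{usr/,}{s,}bin/killall5 rix,` keeps killall5 inside the handler profile, and killall5 exists to signal every other process, so with `abi <abi/3.0>` in effect it needs a `signal (send)` rule that this profile does not visibly declare (the include targets are stripped in this rendering, so an abstraction may supply one — worth confirming in the audit log with a real button press). On the systemd hosts the second patch says this was tested on, `shutdown` is a symlink to `systemctl`, and exec rules are matched against the resolved target, so `/{usr/,}{s,}bin/shutdown rix,` will never match there and the exec takes the new `/{usr/,}bin/systemctl rPx -> child-systemctl,` transition instead, which is the safer outcome. If sysvinit hosts are not a target for this profile, the `shutdown` and `killall5` lines could be dropped rather than kept as rules that either never fire or fire without the signal permission they need.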
@@ -68,7 +62,7 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { capability sys_tty_config, /{usr/,}bin/fgconsole r, - + /dev/tty rw, owner /dev/tty[0-9]* rw, } @@ -79,8 +73,6 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { @{PROC} r, @{PROC}/uptime r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/cmdline r, include if exists
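Review bot: `pgrep` still runs `rix` inside `acpid//powerbtn-acpi-support.sh` after the last hunk removes `@{PROC}/@{pids}/stat r,`, and pgrep reads `/proc/<pid>/stat` for every candidate process, so the handler is likely to start logging denials again on a button press unless the include dropped in the second hunk of this patch (on the preceding line, its angle-bracket target lost in this rendering) was the only thing that had made the rule redundant — I cannot tell which abstraction that was from here. The commit message is just "Update acpid" for a change that removes two capabilities, a ptrace rule, an include and two `@{PROC}` reads; a description stating whether those were observed unused under audit or are now covered by another include would let a reviewer judge the removal without reproducing the test. Until that is recorded, keeping `@{PROC}/@{pids}/stat r,` is the conservative choice, since a denial here means the power button silently does nothing.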