From 465a31c638f1fd766c5500f85370a409eb7919f6 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sat, 23 Jul 2022 13:22:56 +0200
Subject: [PATCH] General updates

---
 apparmor.d/groups/apt/unattended-upgrade | 9 +++++
 apparmor.d/groups/freedesktop/pulseaudio | 43 ++++++++++++++++++++++++
 apparmor.d/groups/systemd/systemd-logind | 5 +++
 apparmor.d/profiles-m-r/mount | 3 ++
 apparmor.d/profiles-m-r/newgidmap | 2 ++
 apparmor.d/profiles-m-r/newuidmap | 2 ++
 apparmor.d/profiles-m-r/rngd | 3 +-
 apparmor.d/profiles-s-z/smartd | 4 +++
 apparmor.d/profiles-s-z/thermald | 10 ++++--
 9 files changed, 78 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 1961f712..b3ac117d 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -30,6 +31,14 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 signal (send) peer=apt-methods-http,
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.PackageKit
+ member=StateHasChanged,
+
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect,
+
 dbus send bus=system path=/org/freedesktop/login[0-9]
 interface=org.freedesktop.login[0-9].Manager
 member=Inhibit,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index d3788695..5509e1d1 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
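Review bot: The two added PackageKit rules carry no peer constraint, so the profile may send StateHasChanged and Introspect to any connection that exposes /org/freedesktop/PackageKit on the system bus, not only to the PackageKit daemon. The pulseaudio rules in this same patch pin every rule with `peer=(name=...)`; doing the same here narrows the grant and keeps the set consistent, e.g. end each rule with `peer=(name=org.freedesktop.PackageKit),` and drop the trailing comma from the member line before it. The existing login[0-9] rule just below has the same shape but is not part of this change. The enclosing profile block starts before and ends after the hunk.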
@@ -33,6 +34,20 @@ profile pulseaudio @{exec_path} {
 network bluetooth stream,
 network bluetooth seqpacket,
+ dbus (send)
+ bus=session
+ path=/Client0/EntryGroup[0-9]*
+ interface=org.freedesktop.Avahi.EntryGroup
+ member={GetState,AddService,AddServiceSubtype,Commit}
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus (receive)
+ bus=session
+ path=/Client0/EntryGroup[0-9]*
+ interface=org.freedesktop.Avahi.EntryGroup
+ member={StateChanged}
+ peer=(name=org.freedesktop.Avahi),
+
 dbus (send)
 bus=session
 path=/org/freedesktop/DBus
@@ -83,6 +98,34 @@ profile pulseaudio @{exec_path} {
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
 peer=(name=org.bluez),
+
+ dbus (send)
+ bus=system
+ path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus (send)
+ bus=system
+ path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,EntryGroupNew}
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus (receive)
+ bus=system
+ path=/
+ interface=org.freedesktop.Avahi.Server
+ member={StateChanged}
+ peer=(name=org.freedesktop.Avahi),
+
+ dbus (send)
+ bus=system
+ path=/
+ interface=org.freedesktop.hostname[0-9]*
+ member={Get}
+ peer=(name=/org/freedesktop/hostname1[0-9]*,
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index b114eda3..de48f1c7 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -51,6 +52,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged,
+ dbus receive bus=system path=/
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+
 dbus bind bus=system name=org.freedesktop.login[0-9],
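Review bot: The two Avahi EntryGroup rules are declared on `bus=session`, while every other Avahi rule this patch adds (the -83,6 +98,34 hunk of the same file) targets `bus=system`, which is where avahi-daemon normally owns org.freedesktop.Avahi. If the daemon is only reachable on the system bus, these two rules never match and the denials they were written for remain; check the bus= field of the audit entry that prompted them and, if it says system, change both `bus=session` lines to `bus=system` and group them with the other Avahi rules. The /Client0/ prefix in the path may also be too narrow, since Avahi assigns the client index per connection. The enclosing profile block starts before and ends after the hunk.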
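Review bot: The last rule in the -83,6 +98,34 hunk is syntactically broken: `peer=(name=/org/freedesktop/hostname1[0-9]*,` opens a parenthesis that is never closed, so apparmor_parser rejects the whole pulseaudio profile at load time. The value also looks like an object path rather than a bus name, and Get is a method of org.freedesktop.DBus.Properties rather than of the hostname1 interface, so the rule presumably meant `path=/org/freedesktop/hostname1`, `interface=org.freedesktop.DBus.Properties` and `peer=(name=org.freedesktop.hostname1),` with `member=Get`; confirm the exact fields against the denial that prompted it. The enclosing profile block starts before and ends after the hunk.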
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index 9bb767dc..7432f00a 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -26,6 +27,8 @@ profile mount @{exec_path} flags=(complain) {
 network inet stream,
 network inet6 stream,
+ ptrace (read) peer=k3s,
+
 signal (receive) set=(term, kill),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap
index 2da77d9b..d769bfcc 100644
--- a/apparmor.d/profiles-m-r/newgidmap
+++ b/apparmor.d/profiles-m-r/newgidmap
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,6 +12,7 @@ profile newgidmap @{exec_path} {
 include
 include
+ capability dac_override,
 capability setgid,
 capability sys_admin,
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap
index 88af9bb6..3ec9d09e 100644
--- a/apparmor.d/profiles-m-r/newuidmap
+++ b/apparmor.d/profiles-m-r/newuidmap
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,6 +12,7 @@ profile newuidmap @{exec_path} {
 include
 include
+ capability dac_override,
 capability setuid,
 capability sys_admin,
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 163d2a20..2cd837cd 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
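Review bot: `ptrace (read) peer=k3s,` ties the general-purpose mount profile to one deployment's k3s profile without saying why; a reader cannot tell what mount was reading from a k3s task, nor whether a `k3s` profile exists in this set, since none is part of this patch. Add a comment above the rule naming the denied operation, e.g. `# k3s: <operation from the denial log>` with the placeholder replaced by the actual audit line, or keep the rule in a local override if it is site-specific. The enclosing profile block starts before and ends after the hunk.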
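Review bot: `capability dac_override,` is added to both newgidmap and newuidmap (the -11,6 +12,7 hunk of each file) with no comment; for setuid helpers that already hold setgid/setuid and sys_admin, dac_override lets them bypass mode bits on every path the profile allows, so the reason should be recorded next to the rule. Add a comment above the line in both files, e.g. `# Needed to access <path from the denial log>` with the placeholder filled from the audit entry, so a later reviewer can tell whether the grant is still required. The enclosing profile blocks start before and end after the hunks.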
@@ -1,12 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = /{usr/,}bin/rngd
+@{exec_path} = /{usr/,}{s,}bin/rngd
 profile rngd @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd
index a99796c9..ac1aeb0d 100644
--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -17,6 +18,7 @@ profile smartd @{exec_path} {
 # Unable to register SCSI device /dev/disk/by-id/ata-* at line * of file /etc/smartd.conf
 # Device: /dev/disk/by-id/ata-*, not available
 capability sys_rawio,
+ capability sys_admin, # Needed?
 deny capability net_admin,
@@ -39,5 +41,7 @@ profile smartd @{exec_path} {
 /dev/ r,
 @{PROC}/devices r,
+ /run/systemd/notify rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald
index a4ed8017..5bf27dac 100644
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2015-2020 Mikhail Morfikov
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,9 +10,14 @@ include
 @{exec_path} = /{usr/,}sbin/thermald
 profile thermald @{exec_path} {
 include
+ include
 capability sys_boot,
+ dbus (bind)
+ bus=system
+ name=org.freedesktop.thermald,
+
 @{exec_path} mr,
 owner @{run}/thermald/ rw,
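Review bot: `capability sys_admin, # Needed?` in the smartd -17,6 +18,7 hunk ships the broadest capability available on an open question; the trailing comment records that nobody confirmed the need. Resolve it before merging: run smartd under the profile and look in the audit log for a capability denial naming sys_admin from this profile — if one appears, keep the rule and replace the comment with the operation it covers, in the style of the sys_rawio block just above; otherwise delete the line. The enclosing profile block starts before and ends after the hunk.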
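Review bot: `/run/systemd/notify rw,` in the smartd -39,5 +41,7 hunk hard-codes /run, while the line above it uses the `@{PROC}` tunable and the thermald hunk of this same patch writes `owner @{run}/thermald/ rw,`; write it as `@{run}/systemd/notify rw,` so the profile follows the set's tunable convention. The path is presumably the sd_notify socket used to report readiness to systemd, which would make `rw` the expected mode. The enclosing profile block ends with the `}` in this hunk and starts before it.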
@@ -50,11 +56,11 @@ profile thermald @{exec_path} {
 @{sys}/devices/virtual/powercap/intel-rapl/ r,
 @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/ r,
- @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/* r,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r,
 @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w,
 @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w,
 @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w,
+ @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
 include if exists
 }