From 4a76a696322db61fea2032aa3c262b698fec3cd3 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Sat, 28 May 2022 00:47:21 +0300
Subject: [PATCH] polishing

---
 apparmor.d/groups/bus/dbus-daemon | 12 ++++---
 apparmor.d/groups/systemd/systemd-logind | 30 ++++++++---------
 .../systemd/systemd-tty-ask-password-agent | 5 +++
 apparmor.d/profiles-a-f/agetty | 6 +++-
 apparmor.d/profiles-g-l/login | 32 +++++++++++++++++--
 apparmor.d/profiles-g-l/logrotate | 6 ++--
 6 files changed, 64 insertions(+), 27 deletions(-)

diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index 27afafef..2069e71c 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -38,11 +38,14 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
-  @{libexec}/* rPUx,
-  /{usr/,}lib/ibus/ibus-* rPx,
   /{usr/,}bin/ r,
-  /{usr/,}bin/[a-z0-9]* rPUx,
+  @{libexec}/* rPUx,
+  /{usr/,}lib/ibus/ibus-* rPx,
+  /{usr/,}bin/[a-z0-9]* rPUx,
   /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
+  # Xubuntu
+  /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
+  /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
   /etc/dbus-1/{,**} r,
@@ -71,7 +74,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/dbus-1/services/ rw,
   @{run}/systemd/inhibit/[0-9]*.ref rw,
   @{run}/systemd/sessions/*.ref rw,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
+  @{run}/systemd/userdb/io.systemd.DynamicUser w,
+  @{run}/systemd/userdb/io.systemd.Machine rw,
   @{run}/systemd/users/@{uid} r,
   @{sys}/kernel/security/apparmor/.access rw,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 3eac7118..90850476 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
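Review bot: `tumblerd` is executed with `rPUx`, which falls back to running it completely unconfined whenever no `tumblerd` profile is loaded, and a thumbnailer is exactly the kind of process that parses attacker-controlled file content (images and documents dropped into the user's directories). The neighbouring `ibus-*` and `dbus-daemon-launch-helper` entries in this same hunk already use the strict `rPx` transition, so the safer form here is `/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPx,` together with a dedicated tumblerd profile, or at minimum a comment stating that unconfined fallback is accepted until one exists. The `xfconfd` line carries the same fallback but handles far less untrusted input, so it is the lower-priority of the two.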
@@ -65,12 +65,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{run}/systemd/seats/ rw,
   @{run}/systemd/seats/.#seat* rw,
   @{run}/systemd/seats/seat[0-9]* rw,
-  @{run}/systemd/sessions/ rw,
-  @{run}/systemd/sessions/* r,
-  @{run}/systemd/sessions/.#* rw,
+  @{run}/systemd/sessions/{,*} rw,
   @{run}/systemd/sessions/*.ref rw,
   @{run}/systemd/userdb/ r,
   @{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{run}/systemd/userdb/io.systemd.Machine rw,
   @{run}/systemd/users/ rw,
   @{run}/systemd/users/.#* rw,
   @{run}/systemd/users/@{uid} rw,
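Review bot: The new `@{run}/systemd/sessions/{,*} rw,` already matches every direct child of the sessions directory, `*.ref` files included, so the unchanged `@{run}/systemd/sessions/*.ref rw,` line right below it is now redundant and can be dropped. The replacement also silently widens the former read-only `sessions/* r,` to read-write; that is consistent with logind owning those files, but since the old split (`.#*` temp files writable, final names readable) looked deliberate, a why-comment such as `# session files are written as .#tmp and renamed into place` would make the `w` on the final names self-explanatory.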
@@ -111,31 +110,28 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { # DBus # all members for login-related, specific for others dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), dbus (send, receive) bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), dbus (send, receive) - bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.Manager" peer=(name="{org.freedesktop.DBus,:*}"), + bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), dbus (send, receive) - bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.login1.Session" peer=(name="{org.freedesktop.DBus,:*}"), + bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.*" peer=(name="{org.freedesktop.DBus,:*}"), dbus receive - bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), + bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), - dbus (send, receive) - bus="system" path="/org/freedesktop/login1/*" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + dbus receive + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), dbus send - bus="system" path="/org/freedesktop/systemd1" 
interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), dbus receive - bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), - - dbus receive - bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), + bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), dbus send bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), 
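Review bot: The re-indented receive rule for `org.freedesktop.systemd1.Manager` still carries `member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}"`, and the duplicated `UnitRemoved` is very likely a typo for `UnitNew` (the Manager's signals are UnitNew/UnitRemoved/JobNew/JobRemoved/Reloading); since the line is on the new side of this hunk, fixing it to `member="{UnitNew,UnitRemoved,JobRemoved,Reloading}"` belongs here. Separately, the added `path="/org/freedesktop/login1/**" interface="org.freedesktop.DBus.Properties"` rule is fully covered by the unchanged `path="/org/freedesktop/login1{,/**}"` Properties rule directly above it, so it duplicates rather than extends the policy. Collapsing the Manager and Session rules into `interface="org.freedesktop.login1.*"` is reasonable for the service that implements those interfaces, but with the profile still in complain mode the wildcard hides which members were actually observed, so a comment listing them would help a later switch to enforce. The enclosing profile block starts and ends outside this hunk.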
@@ -144,13 +140,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
        bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
   dbus send
-       bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"),
+       bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"),
   dbus send
-       bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
+       bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
   dbus receive
-       bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
+       bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
   dbus send
        bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"),
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index cc7a27e6..58bebab9 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -11,6 +11,8 @@ profile systemd-tty-ask-password-agent @{exec_path} {
   include
   include
+# capability net_admin,
+
   signal (receive) set=(term cont) peer=logrotate,
   @{exec_path} mr,
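Review bot: The added `# capability net_admin,` is a commented-out rule with no note on where the denial was seen or why it is left disabled, and it sits at column 0 unlike every other rule in the profile. A reader cannot tell whether it is a pending allow, a deliberate deny, or noise copied from an audit log; either give it a reason, e.g. `# capability net_admin, # logged in audit but not needed by the agent: keep denied`, indented with the other rules, or drop the line. The `login` profile in this same commit repeats the pattern.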
@@ -19,6 +21,9 @@ profile systemd-tty-ask-password-agent @{exec_path} {
   @{run}/systemd/ask-password/ r,
   @{PROC}/@{pids}/stat r,
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/cmdline r,
+  @{PROC}/1/environ r,
   include if exists
 }
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index 969fadb1..8f615b7d 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -21,7 +21,11 @@ profile agetty @{exec_path} {
   /{usr/,}bin/login rPx,
-  /etc/issue r,
+  /{etc,run,lib,usr/lib}/issue r,
+  /{etc,run,lib,usr/lib}/issue.d/{,*} r,
+  /{,usr/}lib/os-release r,
+  /etc/inittab r,
+  /etc/os-release r,
   owner @{run}/agetty.reload rw,
   @{run}/resolvconf/resolv.conf r,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index 36bae0f8..83e984ce 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
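Review bot: `@{PROC}/1/environ r,` grants read access to PID 1's environment, which can carry secrets handed to the service manager, and nothing in the hunk says why a password agent needs it. This is presumably systemd's container/virtualization detection (it looks for `container=` in PID 1's environment alongside `/proc/cmdline` and `kernel/osrelease`), so the three new lines deserve a why-comment such as `# detect_virtualization(): cmdline, osrelease, PID 1 environ` — confirm against the denials that motivated them. Of the three, only the environ line exposes sensitive data, so keep it as narrow as it is (single path, no glob) and do not let it drift into an `@{PROC}/@{pids}/environ` pattern later.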
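Review bot: `/{,usr/}lib/os-release r,` uses the `{,usr/}` alternation while every other new rule in this agetty hunk, and the existing `/{usr/,}bin/login rPx,` above it, writes the prefix as `/{usr/,}`; the two forms are equivalent but mixing them makes the profile harder to grep and review. Use `/{usr/,}lib/os-release r,` for consistency.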
@@ -18,20 +18,46 @@ profile login @{exec_path} {
   capability fsetid,
   capability setgid,
   capability setuid,
+  capability sys_resource,
+  capability audit_write,
+  capability dac_read_search,
+# capability net_admin,
+
+# network netlink raw,
+
   @{exec_path} mr,
   /{usr/,}bin/{,z,ba,da}sh rUx,
   /etc/environment r,
+  /etc/motd r,
+  /etc/legal r,
+  /etc/default/locale r,
+  /etc/security/pam_env.conf r,
+  /etc/security/group.conf r,
+  /etc/security/limits.conf r,
+  /etc/security/limits.d/{,*} r,
   /var/log/btmp{,.[0-9]*} r,
   @{run}/faillock/root rwk,
   @{run}/systemd/userdb/ r,
+  @{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{run}/dbus/system_bus_socket rw,
+  @{run}/motd.dynamic{,.new} rw,
+  @{run}/systemd/sessions/*.ref rw,
-  @{PROC}/@{pid}/loginuid rw,
-  @{PROC}/@{pid}/uid_map r,
+  owner @{PROC}/@{pid}/uid_map r,
+  owner @{PROC}/@{pid}/loginuid rw,
+  @{PROC}/1/limits r,
+
+  owner @{user_cache_dirs}/motd.legal-displayed rw,
+
+  dbus send
+       bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"),
+
+  dbus send
+       bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"),
   include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index d4a880c5..f2fb65f4 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -31,6 +31,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
   /{usr/,}bin/{,ba,da}sh rix,
   /{usr/,}bin/cat rix,
+  /{usr/,}bin/grep rix,
   /{usr/,}bin/kill rix,
   /{usr/,}bin/ls rix,
   /{usr/,}bin/gzip rix,
@@ -39,6 +40,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
   /{usr/,}lib/rsyslog/rsyslog-rotate rix,
   /{usr/,}bin/fail2ban-client rPx,
   /{usr/,}bin/systemd-tty-ask-password-agent rPx,
+  /{usr/,}bin/my_print_defaults rPUx,
   # no new privs
   #/{usr/,}bin/systemctl rCx -> systemctl,
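Review bot: The new `dbus send ... path="/org/freedesktop/login1" interface="org.freedesktop.login1.*"` rule carries no `member=` restriction, so a confined `login` (running as root, where polkit will not stop it) may call any Manager method at that path — PowerOff, Reboot, KillSession, TerminateUser, SetWallMessage — while, as far as I can tell, pam_systemd only needs session creation and release. Pin it to `interface="org.freedesktop.login1.Manager" member="{CreateSession,ReleaseSession}"` and add further members only as the audit log shows them, the way the `Hello` rule above it is already scoped. Relatedly, `capability audit_write,` is granted while `# network netlink raw,` stays commented out; libaudit delivers its records over a raw `NETLINK_AUDIT` socket, so if the capability is there for pam_loginuid/audit messaging the socket rule is needed as well, and if it is not, the capability is surplus — a one-line comment naming the observed denial would settle which. Both commented-out rules (`net_admin`, `netlink raw`) sit at column 0 with no rationale and should get one or go.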
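Review bot: `/{usr/,}bin/my_print_defaults rPUx,` executes the MariaDB/MySQL option dumper with unconfined fallback from a logrotate profile that is itself still in complain mode; my_print_defaults reads the my.cnf hierarchy, which may hold database credentials, and with no `my_print_defaults` profile loaded it runs with no AppArmor restriction at all. It is a small read-only helper, so `rix` (inherit logrotate's profile) or `rPx` plus a minimal profile would keep it confined, matching the `rPx` used for `fail2ban-client` and `systemd-tty-ask-password-agent` two lines above. If `rPUx` is deliberate, add a comment saying which rotate snippet invokes it (presumably the mysql/mariadb logrotate script) and why unconfined is acceptable.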
@@ -65,8 +67,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
   /var/lib/logrotate.status rwk,
   /var/lib/logrotate.status.tmp rw,
-  /var/log/ r,
-  /var/log/** rw,
+  /var/log{,.hdd}/ r,
+  /var/log{,.hdd}/** rw,
   # Needed to remove the following error:
   # logrotate[]: error: could not change directory to '.'
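Review bot: `/var/log{,.hdd}/` and `/var/log{,.hdd}/** rw,` extend logrotate's read-write reach to a second directory tree without saying what it is; `/var/log.hdd` is presumably the on-disk copy kept by log2ram when `/var/log` is a tmpfs, but nothing in the profile states that. Add `# log2ram: /var/log is a tmpfs, the persistent copy lives in /var/log.hdd` above the two lines so the extra `rw` tree is not mistaken for a typo or quietly widened later.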