mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-15 07:54:17 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

polishing

Browse Source
This commit is contained in:
nobodysu 2022-05-28 00:47:21 +03:00 committed by Alex
parent 9dab6b9794
commit 4a76a69632
6 changed files with 64 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
apparmor.d/groups/bus/dbus-daemon
View File

@ -38,11 +38,14 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{libexec}/* rPUx,
/{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/ r, /{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rPUx, @{libexec}/* rPUx,
/{usr/,}lib/ibus/ibus-* rPx,
/{usr/,}bin/[a-z0-9]* rPUx,
/{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx, /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
# Xubuntu
/{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd rPUx,
/{usr/,}lib/@{multiarch}/tumbler-1/tumblerd rPUx,
/etc/dbus-1/{,**} r, /etc/dbus-1/{,**} r,
@ -71,7 +74,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/dbus-1/services/ rw, owner @{run}/user/@{uid}/dbus-1/services/ rw,
@{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/systemd/inhibit/[0-9]*.ref rw,
@{run}/systemd/sessions/*.ref rw, @{run}/systemd/sessions/*.ref rw,
@{run}/systemd/userdb/io.systemd.DynamicUser w, @{run}/systemd/userdb/io.systemd.DynamicUser w,
@{run}/systemd/userdb/io.systemd.Machine rw,
@{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{uid} r,
@{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/.access rw,

30
apparmor.d/groups/systemd/systemd-logind
View File

@ -65,12 +65,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
@{run}/systemd/seats/ rw, @{run}/systemd/seats/ rw,
@{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/.#seat* rw,
@{run}/systemd/seats/seat[0-9]* rw, @{run}/systemd/seats/seat[0-9]* rw,
@{run}/systemd/sessions/ rw, @{run}/systemd/sessions/{,*} rw,
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/.#* rw,
@{run}/systemd/sessions/*.ref rw, @{run}/systemd/sessions/*.ref rw,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{run}/systemd/userdb/io.systemd.DynamicUser rw,
@{run}/systemd/userdb/io.systemd.Machine rw,
@{run}/systemd/users/ rw, @{run}/systemd/users/ rw,
@{run}/systemd/users/.#* rw, @{run}/systemd/users/.#* rw,
@{run}/systemd/users/@{uid} rw, @{run}/systemd/users/@{uid} rw,
@ -111,31 +110,28 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
# DBus # DBus
# all members for login-related, specific for others # all members for login-related, specific for others
dbus send dbus send
bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"), bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials,RequestName}" peer=(name="org.freedesktop.DBus"),
dbus (send, receive) dbus (send, receive)
bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"),
dbus (send, receive) dbus (send, receive)
bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.Manager" peer=(name="{org.freedesktop.DBus,:*}"), bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"),
dbus (send, receive) dbus (send, receive)
bus="system" path="/org/freedesktop/login1/**" interface="org.freedesktop.login1.Session" peer=(name="{org.freedesktop.DBus,:*}"), bus="system" path="/org/freedesktop/login1{,/**}" interface="org.freedesktop.login1.*" peer=(name="{org.freedesktop.DBus,:*}"),
dbus receive dbus receive
bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"), bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name=":*"),
dbus (send, receive) dbus receive
bus="system" path="/org/freedesktop/login1/*" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
dbus send dbus send
bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"), bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{Subscribe,StartUnit,StartTransientUnit,StopUnit}" peer=(name="org.freedesktop.systemd1"),
dbus receive dbus receive
bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"), bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="{UnitRemoved,UnitRemoved,JobRemoved,Reloading}" peer=(name=":*"),
dbus receive
bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
dbus send dbus send
bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
@ -144,13 +140,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
dbus send dbus send
bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"), bus="system" path="/org/freedesktop/systemd1/unit/**" interface="org.freedesktop.systemd1.Scope" member="Abandon" peer=(name="org.freedesktop.systemd1"),
dbus send dbus send
bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"), bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.freedesktop.systemd1"),
dbus receive dbus receive
bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"), bus="system" path="/org/freedesktop/systemd1/job/**" interface="org.freedesktop.DBus.Properties" member="PropertiesChanged" peer=(name=":*"),
dbus send dbus send
bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"), bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" peer=(name="org.freedesktop.PolicyKit1"),

5
apparmor.d/groups/systemd/systemd-tty-ask-password-agent
View File

@ -11,6 +11,8 @@ profile systemd-tty-ask-password-agent @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
# capability net_admin,
signal (receive) set=(term cont) peer=logrotate, signal (receive) set=(term cont) peer=logrotate,
@{exec_path} mr, @{exec_path} mr,
@ -19,6 +21,9 @@ profile systemd-tty-ask-password-agent @{exec_path} {
@{run}/systemd/ask-password/ r, @{run}/systemd/ask-password/ r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/cmdline r,
@{PROC}/1/environ r,
include if exists <local/systemd-tty-ask-password-agent> include if exists <local/systemd-tty-ask-password-agent>
} }

6
apparmor.d/profiles-a-f/agetty
View File

@ -21,7 +21,11 @@ profile agetty @{exec_path} {
/{usr/,}bin/login rPx, /{usr/,}bin/login rPx,
/etc/issue r, /{etc,run,lib,usr/lib}/issue r,
/{etc,run,lib,usr/lib}/issue.d/{,*} r,
/{,usr/}lib/os-release r,
/etc/inittab r,
/etc/os-release r,
owner @{run}/agetty.reload rw, owner @{run}/agetty.reload rw,
@{run}/resolvconf/resolv.conf r, @{run}/resolvconf/resolv.conf r,

30
apparmor.d/profiles-g-l/login
View File

@ -18,20 +18,46 @@ profile login @{exec_path} {
capability fsetid, capability fsetid,
capability setgid, capability setgid,
capability setuid, capability setuid,
capability sys_resource,
capability audit_write,
capability dac_read_search,
# capability net_admin,
# network netlink raw,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/{,z,ba,da}sh rUx, /{usr/,}bin/{,z,ba,da}sh rUx,
/etc/environment r, /etc/environment r,
/etc/motd r,
/etc/legal r,
/etc/default/locale r,
/etc/security/pam_env.conf r,
/etc/security/group.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/{,*} r,
/var/log/btmp{,.[0-9]*} r, /var/log/btmp{,.[0-9]*} r,
@{run}/faillock/root rwk, @{run}/faillock/root rwk,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
@{run}/systemd/userdb/io.systemd.DynamicUser rw,
@{run}/dbus/system_bus_socket rw,
@{run}/motd.dynamic{,.new} rw,
@{run}/systemd/sessions/*.ref rw,
@{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r,
@{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/loginuid rw,
@{PROC}/1/limits r,
owner @{user_cache_dirs}/motd.legal-displayed rw,
dbus send
bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"),
dbus send
bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"),
include if exists <local/login> include if exists <local/login>
} }

6
apparmor.d/profiles-g-l/logrotate
View File

@ -31,6 +31,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix, /{usr/,}bin/cat rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/kill rix, /{usr/,}bin/kill rix,
/{usr/,}bin/ls rix, /{usr/,}bin/ls rix,
/{usr/,}bin/gzip rix, /{usr/,}bin/gzip rix,
@ -39,6 +40,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
/{usr/,}lib/rsyslog/rsyslog-rotate rix, /{usr/,}lib/rsyslog/rsyslog-rotate rix,
/{usr/,}bin/fail2ban-client rPx, /{usr/,}bin/fail2ban-client rPx,
/{usr/,}bin/systemd-tty-ask-password-agent rPx, /{usr/,}bin/systemd-tty-ask-password-agent rPx,
/{usr/,}bin/my_print_defaults rPUx,
# no new privs # no new privs
#/{usr/,}bin/systemctl rCx -> systemctl, #/{usr/,}bin/systemctl rCx -> systemctl,
@ -65,8 +67,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
/var/lib/logrotate.status rwk, /var/lib/logrotate.status rwk,
/var/lib/logrotate.status.tmp rw, /var/lib/logrotate.status.tmp rw,
/var/log/ r, /var/log{,.hdd}/ r,
/var/log/** rw, /var/log{,.hdd}/** rw,
# Needed to remove the following error: # Needed to remove the following error:
# logrotate[]: error: could not change directory to '.' # logrotate[]: error: could not change directory to '.'