fix(profile): multiple minor fixes.

fix #493 #480
2024-11-14 23:43:56 +01:00 · 2024-09-17 12:55:08 +01:00 · 2024-09-17 12:55:08 +01:00 · 516a1fd36d
commit 516a1fd36d
parent 7858cae330
9 changed files with 24 additions and 2 deletions
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@ -37,6 +37,8 @@ profile child-pager {
  owner @{user_state_dirs}/ r,
  owner @{user_state_dirs}/lesshs* rw,

+  /dev/tty@{int} rw,
+
  include if exists <local/child-pager>
 }

--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@ -30,7 +30,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
  /etc/pacman.conf r,
  /etc/pacman.d/*-mirrorlist r,
  /etc/pacman.d/gnupg/ rw,
-  /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**,
+  /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,
  /etc/pacman.d/mirrorlist r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/systemd/systemd-generator-user-environment
+++ b/apparmor.d/groups/systemd/systemd-generator-user-environment
@ -12,6 +12,8 @@ profile systemd-generator-user-environment @{exec_path} {
  include <abstractions/common/systemd>
  include <abstractions/nameservice-strict>

+  capability net_admin,
+
  @{exec_path} mr,

  @{sh_path}         rix,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/+acpi:*      r,
  @{run}/udev/data/+bluetooth:* r,
  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+  @{run}/udev/data/+ieee80211:* r,
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+mdio_bus:* r,
  @{run}/udev/data/+pci:*       r,
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@ -31,6 +31,7 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
  owner @{run}/auditd.pid rwl,
  owner @{run}/auditd.state rw,

+        @{PROC}/@{pid}/ r,
  owner @{PROC}/@{pid}/attr/current r,
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -54,13 +54,15 @@ profile login @{exec_path} flags=(attach_disconnected) {
  /etc/security/pam_env.conf r,
  /etc/shells r,

+  /var/lib/faillock/@{user} rwk,
  /var/log/btmp{,.@{int}} r,

  owner @{user_cache_dirs}/motd.legal-displayed rw,

-  @{run}/motd.d/{,*} r,
+  @{run}/credentials/getty@tty@{int}.service/ r,
  @{run}/dbus/system_bus_socket rw,
  @{run}/faillock/@{user} rwk,
+  @{run}/motd.d/{,*} r,
  @{run}/motd.dynamic{,.new} rw,
  @{run}/systemd/sessions/*.ref rw,

--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@ -20,6 +20,8 @@ profile nft @{exec_path} {

  @{exec_path} mr,

+  /usr/share/iproute2/{,**} r,
+
  /etc/iproute2/** r,
  /etc/nftables.conf r,
  /etc/nftables/{,**} r,
--- a/apparmor.d/profiles-m-r/pidof
+++ b/apparmor.d/profiles-m-r/pidof
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/pidof
 profile pidof @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability sys_ptrace,

--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@ -22,6 +22,7 @@ profile resolvconf @{exec_path} {
  @{bin}/rm          rix,
  @{bin}/run-parts   rix,
  @{bin}/sed         rix,
+  @{bin}/systemctl   rCx -> systemctl,
  @{lib}/resolvconf/list-records rix,

  /usr/lib/resolvconf/{,**} r,
@ -35,6 +36,16 @@ profile resolvconf @{exec_path} {

  /dev/tty rw,

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    include if exists <local/resolvconf_systemctl>
+  }
+  
  include if exists <local/resolvconf>
 }