feat(profile): ubuntu: improve integration with ubuntu.

2024-11-14 23:43:56 +01:00 · 2024-09-26 20:34:12 +01:00 · 2024-09-26 20:34:12 +01:00 · 549c6ba2f5
commit 549c6ba2f5
parent 3f13aa77bf
18 changed files with 44 additions and 62 deletions
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@ -59,7 +59,7 @@ profile apt-systemd-daily @{exec_path} {
  /var/backups/ r,
  /var/backups/apt.extended_states rw,
  /var/backups/apt.extended_states.@{int} rw,
-  /var/backups/apt.extended_states.@{int}.gz w,
+  /var/backups/apt.extended_states.@{int}.gz rw,

  /var/cache/apt/ r,
  /var/cache/apt/archives/ r,
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -24,6 +24,7 @@ profile dpkg-preconfigure @{exec_path} {
  @{bin}/{,g,m}awk  rix,
  @{bin}/cat        rix,
  @{bin}/dialog     rix,
+  @{bin}/expr       rix,
  @{bin}/locale     rix,
  @{bin}/sed        rix,
  @{bin}/sort       rix,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -17,14 +17,15 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>

-  unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
-
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

+  # unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
+  unix (send receive connect) type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}),
+
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@ -10,6 +10,8 @@ include <tunables/global>
 profile grub-sort-version @{exec_path} {
  include <abstractions/base>
  include <abstractions/common/apt>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
  include <abstractions/python>

  capability dac_read_search,
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@ -14,17 +14,10 @@ profile livepatch-notification @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/wayland>
+  include <abstractions/desktop>

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
-  /usr/share/X11/{,**} r,
-
-  @{run}/user/@{uid}/gdm/Xauthority r,
-
  include if exists <local/livepatch-notification>
 }

--- a/apparmor.d/groups/ubuntu/pro
+++ b/apparmor.d/groups/ubuntu/pro
@ -1,20 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/pro
-profile pro @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/common/apt>
-  include <abstractions/python>
-
-  @{exec_path} mr,
-
-  include if exists <local/pro>
-}
-
-# vim:syntax=apparmor
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} {
  /usr/share/distro-info/*.csv r,
  /usr/share/xml/iso-codes/{,**} r,

-  owner @{tmp}/???????? rw,  # unconventional '_' tail
-  owner @{tmp}/tmp????????/ w, # change to 'c'
-  owner @{tmp}/tmp????????/apt.conf w,
+  owner @{tmp}/@{word8} rw,
+  owner @{tmp}/tmp@{word8}/ w, # change to 'c'
+  owner @{tmp}/tmp@{word8}/apt.conf w,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@ -14,15 +14,10 @@ profile ubuntu-advantage-notification @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/wayland>
+  include <abstractions/desktop>

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
-
  include if exists <local/ubuntu-advantage-notification>
 }

--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -9,7 +9,6 @@ include <tunables/global>
@{exec_path} = @{bin}/update-manager
 profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/common/apt>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
@ -20,6 +19,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/common/apt>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -72,8 +72,15 @@ profile update-notifier @{exec_path} {
    include <abstractions/base>
    include <abstractions/app/pkexec>

+    capability sys_ptrace,
+
+    ptrace read peer=update-notifier,
+
    @{lib}/update-notifier/package-system-locked Px,

+    @{PROC}/@{pid}/fdinfo/@{int} r,
+    @{PROC}/@{pid}/stat r,
+
    include if exists <local/update-notifier_pkexec>
  }

--- a/apparmor.d/profiles-a-f/fstrim
+++ b/apparmor.d/profiles-a-f/fstrim
@ -23,6 +23,7 @@ profile fstrim @{exec_path} {
  @{MOUNTS}/ r,
  / r,
  /boot/ r,
+  /boot/efi/ r,
  /var/ r,

  include if exists <local/fstrim>
--- a/apparmor.d/profiles-g-l/gtk-query-immodules
+++ b/apparmor.d/profiles-g-l/gtk-query-immodules
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0
 profile gtk-query-immodules @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability dac_override,
  capability dac_read_search,
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -50,19 +50,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
  @{bin}/squid                             rPUx,

  @{bin}/pgrep rCx -> pgrep,
-
-  # no new privs
-  #@{bin}/systemctl              rCx -> systemctl,
-  @{bin}/systemctl rix,
-  @{bin}/runlevel rix,
-  include <abstractions/wutmp>
-  ptrace (read),
-  capability sys_ptrace,
-  owner @{PROC}/@{pid}/stat r,
-        @{PROC}/1/environ r,
-        @{PROC}/1/sched r,
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/osrelease r,
+  @{bin}/systemctl rCx -> systemctl,

  /etc/ r,
  @{etc_ro}/logrotate.conf rk,
@ -92,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
    capability net_admin,
    capability sys_ptrace,

+    @{run}/utmp rk,
+
    include if exists <local/logrotate_systemctl>
  }

--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -81,18 +81,22 @@ profile mkinitramfs @{exec_path} {
  /etc/modprobe.d/{,*.conf} r,

        /boot/ r,
-  owner /boot/initrd.img-*.new rw,
  owner /boot/config-* r,
+  owner /boot/initrd.img-*.new rw,

        /var/tmp/ r,
+        /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
  owner /var/tmp/mkinitramfs_*/ rw,
  owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**,
-        /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
  owner /var/tmp/mkinitramfs-* rw,

-  owner @{PROC}/@{pid}/fd/ r,
+  @{sys}/devices/platform/ r,
+  @{sys}/devices/platform/reg-dummy/{,**}/ r,
+  @{sys}/module/compression r,
+
        @{PROC}/cmdline r,
        @{PROC}/modules r,
+  owner @{PROC}/@{pid}/fd/ r,

  profile ldd {
    include <abstractions/base>
--- a/apparmor.d/profiles-s-z/setvtrgb
+++ b/apparmor.d/profiles-s-z/setvtrgb
@ -15,6 +15,8 @@ profile setvtrgb @{exec_path} {

  @{exec_path} mr,

+  /etc/console-setup/vtrgb r,
+
  /dev/tty@{int} rw,

  include if exists <local/setvtrgb>
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -104,7 +104,10 @@ profile snap @{exec_path} {
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
-  
+    include <abstractions/bus/org.freedesktop.systemd1>
+
+    network unix stream,
+
    include if exists <local/snap_systemctl>
  }

--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@ -18,6 +18,8 @@ profile snap-seccomp @{exec_path} {

  @{exec_path} mr,

+  @{lib_dirs}/**.so* mr,
+
  /var/lib/snapd/seccomp/bpf/{,**} rw,

  owner @{PROC}/@{pids}/mountinfo r,
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@ -37,10 +37,10 @@ profile ufw @{exec_path} {

    owner @{run}/ufw.lock rwk,

-    owner /var/tmp/???????? rw,
-    owner /var/tmp/tmp???????? rw,
-    owner @{tmp}/???????? rw,
-    owner @{tmp}/tmp???????? rw,
+    owner @{tmp}/@{word8} rw,
+    owner @{tmp}/tmp@{word8} rw,
+    owner /var/tmp/@{word8} rw,
+    owner /var/tmp/tmp@{word8} rw,

    @{PROC}/@{pid}/fd/ r,
    @{PROC}/@{pid}/net/ip_tables_names r,