From 558cb68f23042c4dc338be3323fcac39d2bb8fee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 7 Mar 2023 17:57:57 +0000 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/abstractions/apt-common | 1 + apparmor.d/groups/apt/command-not-found | 2 + apparmor.d/groups/network/networkd-dispatcher | 2 +- apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/systemd/systemd-networkd | 11 +- apparmor.d/groups/systemd/systemd-remount-fs | 11 ++ apparmor.d/groups/systemd/systemd-sysctl | 1 + apparmor.d/groups/systemd/systemd-sysusers | 4 + apparmor.d/groups/ubuntu/release-upgrade-motd | 2 + .../groups/ubuntu/update-motd-fsck-at-reboot | 4 + .../ubuntu/update-motd-updates-available | 1 + apparmor.d/profiles-a-f/aa-log | 2 + apparmor.d/profiles-a-f/dumpe2fs | 2 + apparmor.d/profiles-a-f/e2fsck | 1 + apparmor.d/profiles-a-f/fail2ban-server | 10 +- apparmor.d/profiles-g-l/gparted | 9 +- apparmor.d/profiles-g-l/gpartedbin | 186 +++++------------- apparmor.d/profiles-g-l/ip | 2 + apparmor.d/profiles-g-l/login | 4 +- apparmor.d/profiles-g-l/lsblk | 4 + apparmor.d/profiles-g-l/lvm | 5 +- apparmor.d/profiles-m-r/nologin | 4 + apparmor.d/profiles-m-r/pkttyagent | 5 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-m-r/run-parts | 4 +- apparmor.d/profiles-s-z/snap | 19 ++ apparmor.d/profiles-s-z/snapd | 6 + 27 files changed, 155 insertions(+), 150 deletions(-) diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common index f12ce738..3207391d 100644 --- a/apparmor.d/abstractions/apt-common +++ b/apparmor.d/abstractions/apt-common @@ -24,6 +24,7 @@ /usr/share/dpkg/tupletable r, /var/lib/dpkg/status r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, owner /tmp/clearsigned.message.* rw, owner /tmp/#[0-9]*[0-9] rw, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 27a870fd..8994edbc 100644 --- a/apparmor.d/groups/apt/command-not-found 
+++ b/apparmor.d/groups/apt/command-not-found @@ -29,6 +29,8 @@ profile command-not-found @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + /dev/tty[0-9]* rw, + # Silencer deny /usr/lib/ r, diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 0511d290..3f03b7d4 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -14,7 +14,7 @@ profile networkd-dispatcher @{exec_path} { include include - dbus receive bus=system path=/org/freedesktop/network1/link/* + dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=:*), diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index a111edf8..40682e31 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -51,6 +51,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/c4:[0-9]* r, # For TTY devices @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters + @{run}/udev/data/c29:[0-9]* r, # For CD-ROM @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254 @{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/c25[0-4]:[0-9]* r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 962cc18f..cf5f74da 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -30,7 +30,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { member=RequestName peer=(name=org.freedesktop.DBus), - dbus send bus=system path=/org/freedesktop/hostname[0-9] + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname peer=(name=org.freedesktop.hostname1), 
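Review bot: The new `/dev/tty[0-9]* rw,` in command-not-found carries no `owner` qualifier, while the same inherited-tty rule elsewhere in this tree is written `owner /dev/tty[0-9]* rw,` under a `# file_inherit` comment (see the gparted hunk later in this patch). Without `owner` the profile may open any console, not only the one it inherited, which is wider than a file_inherit silencer needs. The same unqualified rule is added in this patch to release-upgrade-motd, update-motd-fsck-at-reboot, aa-log, dumpe2fs, ip and run-parts. Suggest `# file_inherit` followed by `owner /dev/tty[0-9]* rw,` in each, or a one-line comment explaining why `owner` has to be omitted (for example the process running under a different uid than the tty's owner).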
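Review bot: The comment on the added rule `@{run}/udev/data/c29:[0-9]* r, # For CD-ROM` does not match the device number: character major 29 is the frame buffer (`/dev/fb*`) in the kernel's device list, whereas CD-ROM drives are block devices (SCSI CD-ROM is block major 11, so their udev data files are `b11:*`). If the denial that motivated this came from a framebuffer node the comment should read `# For framebuffer devices`; if it really was a CD-ROM, the rule itself probably needs to be `b11:[0-9]*` rather than `c29:*`. Worth checking the original audit line before merging.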
@@ -39,7 +39,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { interface=org.freedesktop.DBus.Properties member=Get, - dbus send bus=system path=/org/freedesktop/network[0-9]/link/* + dbus send bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=org.freedesktop.DBus), @@ -63,10 +63,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { @{run}/systemd/notify rw, owner @{run}/systemd/netif/.#state rw, owner @{run}/systemd/netif/.#state* rw, - owner @{run}/systemd/netif/leases/.#* rw, - owner @{run}/systemd/netif/leases/[0-9]* rw, - owner @{run}/systemd/netif/links/.#* rw, - owner @{run}/systemd/netif/links/[0-9]* rw, + owner @{run}/systemd/netif/leases/{,*} rw, + owner @{run}/systemd/netif/links/{,*} rw, + owner @{run}/systemd/netif/lldp/ rw, owner @{run}/systemd/netif/state rw, @{run}/udev/data/n[0-9]* r, diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 8f13fe93..af074104 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -9,14 +9,25 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-remount-fs profile systemd-remount-fs @{exec_path} { include + include include + capability net_admin, + capability sys_admin, + capability sys_resource, + + mount options=(rw, remount) -> /, + mount options=(rw, remount) -> /proc/, + @{exec_path} mr, + /{usr/,}bin/mount rix, + /etc/fstab r, @{run}/host/container-manager r, + @{PROC}/ r, @{PROC}/1/cmdline r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 84c91239..8947d180 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl 
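Review bot: The two new rules `mount options=(rw, remount) -> /,` and `mount options=(rw, remount) -> /proc/,` only admit a read-write remount of `/` and `/proc/`, yet the profile also gains `/etc/fstab r,` and executes `/{usr/,}bin/mount rix` under its own confinement, and the remount it performs is whatever fstab specifies for each entry. A root entry mounted `ro`, one with extra flags, or a separate `/usr` entry would be refused by this rule set as written; if that narrowing is deliberate it deserves a comment, otherwise the rule needs a form that admits those remounts. `capability net_admin,` and `capability sys_resource,` are also added without a why-comment; if they come from an sd_notify/socket-buffer path rather than from mounting, say so, so the next reader does not treat them as mount prerequisites.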
@@ -15,6 +15,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_admin, capability sys_ptrace, + capability sys_rawio, # capability sys_resource, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 9e53b097..c8baa835 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -11,6 +11,10 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { include include + capability chown, + capability fsetid, + capability net_admin, + @{exec_path} mr, # Config file locations diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 6a113965..33043a49 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -22,5 +22,7 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, + /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 5339e99f..42b55601 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -27,6 +27,8 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{PROC}/uptime r, + /dev/tty[0-9]* rw, + profile mount { include @@ -41,6 +43,8 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{PROC}/@{pid}/mountinfo r, + /dev/tty[0-9]* rw, + } include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 83cc1273..cb762049 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available 
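Review bot: `capability sys_rawio,` is added to systemd-sysctl with no explanation, right next to a deliberately commented-out `# capability sys_resource,`; sys_rawio is a broad grant (raw block I/O, `/dev/mem`-class access, privileged ioctls) and nothing in the visible profile indicates which sysctl write is gated on it. Because systemd-sysctl only writes under `/proc/sys`, the denial almost certainly comes from a specific key the kernel checks against CAP_SYS_RAWIO, and that key name is the useful thing to record. Suggest either `capability sys_rawio, # needed for <sysctl key>` or keeping it commented out like sys_resource until the trigger is known.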
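Review bot: The three capabilities added to systemd-sysusers, `chown`, `fsetid` and `net_admin`, have no accompanying comment, and `net_admin` is not an obvious need for a tool that creates users and groups; if it comes from an sd_notify/socket-buffer path it should be stated so the reader does not assume sysusers touches networking. `chown` and `fsetid` are plausible for creating home directories and copying skeleton files, but that is inferred, not visible here. A one-line why-comment per capability, in the style of the other systemd profiles, would make this reviewable later.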
@@ -39,6 +39,7 @@ profile update-motd-updates-available @{exec_path} { /etc/machine-id r, /var/lib/update-notifier/{,*} rw, + /var/lib/ubuntu-advantage/apt-esm/var/cache/apt/pkgcache.bin* rw, /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 8ecaffc2..a223f2dd 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -28,5 +28,7 @@ profile aa-log @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/cap_last_cap r, + /dev/tty[0-9]* rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 15e46710..e6a4c247 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -21,5 +21,7 @@ profile dumpe2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-*} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index c9c50490..18b99af8 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -28,6 +28,7 @@ profile e2fsck @{exec_path} { owner @{user_img_dirs}/{,**} rwk, @{run}/blkid/ rw, + @{run}/systemd/fsck.progress rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, owner @{run}/blkid/blkid.tab{,-*} rw, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index f8f7f45e..11369a9a 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -10,8 +10,14 @@ include profile fail2ban-server @{exec_path} flags=(attach_disconnected) { include include + include include + capability dac_read_search, + capability net_admin, + + network netlink raw, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, 
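Review bot: `capability dac_read_search,` is added to fail2ban-server without a comment and it is a significant widening: it lets the server read any file its path rules allow regardless of the file's DAC mode, whereas the motivating case is probably a single log directory with restrictive permissions. Suggest naming the trigger, e.g. `capability dac_read_search, # log dirs such as /var/log/<daemon>/ with 0750 perms`, so a later cleanup can reconsider it. The paired `capability net_admin,` and `network netlink raw,` suggest fail2ban now talks to the firewall directly over netlink rather than only through the `/{usr/,}bin/{,ba,da}sh rix` action scripts; if so, a comment naming the action backend that needs them would help.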
@@ -27,8 +33,8 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { /var/log/auth.log r, /var/log/fail2ban.log w, - @{run}/fail2ban/fail2ban.pid w, - @{run}/fail2ban/fail2ban.sock w, + @{run}/fail2ban/fail2ban.pid rw, + @{run}/fail2ban/fail2ban.sock rw, @{run}/resolvconf/resolv.conf r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index b6c640a5..06c32689 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -11,6 +11,8 @@ include profile gparted @{exec_path} { include + ptrace (read), + @{exec_path} r, /{usr/,}{s,}bin/ r, @@ -34,8 +36,8 @@ profile gparted @{exec_path} { @{run}/udev/rules.d/ rw, @{run}/udev/rules.d/90-udisks-inhibit.rules rw, - /{usr/,}bin/udevadm rCx -> udevadm, - /{usr/,}{s,}bin/killall5 rCx -> killall, + /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}{s,}bin/killall5 rCx -> killall, /{usr/,}bin/ps rPx, /{usr/,}bin/xhost rPx, @@ -49,6 +51,9 @@ profile gparted @{exec_path} { /usr/local/bin/ r, /usr/local/sbin/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 614cd455..98a138cf 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin 
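Review bot: `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/stat r,` use the any-pid variable with no `owner`, and the earlier hunk in this file adds an unscoped `ptrace (read),`; together they let the gparted wrapper inspect every process on the system. The wrapper visibly runs `ps` and `killall5`, so a process scan is probably what drives this, but a comment tying the three rules to that use (e.g. `# wrapper script scans running processes before killall5`) would keep them from being read as an accidental over-grant. If the scan only needs process names, `stat` may suffice and `cmdline` could be dropped — confirm against the shell script.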
@@ -13,149 +13,93 @@ include profile gpartedbin @{exec_path} { include include - include - include - include - include include + include + include + include + include - # Needed to inform the system of newly created/removed partitions. - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) - # - # Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the - # kernel of the change, probably because it/they are in use. As a result, the old partition(s) - # will remain in use. You should reboot now before making further changes. - capability sys_admin, - - # capability dac_read_search, - - # Needed? (##FIXME##) + capability sys_admin, capability sys_rawio, # Needed? - deny capability sys_nice, + # deny capability sys_nice, - # Needed? ptrace (read), @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{s,}bin/blkid rPx, /{usr/,}{s,}bin/dmidecode rPx, /{usr/,}{s,}bin/hdparm rPx, - /{usr/,}{s,}bin/blkid rPx, + /{usr/,}bin/kmod rPx, - /{usr/,}bin/udevadm rCx -> udevadm, - /{usr/,}bin/mount rCx -> mount, - /{usr/,}bin/umount rCx -> umount, + /{usr/,}bin/mount rCx -> mount, + /{usr/,}bin/udevadm rCx -> udevadm, + /{usr/,}bin/umount rCx -> umount, - # RAID /{usr/,}{s,}bin/dmraid rPUx, - - # Device mapper /{usr/,}{s,}bin/dmsetup rPUx, - - # LVM + /{usr/,}{s,}bin/dumpe2fs rPx, + /{usr/,}{s,}bin/e2fsck rPx, + /{usr/,}{s,}bin/e2image rPx, + /{usr/,}{s,}bin/fsck.btrfs rPx, + /{usr/,}{s,}bin/fsck.fat rPx, /{usr/,}{s,}bin/lvm rPUx, - - # NTFS - # The following tools link to mkntfs: - # mkfs.ntfs + /{usr/,}{s,}bin/mke2fs rPx, /{usr/,}{s,}bin/mkntfs rPx, + /{usr/,}{s,}bin/mkswap rPx, /{usr/,}{s,}bin/ntfslabel rPx, /{usr/,}{s,}bin/ntfsresize rPx, - /{usr/,}bin/ntfsinfo rPx, - - # FAT16/32 - # The following tools link to mtools: - # mattrib, mbadblocks, mcat, mcd, mclasserase, mcopy, mdel, - # mdeltree, mdir, mdu, mformat, minfo, mlabel, mmd, mmount, - # mmove, mpartition, mrd, mren, mshortname, mshowfat, - # mtoolstest, mtype, mzip - 
/{usr/,}bin/mtools rPx, - # The following tools link to mkfs.fat: - # mkdosfs, mkfs.msdos, mkfs.vfat - /{usr/,}{s,}bin/mkfs.fat rPx, - # The following tools link to fsck.fat: - # dosfsck, fsck.msdos, fsck.vfat - /{usr/,}{s,}bin/fsck.fat rPx, - - # EXT2/3/4 - # The following tools link to mke2fs: - # mkfs.ext2, mkfs.ext3, mkfs.ext4 - /{usr/,}{s,}bin/mke2fs rPx, - # The following tools link to e2fsck: - # fsck.ext2, fsck.ext3, fsck.ext4 - /{usr/,}{s,}bin/e2fsck rPx, /{usr/,}{s,}bin/resize2fs rPx, - # The following tools link to dumpe2fs: - # e2mmpstatus - /{usr/,}{s,}bin/dumpe2fs rPx, - # The following tools link to tune2fs: - # e2label - /{usr/,}{s,}bin/tune2fs rPx, - /{usr/,}{s,}bin/e2image rPx, - - # BTRFS - /{usr/,}{s,}bin/mkfs.btrfs rPx, - # The following tools link to btrfs: - # btrfsck - /{usr/,}bin/btrfs rPx, - /{usr/,}bin/btrfstune rPx, - /{usr/,}{s,}bin/fsck.btrfs rPx, - /{usr/,}{s,}bin/mkfs.btrfs rPx, - - # SWAP - /{usr/,}{s,}bin/mkswap rPx, /{usr/,}{s,}bin/swaplabel rPx, - /{usr/,}{s,}bin/swapon rPx, /{usr/,}{s,}bin/swapoff rPx, + /{usr/,}{s,}bin/swapon rPx, + /{usr/,}{s,}bin/tune2fs rPx, + /{usr/,}bin/btrfs rPx, + /{usr/,}bin/btrfstune rPx, + /{usr/,}bin/mdadm rPUx, + /{usr/,}bin/mkfs.* rPx, + /{usr/,}bin/mtools rPx, + /{usr/,}bin/ntfsinfo rPx, + /{usr/,}bin/xfs_io rPUx, - /{usr/,}bin/xdg-open rCx -> open, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + /{usr/,}bin/xdg-open rCx -> child-open, + /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> child-open, - @{PROC}/version r, - @{PROC}/swaps r, - @{PROC}/partitions r, - @{PROC}/devices r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/mountinfo r, - - /dev/mapper/control rw, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - @{run}/mount/utab r, - - # For fsck of the btrfs filesystem - owner /tmp/gparted-*/ rw, - - # Started as root so without "owner". 
- @{HOME}/.Xauthority r, - - # For saving reports + @{HOME}/.Xauthority r, owner @{HOME}/*.htm w, + owner /tmp/gparted-*/ rw, + + @{run}/mount/utab r, + + @{PROC}/devices r, + @{PROC}/partitions r, + @{PROC}/swaps r, + @{PROC}/version r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/mapper/control rw, profile mount { include capability sys_admin, - /{usr/,}bin/mount mr, - mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/, mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/, mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + /{usr/,}bin/mount mr, + @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r, @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/ r, @@ -171,24 +115,25 @@ profile gpartedbin @{exec_path} { capability sys_admin, - /{usr/,}bin/umount mr, - umount /tmp/gparted-*/, umount /boot/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, - owner @{PROC}/@{pid}/mountinfo r, + /{usr/,}bin/umount mr, owner @{run}/mount/ rw, owner @{run}/mount/utab{,.*} rw, owner @{run}/mount/utab.lock wk, + owner @{PROC}/@{pid}/mountinfo r, + } profile udevadm { include + include ptrace (read), 
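Review bot: The consolidated `/{usr/,}bin/mkfs.* rPx,` drops the `{s,}` alternation that the removed `/{usr/,}{s,}bin/mkfs.fat rPx,` and `/{usr/,}{s,}bin/mkfs.btrfs rPx,` carried, so on distributions that keep `/usr/sbin` separate (Debian and Ubuntu install mkfs.* there) the exec will now be denied; `/{usr/,}bin/mdadm rPUx,` and `/{usr/,}bin/xfs_io rPUx,` have the same gap. Suggest `/{usr/,}{s,}bin/mkfs.* rPx,` and the same `{s,}` on the other two. Two removed why-comments also deserve to come back in one-line form: the `ioctl(BLKRRPART)` rationale above `capability sys_admin,` and `# Started as root so without "owner"` above `@{HOME}/.Xauthority r,`, since both rules survive the rewrite and the reason for their shape no longer appears anywhere.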
@@ -196,42 +141,17 @@ profile gpartedbin @{exec_path} { /etc/udev/udev.conf r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/cmdline r, - @{PROC}/1/sched r, @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, - # file_inherit - include # lots of files in this abstraction get inherited /dev/mapper/control rw, } - profile open { - include - include - - /{usr/,}bin/xdg-open mr, - /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, - - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/{m,g,}awk rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index ed7a3340..bf0cc3ff 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -43,5 +43,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/igmp{,6} r, owner @{PROC}/sys/net/ipv{4,6}/route/flush w, + /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 356fc74b..d99a78d2 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -7,7 +7,7 @@ abi , include @{exec_path} = /{usr/,}bin/login -profile login @{exec_path} flags=(complain) { +profile login @{exec_path} flags=(attach_disconnected) { include include include @@ -28,6 +28,8 @@ profile login @{exec_path} flags=(complain) { network netlink raw, + ptrace read, + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.* peer=(name=org.freedesktop.login1), diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk index 3593617d..675b2994 100644 --- a/apparmor.d/profiles-g-l/lsblk 
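Review bot: This hunk removes the local `profile open { … }` child, yet the first hunk of this file retargets `/{usr/,}bin/xdg-open rCx -> child-open,` and the gio-launch-desktop line the same way; `rCx -> name` transitions to a child profile of gpartedbin named `child-open`, which is not declared in the profile after this change unless an include not visible here supplies it. If `child-open` is the tree's standalone profile, the transition should be `rPx -> child-open,`; if a local child was intended it has to be declared. As written, either policy load or the xdg-open exec will fail, depending on how the parser resolves the reference.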
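Review bot: `ptrace read,` is added to login with no `peer=` qualifier, in the same patch that flips the profile from `flags=(complain)` to `flags=(attach_disconnected)` in the previous hunk, so login now enforces a rule set that lets it read the state of any process. login is the console authentication path and deserves the tighter form used elsewhere in this tree, e.g. `ptrace (read) peer=unconfined,` or whatever peer label the session/utmp check actually targets; the denial that motivated it should identify that peer. The switch from complain to enforce should also be called out in the commit message, since an over-restrictive login profile locks users out of the console.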
+++ b/apparmor.d/profiles-g-l/lsblk @@ -24,5 +24,9 @@ profile lsblk @{exec_path} { @{run}/mount/utab r, + # File Inherit + deny network inet stream, + deny network inet6 stream, + include if exists } diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index dc220c35..7ae7ffd1 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -13,6 +13,8 @@ profile lvm @{exec_path} { include include + capability dac_read_search, + capability fowner, capability mknod, capability net_admin, capability sys_admin, @@ -23,8 +25,9 @@ profile lvm @{exec_path} { @{etc_rw}/lvm/** rwkl, - @{run}/lvm/** rwk, + @{run}/lock/lvm/ rw, @{run}/lock/lvm/* rwk, + @{run}/lvm/** rwk, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin index 252f9054..572122a8 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/profiles-m-r/nologin @@ -9,8 +9,12 @@ include @{exec_path} = /{usr/,}{s,}bin/nologin profile nologin @{exec_path} { include + include + include @{exec_path} mr, + owner @{PROC}/@{pid}/loginuid r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 339e4b73..7c3260da 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -30,8 +30,9 @@ profile pkttyagent @{exec_path} { dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication, - + member={BeginAuthentication,CancelAuthentication} + peer=(name=:*, label=polkitd), + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority member=Changed, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index db143210..0ca3736f 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga 
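Review bot: `capability dac_read_search,` and `capability fowner,` are added to lvm without a comment, and the existing capabilities in the hunk (`mknod`, `net_admin`, `sys_admin`) have none either, so the reader cannot tell which lvm operation needs each. `dac_read_search` is the broad one — it bypasses directory permission checks for every path the profile allows — and `fowner` is plausibly for the lock files under `@{run}/lock/lvm/`, but that is a guess. Suggest a one-line why-comment naming the audited operation, e.g. `capability fowner, # lock files under @{run}/lock/lvm/`.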
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/qemu-ga +@{exec_path} = /{usr/,}{s,}bin/qemu-ga profile qemu-ga @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 600f492d..66991454 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -116,7 +116,8 @@ profile run-parts @{exec_path} { /etc/kernel/prerm.d/dkms rCx -> kernel, owner /tmp/#[0-9]*[0-9] rw, - owner /tmp/file* rw, + + /dev/tty[0-9]* rw, profile motd { include @@ -152,6 +153,7 @@ profile run-parts @{exec_path} { @{PROC}/@{pids}/mounts r, + /dev/tty[0-9]* rw, } profile kernel { diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index d31990a1..dd5e2bda 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -26,6 +26,10 @@ profile snap @{exec_path} { member={StartTransientUnit,JobRemoved} peer=(name=:*, label=unconfined), + dbus (send, receive) bus=system path=/org/freedesktop/ + interface=org.freedesktop.systemd1.Manager + member={StartTransientUnit,JobRemoved}, + dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents member=GetMountPoint @@ -35,6 +39,7 @@ profile snap @{exec_path} { /{usr/,}bin/mount rix, + /{usr/,}bin/gpg{,2} rCx -> gpg, /{usr/,}bin/systemctl rPx -> child-systemctl, /snap/{,**} rw, @@ -77,5 +82,19 @@ profile snap @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, + profile gpg { + include + + /{usr/,}bin/gpg{,2} mr, + + /{usr/,}bin/dirmngr rix, + /{usr/,}bin/gpg-agent rix, + /{usr/,}bin/gpg-connect-agent rix, + + owner @{HOME}/.snap/gnupg/ rw, + owner @{HOME}/.snap/gnupg/** rwkl, + + } + include if exists } diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 08593ffd..2f9da093 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd 
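Review bot: The new `dbus (send, receive) … interface=org.freedesktop.systemd1.Manager member={StartTransientUnit,JobRemoved},` has no `peer=` qualifier, unlike the rule directly above it which is scoped to `peer=(name=:*, label=unconfined)`; as written any bus client under any label can deliver `JobRemoved` to snap, and snap may send `StartTransientUnit` to any name. The object path also reads `path=/org/freedesktop/` here, whereas the systemd1 Manager lives at `/org/freedesktop/systemd1` (the hostname1 rule elsewhere in this patch spells out its full object path) — if that is the real text rather than a rendering loss, the rule will not match at all. Suggest `path=/org/freedesktop/systemd1` with `peer=(name=org.freedesktop.systemd1, label=unconfined)`, or a comment stating why the unscoped form is required.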
@@ -43,6 +43,11 @@ profile snapd @{exec_path} { ptrace (read) peer=snap, ptrace (read) peer=unconfined, + dbus (send) bus=system path=/org/freedesktop/ + interface=org.freedesktop.login1.Manager + member={SetWallMessage,ScheduleShutdown} + peer=(name=org.freedesktop.login1, label=systemd-logind), + dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get @@ -151,6 +156,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/system.slice/{,**/} r, @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, + @{sys}/kernel/kexec_loaded r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/profiles r,
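Review bot: The added `dbus (send) … interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} peer=(name=org.freedesktop.login1, label=systemd-logind)` is well scoped on peer, but its object path reads `path=/org/freedesktop/` here while the login profile earlier in this patch addresses the same service at `path=/org/freedesktop/login1`. If that is the actual text and not a rendering artifact the rule will never match and `ScheduleShutdown` will keep being denied; suggest `path=/org/freedesktop/login1`. A short comment naming the snapd feature that schedules shutdowns (presumably the reboot after a core or kernel refresh) would also help the next reader.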