mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2024-11-14 23:43:56 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(profiles): add ubuntu specific profiles.

Browse Source
This commit is contained in:
Alexandre Pujol 2022-05-21 17:07:37 +01:00
parent 4c7ebb3a39
commit 59ba69a167
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
9 changed files with 287 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
apparmor.d/groups/ubuntu/apport-checkreports Normal file
View File

@ -0,0 +1,26 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/apport/apport-checkreports
profile apport-checkreports @{exec_path} {
include <abstractions/base>
include <abstractions/python>
include <abstractions/openssl>
@{exec_path} mr,
/{usr/,}bin/python3.[0-9]* r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/usr/share/apport/ r,
/etc/apt/apt.conf.d/{,**} r,
include if exists <local/apport-checkreports>
}

25
apparmor.d/groups/ubuntu/livepatch-notification Normal file
View File

@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
profile livepatch-notification @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/X11/{,**} r,
/usr/share/themes/{,**} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/livepatch-notification>
}

31
apparmor.d/groups/ubuntu/package-system-locked Normal file
View File

@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/package-system-locked
profile package-system-locked @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
capability dac_read_search,
capability syslog,
ptrace (read),
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/fuser rix,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/net/unix r,
@{PROC}/ r,
@{PROC}/@{pids}/fd/ r,
@{PROC}/@{pids}/maps r,
@{PROC}/swaps r,
include if exists <local/package-system-locked>
}

34
apparmor.d/groups/ubuntu/packagekitd Normal file
View File

@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{libexec}/packagekitd
profile packagekitd @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/nameservice-strict>
capability sys_nice,
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
/usr/share/dpkg/tupletable r,
/usr/share/dpkg/cputable r,
/etc/PackageKit/PackageKit.conf r,
/var/cache/PackageKit/downloads/ r,
/var/lib/PackageKit/transactions.db rwk,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/packagekitd>
}

22
apparmor.d/groups/ubuntu/snap-device-helper Normal file
View File

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/snapd/snap-device-helper
profile snap-device-helper @{exec_path} {
include <abstractions/base>
capability bpf,
capability setgid,
capability sys_resource,
@{exec_path} mr,
@{sys}/fs/bpf/snap/ w,
include if exists <local/snap-device-helper>
}

25
apparmor.d/groups/ubuntu/ubuntu-advantage-notification Normal file
View File

@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification
profile ubuntu-advantage-notification @{exec_path} {
include <abstractions/base>
include <abstractions/dconf>
@{exec_path} mr,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/X11/xkb/{,**} r,
/usr/share/themes/{,**} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
include if exists <local/ubuntu-advantage-notification>
}

25
apparmor.d/groups/ubuntu/ubuntu-report Normal file
View File

@ -0,0 +1,25 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/ubuntu-report
profile ubuntu-report @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
owner @{user_cache_dirs}/ubuntu-report/{,*} r,
@{run}/systemd/resolve/stub-resolv.conf r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
include if exists <local/ubuntu-report>
}

36
apparmor.d/groups/ubuntu/update-motd-updates-available Normal file
View File

@ -0,0 +1,36 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available
profile update-motd-updates-available @{exec_path} {
include <abstractions/base>
include <abstractions/python>
@{exec_path} mr,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/apt-config rPx,
/{usr/,}bin/dirname rix,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/find rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}lib/update-notifier/apt_check.py rix,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/sources.list r,
/var/lib/apt/lists/{,*} r,
/var/lib/update-notifier/{,*} rw,
owner @{PROC}/@{pid}/fd/ r,
include if exists <local/update-motd-updates-available>
}

63
apparmor.d/groups/ubuntu/update-notifier Normal file
View File

@ -0,0 +1,63 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/update-notifier
profile update-notifier @{exec_path} {
include <abstractions/base>
include <abstractions/apt-common>
include <abstractions/dconf>
include <abstractions/fonts>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/python>
@{exec_path} mr,
/{usr/,}bin/dpkg rPx,
/{usr/,}bin/ionice rix,
/{usr/,}bin/ischroot rix,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/nice rix,
/{usr/,}bin/pkexec rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}lib/update-notifier/apt_check.py rix,
/{usr/,}lib/update-notifier/livepatch-notification rPx,
/{usr/,}lib/update-notifier/package-system-locked rPx,
/usr/share/apport/apport-checkreports rPx,
/usr/share/applications/{,*.desktop} r,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/icons/{,**} r,
/usr/share/themes/{,**} r,
/usr/share/ubuntu/applications/ r,
/usr/share/X11/{,**} r,
/etc/machine-id r,
/etc/gnome/defaults.list r,
/var/lib/update-notifier/user.d/ r,
/var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r,
owner @{run}/user/@{uid}/dconf/ rw,
owner @{run}/user/@{uid}/dconf/user rw,
owner @{run}/user/@{uid}/update-notifier.pid rwk,
owner @{run}/user/@{uid}/wayland-[0-9]* rw,
owner /tmp/#[0-9]* rw,
@{run}/systemd/userdb/io.systemd.DynamicUser w,
@{run}/systemd/userdb/ r,
owner @{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/sys/kernel/random/boot_id r,
include if exists <local/update-notifier>
}