From 59ba69a1674f4fd0015536b9b6af42d5f92777c2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 21 May 2022 17:07:37 +0100
Subject: [PATCH] feat(profiles): add ubuntu specific profiles.
---
 apparmor.d/groups/ubuntu/apport-checkreports | 26 ++++++++
 .../groups/ubuntu/livepatch-notification | 25 ++++++++
 .../groups/ubuntu/package-system-locked | 31 +++++++++
 apparmor.d/groups/ubuntu/packagekitd | 34 ++++++++++
 apparmor.d/groups/ubuntu/snap-device-helper | 22 +++++++
 .../ubuntu/ubuntu-advantage-notification | 25 ++++++++
 apparmor.d/groups/ubuntu/ubuntu-report | 25 ++++++++
 .../ubuntu/update-motd-updates-available | 36 +++++++++++
 apparmor.d/groups/ubuntu/update-notifier | 63 +++++++++++++++++++
 9 files changed, 287 insertions(+)
 create mode 100644 apparmor.d/groups/ubuntu/apport-checkreports
 create mode 100644 apparmor.d/groups/ubuntu/livepatch-notification
 create mode 100644 apparmor.d/groups/ubuntu/package-system-locked
 create mode 100644 apparmor.d/groups/ubuntu/packagekitd
 create mode 100644 apparmor.d/groups/ubuntu/snap-device-helper
 create mode 100644 apparmor.d/groups/ubuntu/ubuntu-advantage-notification
 create mode 100644 apparmor.d/groups/ubuntu/ubuntu-report
 create mode 100644 apparmor.d/groups/ubuntu/update-motd-updates-available
 create mode 100644 apparmor.d/groups/ubuntu/update-notifier
diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports
new file mode 100644
index 00000000..56e0b48e
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/apport-checkreports
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/apport/apport-checkreports
+profile apport-checkreports @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+ /usr/share/apport/ r,
+
+ /etc/apt/apt.conf.d/{,**} r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification
new file mode 100644
index 00000000..33965de6
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
+profile livepatch-notification @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/X11/{,**} r,
+ /usr/share/themes/{,**} r,
+
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked
new file mode 100644
index 00000000..d307f0eb
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/package-system-locked
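Review bot: Nothing in this profile grants access to the crash-report directory the tool exists to inspect; the only file rules are `/usr/share/apport/ r`, the two dpkg tables and `/etc/apt/apt.conf.d/{,**} r`. If apport-checkreports scans `/var/crash/` (I infer that from its name, the profile itself does not show it), it will need `/var/crash/ r,` and `/var/crash/*.crash r,`, so please confirm against a run with audit logging before merging. A one-line header comment stating what the helper checks, e.g. `# Reports whether unseen crash reports are pending; launched by update-notifier`, would make the intended reach of the profile clear to the next reviewer.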
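Review bot: This profile is line-for-line the same as `ubuntu-advantage-notification` in this commit except for the X11 rule, which is `/usr/share/X11/{,**} r,` here but `/usr/share/X11/xkb/{,**} r,` there, and the difference is not explained. If both notifiers only need the keyboard layouts, the tighter `xkb` form should be used in both; if they really are identical, one profile attaching to both binaries (`@{exec_path} = /{usr/,}lib/update-notifier/{livepatch,ubuntu-advantage}-notification`, assuming the repo's tooling accepts alternation in `@{exec_path}`) avoids the two drifting apart later. The two dconf rules could also be written once as `owner @{run}/user/@{uid}/dconf/{,user} rw,`.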
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/update-notifier/package-system-locked
+profile package-system-locked @{exec_path} flags=(attach_disconnected) {
+ include
+
+ capability dac_read_search,
+ capability syslog,
+
+ ptrace (read),
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/fuser rix,
+
+ owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/net/unix r,
+ @{PROC}/ r,
+ @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pids}/maps r,
+ @{PROC}/swaps r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/packagekitd b/apparmor.d/groups/ubuntu/packagekitd
new file mode 100644
index 00000000..ba55b853
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/packagekitd
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{libexec}/packagekitd
+profile packagekitd @{exec_path} {
+ include
+ include
+ include
+
+ capability sys_nice,
+
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+
+ /usr/share/dpkg/tupletable r,
+ /usr/share/dpkg/cputable r,
+
+ /etc/PackageKit/PackageKit.conf r,
+
+ /var/cache/PackageKit/downloads/ r,
+ /var/lib/PackageKit/transactions.db rwk,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/snap-device-helper b/apparmor.d/groups/ubuntu/snap-device-helper
new file mode 100644
index 00000000..d3cdb0a9
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/snap-device-helper
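Review bot: `ptrace (read),` with no `peer=`, together with `@{PROC}/@{pids}/fd/ r,` and `@{PROC}/@{pids}/maps r,` and `capability dac_read_search`, lets this small helper read the open-file table and memory layout of every process on the box, and the profile does not say why. I assume this is what `fuser` (run `rix`, so it inherits these rules) needs to find which process holds the dpkg lock, so please document it above the `ptrace` line: `# fuser walks every process's fd/ and maps to find the holder of the dpkg lock`. If the repo ships a dedicated `fuser` profile, `/{usr/,}bin/fuser rPx,` would move the system-wide /proc and ptrace access out of this profile so that the wrapper itself keeps only its own-pid rules. It is also not obvious what `capability syslog` is for in a lock checker; it deserves either a why-comment or removal after a retest.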
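Review bot: `/{usr/,}bin/dpkg rPx,` transitions into the full `dpkg` profile, while `update-motd-updates-available` in this same commit uses `rPx -> child-dpkg` for dpkg; if packagekitd only queries dpkg (the `cputable`/`tupletable` reads suggest `dpkg --print-architecture`-style calls), `/{usr/,}bin/dpkg rPx -> child-dpkg,` is the consistent and narrower choice, and if it really drives installs through dpkg a comment saying so would justify the full transition. Note also that `/var/cache/PackageKit/downloads/ r,` only permits listing the directory; if the daemon reads downloaded packages from it, that needs `/var/cache/PackageKit/downloads/{,**} r,`. `network netlink raw` should carry a why-comment (presumably link/route change notifications, but the profile does not show it).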
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/snapd/snap-device-helper
+profile snap-device-helper @{exec_path} {
+ include
+
+ capability bpf,
+ capability setgid,
+ capability sys_resource,
+
+ @{exec_path} mr,
+
+ @{sys}/fs/bpf/snap/ w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
new file mode 100644
index 00000000..c6e3f327
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/update-notifier/ubuntu-advantage-notification
+profile ubuntu-advantage-notification @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/X11/xkb/{,**} r,
+ /usr/share/themes/{,**} r,
+
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report
new file mode 100644
index 00000000..a6b6447d
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
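Review bot: `@{sys}/fs/bpf/snap/ w,` grants write only on the directory itself (create/remove of `snap/`), not on any pinned object inside it; if the helper pins BPF maps or programs under that path, as `capability bpf` suggests, it will additionally need `@{sys}/fs/bpf/snap/* w,` (or `rw` if it reopens them), and this should be confirmed from denials rather than guessed. Each of the three capabilities deserves a why-comment since they are strong grants for a udev-spawned root helper, e.g. `capability bpf, # attach the per-snap device-cgroup program`; I can only infer the reasons for `setgid` and `sys_resource`, so the author should state them. A one-line header such as `# Invoked by udev to update a snap's device cgroup on hotplug` would also help.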
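Review bot: This profile mirrors `livepatch-notification` from the same commit, and its `/usr/share/X11/xkb/{,**} r,` is the tighter of the two X11 rules; the other profile should be brought into line with it (or both collapsed into one profile attaching to both helpers) so the two do not diverge over time. The dconf rules can be expressed as a single `owner @{run}/user/@{uid}/dconf/{,user} rw,`, and if the repo already has a dconf-write abstraction, including it instead keeps the per-profile rule count down. A header comment stating that this is a GTK notification pop-up launched by `update-notifier` would document why a tool with no network rules reads icons, themes and gsettings.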
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/ubuntu-report
+profile ubuntu-report @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+
+ owner @{user_cache_dirs}/ubuntu-report/{,*} r,
+
+ @{run}/systemd/resolve/stub-resolv.conf r,
+
+ @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available
new file mode 100644
index 00000000..5724a959
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/update-motd-updates-available
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available
+profile update-motd-updates-available @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/python3.[0-9]* r,
+
+ /{usr/,}bin/apt-config rPx,
+ /{usr/,}bin/dirname rix,
+ /{usr/,}bin/dpkg rPx -> child-dpkg,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/mktemp rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}lib/update-notifier/apt_check.py rix,
+
+ /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/sources.list r,
+
+ /var/lib/apt/lists/{,*} r,
+ /var/lib/update-notifier/{,*} rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
new file mode 100644
index 00000000..08139166
--- /dev/null
+++ b/apparmor.d/groups/ubuntu/update-notifier
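Review bot: `/{usr/,}bin/dpkg rPx,` sends a telemetry-reporting tool into the full `dpkg` profile, whereas `update-motd-updates-available` in this commit uses the query-only `child-dpkg` target; if ubuntu-report only asks dpkg for the architecture or package list (which is all a reporter should need), `/{usr/,}bin/dpkg rPx -> child-dpkg,` is the consistent and least-privilege choice. `owner @{user_cache_dirs}/ubuntu-report/{,*} r,` is read-only, so if the tool also stores the last sent report there (I cannot tell from the profile), writes will be denied and the rule should become `rw`. The `transparent_hugepage/hpage_pmd_size` read looks like a Go runtime start-up probe; a comment such as `# Go runtime reads the THP size at start-up` would stop the next reviewer from questioning it.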
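Review bot: Only `/etc/apt/sources.list r,` is granted, while the `sources.list.d/` directory that apt and python-apt also read is absent; since `apt_check.py` is run `rix` under this profile, it will very likely need `/etc/apt/sources.list.d/{,*} r,` as well, so please check for denials on a system that uses `.list`/`.sources` fragments. The `mktemp`/`mv` pair implies a temporary file, yet the only writable location is `/var/lib/update-notifier/{,*} rw`; if mktemp is invoked without a directory argument it will be denied on `/tmp`, which needs verifying. Minor: `/etc/apt/apt.conf.d/{,*} r,` here versus `{,**}` in `apport-checkreports` should be made consistent.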
@@ -0,0 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/update-notifier
+profile update-notifier @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/ionice rix,
+ /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+ /{usr/,}bin/nice rix,
+ /{usr/,}bin/pkexec rPx,
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}lib/update-notifier/apt_check.py rix,
+ /{usr/,}lib/update-notifier/livepatch-notification rPx,
+ /{usr/,}lib/update-notifier/package-system-locked rPx,
+ /usr/share/apport/apport-checkreports rPx,
+
+ /usr/share/applications/{,*.desktop} r,
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ /usr/share/icons/{,**} r,
+ /usr/share/themes/{,**} r,
+ /usr/share/ubuntu/applications/ r,
+ /usr/share/X11/{,**} r,
+
+ /etc/machine-id r,
+ /etc/gnome/defaults.list r,
+
+ /var/lib/update-notifier/user.d/ r,
+ /var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r,
+
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+ owner @{run}/user/@{uid}/update-notifier.pid rwk,
+ owner @{run}/user/@{uid}/wayland-[0-9]* rw,
+
+ owner /tmp/#[0-9]* rw,
+
+ @{run}/systemd/userdb/io.systemd.DynamicUser w,
+ @{run}/systemd/userdb/ r,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
\ No newline at end of file
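Review bot: `/var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r,` expands its second alternative to `/var/lib/snapd/desktop/applications//mimeinfo.cache`, with a doubled slash that the kernel will never present, so the cache file is effectively not granted; it should read `/var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,`. `@{PROC}/@{pids}/mountinfo r,` exposes the mount layout of every process; if update-notifier only reads its own (the neighbouring `fd/` rule is already `owner @{pid}`), `owner @{PROC}/@{pid}/mountinfo r,` is the safer form and should be tried first. Since `pkexec` is a setuid helper that this profile launches via `rPx`, a comment naming what it is used for (I presume the privileged update/reboot actions) would make that transition easy to audit later.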