Allow dbus messages and user database reading.

2024-11-15 07:54:17 +01:00 · 2022-07-18 17:58:01 +02:00 · 2022-07-18 17:58:01 +02:00 · 5af6cda328
commit 5af6cda328
parent 28a3584c14
2 changed files with 23 additions and 3 deletions
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -40,7 +40,6 @@ profile k3s @{exec_path} flags=(complain) {
  /{usr/,}bin/mount rPx,
  /{usr/,}bin/systemd-run rix,

-  # Does not seem to work.
  # These are all symbolic links to xtables-nft-multi on Ubuntu 22.04
  /{usr/,}{s,}bin/iptables rPx -> xtables-nft-multi,
  /etc/alternatives/iptables rPx -> xtables-nft-multi,
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -12,15 +13,35 @@ profile pkttyagent @{exec_path} {
  include <abstractions/dbus-strict>

  capability sys_nice,
+  capability audit_write,

  ptrace (read),
-  signal (receive),
+  signal (send,receive),
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=RegisterAuthenticationAgentWithOptions,
+  
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent
+       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
+       member=BeginAuthentication,
+  
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=Changed,

  @{exec_path} mr,

+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+
  owner @{PROC}/@{pids}/stat r,

  /dev/tty rw,

  include if exists <local/pkttyagent>
-}
+}