From 5e77974546008736d5b826f23613cf3fa8f90c99 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Tue, 7 Mar 2023 18:01:07 +0000
Subject: [PATCH] feat(profiles): better cockpit integration.

---
 apparmor.d/groups/virt/cockpit-bridge         |  3 ++
 .../groups/virt/cockpit-certificate-ensure    |  8 +++++
 .../groups/virt/cockpit-certificate-helper    | 15 +++++++++
 apparmor.d/groups/virt/cockpit-pcp            | 33 +++++++++++++++++++
 apparmor.d/groups/virt/cockpit-session        | 10 +++++-
 apparmor.d/groups/virt/cockpit-ssh            |  1 +
 apparmor.d/groups/virt/cockpit-tls            |  2 ++
 apparmor.d/groups/virt/cockpit-ws             |  1 +
 .../groups/virt/cockpit-wsinstance-factory    |  2 ++
 apparmor.d/groups/virt/libvirt-dbus           |  1 +
 10 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/groups/virt/cockpit-pcp

diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index f3367b5e..ae5324f6 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -21,6 +21,7 @@ profile cockpit-bridge @{exec_path} {
   network inet6 dgram,
   network inet6 stream,
 
+  signal (send) set=term peer=cockpit-pcp,
   signal (send) set=term peer=dbus-daemon,
   signal (send) set=term peer=ssh-agent,
   signal (send) set=term peer=sudo,
@@ -29,6 +30,8 @@ profile cockpit-bridge @{exec_path} {
   @{exec_path} mr,
 
   /{usr/,}bin/journalctl rPx,
+  /{usr/,}lib/cockpit/cockpit-pcp rPx,
+  /{usr/,}lib/cockpit/cockpit-ssh rPx,
 
   /usr/share/cockpit/{,**} r,
 
diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure
index 226e1a95..f91cdf30 100644
--- a/apparmor.d/groups/virt/cockpit-certificate-ensure
+++ b/apparmor.d/groups/virt/cockpit-certificate-ensure
@@ -10,9 +10,17 @@ include <tunables/global>
 profile cockpit-certificate-ensure @{exec_path} {
   include <abstractions/base>
 
+  capability dac_override,
+  capability dac_read_search,
+  capability chown,
+
   @{exec_path} mr,
 
+  /{usr/,}lib/cockpit/cockpit-certificate-helper rPx,
+
   /etc/cockpit/ws-certs.d/{,*} r,
 
+  owner @{run}/cockpit/tls/server/{,**} rw,
+
   include if exists <local/cockpit-certificate-ensure>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper
index 85f029ce..938185be 100644
--- a/apparmor.d/groups/virt/cockpit-certificate-helper
+++ b/apparmor.d/groups/virt/cockpit-certificate-helper
@@ -9,8 +9,23 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/cockpit/cockpit-certificate-helper
 profile cockpit-certificate-helper @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/chmod rix,
+  /{usr/,}bin/id rix,
+  /{usr/,}bin/mkdir rix,
+  /{usr/,}bin/mv rix,
+  /{usr/,}bin/rm rix,
+  /{usr/,}bin/sscg rix,
+  /{usr/,}bin/tr rix,
+
+  /etc/machine-id r,
+
+  owner @{run}/cockpit/certificate-helper/{,**} rw,
+
   include if exists <local/cockpit-certificate-helper>
+
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp
new file mode 100644
index 00000000..744f02fc
--- /dev/null
+++ b/apparmor.d/groups/virt/cockpit-pcp
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/cockpit/cockpit-pcp
+profile cockpit-pcp @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/disks-read>
+
+  network inet6 dgram,
+  network inet6 stream,
+
+  signal (receive) peer=cockpit-bridge,
+
+  @{exec_path} mr,
+
+  /etc/pcp.conf r,
+  /etc/pcp/{,**} r,
+
+  /var/lib/pcp/{,**} rw,
+
+        @{PROC}/diskstats r,
+        @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/mounts r,
+        @{PROC}/@{pid}/net/dev r,
+
+  include if exists <local/cockpit-pcp>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index 72db62cd..ca431636 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -9,8 +9,10 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/cockpit/cockpit-session
 profile cockpit-session @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
   include <abstractions/authentication>
+  include <abstractions/bash>
+  include <abstractions/nameservice-strict>
+  include <abstractions/zsh>
 
   capability audit_write,
   capability dac_read_search,
@@ -24,16 +26,20 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 
   /{usr/,}bin/{,z,ba,da}sh    rix,
   /{usr/,}bin/cockpit-bridge  rPx,
+  /{usr/,}lib/cockpit/cockpit-pcp  rPx,
 
   @{etc_ro}/environment r,
   /etc/group r,
   /etc/motd r,
+  /etc/motd.d/ r,
   @{etc_ro}/security/limits.d/{,*.conf} r,
   /etc/shells r,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
   @{run}/systemd/sessions/*.ref rw,
   @{run}/utmp rwk,
+  @{run}/motd.d/{,*} r,
+  @{run}/cockpit/active.motd r,
 
   /var/log/btmp rw,
   /var/log/lastlog rw,
@@ -43,5 +49,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/uid_map r,
         @{PROC}/@{pids}/fd/ r,
 
+  /dev/tty rw,
+
   include if exists <local/cockpit-session>
 }
diff --git a/apparmor.d/groups/virt/cockpit-ssh b/apparmor.d/groups/virt/cockpit-ssh
index 4ac87225..259ba206 100644
--- a/apparmor.d/groups/virt/cockpit-ssh
+++ b/apparmor.d/groups/virt/cockpit-ssh
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/cockpit/cockpit-ssh
 profile cockpit-ssh @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls
index d742fbaa..a0c38fd1 100644
--- a/apparmor.d/groups/virt/cockpit-tls
+++ b/apparmor.d/groups/virt/cockpit-tls
@@ -16,5 +16,7 @@ profile cockpit-tls @{exec_path} {
 
   /etc/cockpit/ws-certs.d/{,**} r,
 
+  owner @{run}/cockpit/tls/{,**} rw,
+
   include if exists <local/cockpit-tls>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws
index bea2a2c5..dc040fe6 100644
--- a/apparmor.d/groups/virt/cockpit-ws
+++ b/apparmor.d/groups/virt/cockpit-ws
@@ -15,6 +15,7 @@ profile cockpit-ws @{exec_path} {
   /{usr/,}lib/cockpit/cockpit-session  rPx,
 
   /usr/share/cockpit/{,**} r,
+  /usr/share/pixmaps/{,**} r,
   /etc/cockpit/ws-certs.d/ r,
 
   owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory
index 6b0ece47..2fe951d0 100644
--- a/apparmor.d/groups/virt/cockpit-wsinstance-factory
+++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory
@@ -10,6 +10,8 @@ include <tunables/global>
 profile cockpit-wsinstance-factory @{exec_path} {
   include <abstractions/base>
 
+  capability net_admin,
+
   @{exec_path} mr,
 
   include if exists <local/cockpit-wsinstance-factory>
diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus
index 5d3ac6e1..057c245f 100644
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@@ -21,6 +21,7 @@ profile libvirt-dbus @{exec_path} {
 
   owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,
 
+  @{run}/user/@{uid}/libvirt/ rw,
   @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
   @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,