From 5ea6ede5895d1704ed15d965f6b66c50e1272b16 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 8 Apr 2023 13:07:59 +0100
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/abstractions/chromium | 1 +
 apparmor.d/groups/apt/apt-methods-http | 2 ++
 apparmor.d/groups/children/child-dpkg | 4 ++--
 apparmor.d/groups/gnome/evolution-calendar-factory | 8 +++++---
 apparmor.d/groups/gnome/gdm-session-worker | 1 +
 apparmor.d/groups/systemd/networkctl | 4 ++--
 apparmor.d/groups/systemd/systemd-coredump | 1 +
 apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +-
 apparmor.d/groups/virt/cockpit-bridge | 3 +++
 apparmor.d/groups/virt/docker-proxy | 3 +++
 apparmor.d/groups/virt/dockerd | 1 +
 apparmor.d/groups/virt/virtinterfaced | 4 ++++
 apparmor.d/groups/virt/virtnodedevd | 9 ++++++---
 apparmor.d/groups/virt/virtsecretd | 8 ++++++--
 apparmor.d/profiles-g-l/lvm | 2 ++
 apparmor.d/profiles-m-r/packagekitd | 2 +-
 apparmor.d/profiles-s-z/steam-gameoverlayui | 2 +-
 apparmor.d/profiles-s-z/steam-reaper | 2 ++
 apparmor.d/profiles-s-z/sudo | 1 +
 dists/flags/main.flags | 5 ++---
 dists/flags/ubuntu.flags | 3 ++-
 21 files changed, 49 insertions(+), 19 deletions(-)

diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index 67d0ca1a..cb258cc9 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -153,6 +153,7 @@
 @{PROC}/@{pids}/statm r,
 @{PROC}/@{pids}/task/@{tid}/stat r,
 @{PROC}/@{pids}/task/@{tid}/status r,
+ @{PROC}/pressure/{memory,cpu,io} r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/vmstat r,
diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http
index 6b5a5083..b83077e9 100644
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@@ -31,6 +31,8 @@ profile apt-methods-http @{exec_path} {
 signal (receive) peer=unattended-upgrade,
 signal (receive) peer=update-manager,
+ ptrace (read),
+
 @{exec_path} mr, # apt-helper gets "no new privs" so "rix" it
diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg
index 51ba71c5..174db2cc 100644
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@@ -17,8 +17,8 @@ profile child-dpkg {
 include
 include
- # Needed?
- deny capability setgid,
+ capability dac_read_search,
+ capability setgid,
 /{usr/,}bin/dpkg mr,
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 0a6f3e32..59a5ae53 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -42,12 +42,14 @@ profile evolution-calendar-factory @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
- owner @{user_share_dirs}/evolution/tasks/system/ w,
- owner @{user_share_dirs}/evolution/tasks/system/tasks.ics r,
 owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
 owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
+ owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
+ owner @{user_share_dirs}/evolution/tasks/system/ w,
+ owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw,
+ owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index da788324..5d683e05 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
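Review bot: The new `ptrace (read),` carries no peer qualifier, so apt-methods-http is allowed the PTRACE_MODE_READ-gated /proc reads against processes under any label; the same unqualified rule is added to lvm later in this patch. The virt profiles in this same change show the narrower form, `ptrace (read) peer=virtqemud,`. Unless the denial that motivated the rule came from several unrelated peers, qualifying it with the peer recorded in the audit entry — `ptrace (read) peer=<peer-label-from-denial>,` — plus a short comment naming the trigger keeps the grant scoped and reviewable. The enclosing profile starts and ends outside the hunk.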
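Review bot: In child-dpkg, `deny capability setgid,` annotated `# Needed?` becomes an unconditional allow and `capability dac_read_search,` is added beside it, yet the hunk records no reason for either; if child-dpkg is, as its group name suggests, a child profile entered from several parents, the widening applies to every one of them. A one-line comment per capability naming the dpkg operation that was denied (from the audit log) would let the next reviewer confirm the grant is still required. Note that `dac_read_search` only relaxes DAC checks; this profile's file rules still mediate which paths dpkg can read. The profile header is outside the hunk.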
@@ -84,6 +84,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/keyring/control rw, + @{run}/cockpit/active.motd r, @{run}/faillock/[a-zA-z0-9]* rwk, @{run}/gdm{3,}/custom.conf r, @{run}/motd.d/{,*} r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 3f352673..3c6e44fc 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -13,10 +13,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_module, # Needed? (#FIXME#) audit capability sys_resource, - audit capability sys_module, signal send peer=child-pager, @@ -27,7 +27,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/network[0-9] interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.network[0-9]), + peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 29033667..e000595d 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -14,6 +14,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted include include + capability dac_override, capability dac_read_search, capability net_admin, capability setgid, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index cb762049..1b5fb749 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available 
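Review bot: In networkctl, `capability sys_module,` is granted with an open `# Needed? (#FIXME#)` while the `audit` prefix the old `audit capability sys_module,` carried is dropped, so a module-load attempt by a network status tool now succeeds without leaving an audit record — exactly the evidence needed to resolve the FIXME. Keeping the qualifier, `audit capability sys_module, # Needed? (#FIXME#)`, preserves both the grant and the log trail until the need is confirmed; if it turns out to be unnecessary, `deny capability sys_module,` is the safer end state. The sibling `audit capability sys_resource,` on the next line shows the convention this profile already follows. The profile header is outside the hunk.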
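Review bot: In systemd-coredump, `capability dac_override,` is added next to the existing `capability dac_read_search,` without a comment; dac_override additionally bypasses DAC write and execute checks, which is a broader grant than the read-search bypass already present. A short comment naming the path whose denial required it (presumably the core-file destination — worth confirming from the audit entry) would document why read-search was not sufficient. The profile header is outside the hunk.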
@@ -39,7 +39,7 @@ profile update-motd-updates-available @{exec_path} {
 /etc/machine-id r,
 /var/lib/update-notifier/{,*} rw,
- /var/lib/ubuntu-advantage/apt-esm/var/cache/apt/pkgcache.bin* rw,
+ /var/lib/ubuntu-advantage/apt-esm/var/cache/apt/*pkgcache.bin* rw,
 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index 6817e508..5ba01787 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -23,6 +23,7 @@ profile cockpit-bridge @{exec_path} {
 signal (send) set=term peer=cockpit-pcp,
 signal (send) set=term peer=dbus-daemon,
+ signal (send) set=term peer=journalctl,
 signal (send) set=term peer=ssh-agent,
 signal (send) set=term peer=sudo,
 signal (send) set=term peer=unconfined,
@@ -36,9 +37,11 @@ profile cockpit-bridge @{exec_path} {
 /usr/share/cockpit/{,**} r,
 /etc/cockpit/{,**} r,
+ /etc/login.defs r,
 /etc/machine-id r,
 /etc/motd r,
 /etc/shadow r,
+ /etc/shells r,
 owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy
index 54f66d66..bbf66911 100644
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@@ -11,10 +11,13 @@ profile docker-proxy @{exec_path} {
 include
 capability net_admin,
+ capability net_bind_service,
 network inet stream,
 network inet6 stream,
+ signal (receive) set=int peer=dockerd,
+
 @{exec_path} mr,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 78284fca..28442564 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -47,6 +47,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 ptrace (read) peer=docker-*,
 ptrace (read) peer=unconfined,
+ signal (send) set=int peer=docker-proxy,
 signal (send) set=kill peer=docker-*,
 signal (send) set=term peer=containerd,
diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced
index 6ad01f9b..de6d6e06 100644
--- a/apparmor.d/groups/virt/virtinterfaced
+++ b/apparmor.d/groups/virt/virtinterfaced
@@ -14,6 +14,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ ptrace (read) peer=virtqemud,
+
 @{exec_path} mr,
 /{usr/,}lib/gconv/gconv-modules rm,
@@ -33,6 +35,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
 @{sys}/class/ r,
 @{sys}/class/net/ r,
 @{sys}/devices/pci[0-9]*/**/net/{,**} r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/node[0-9]*/meminfo r,
 @{sys}/devices/virtual/net/{,**} r,
 owner @{PROC}/@{pids}/stat r,
diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd
index 120e1457..35317bc8 100644
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@@ -17,11 +17,13 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ ptrace (read) peer=virtqemud,
+
 @{exec_path} mr,
 /{usr/,}bin/mdevctl rPx,
- /usr/share/hwdata/pnp.ids r,
+ /usr/share/hwdata/*.ids r,
 /etc/mdevctl.d/{,**} r,
@@ -46,7 +48,8 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c1:[0-9]* r, # For RAM disk
 @{run}/udev/data/c10:[0-9]* r, # For non-serial mice, misc features
- @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
+ @{run}/udev/data/c13:[0-9]* r, # For /dev/input/*
+ @{run}/udev/data/c29:[0-9]* r, # For /dev/fb[0-9]*
 @{run}/udev/data/c90:[0-9]* r, # For RAM, ROM, Flash
 @{run}/udev/data/c116:[0-9]* r, # For ALSA
 @{run}/udev/data/c226:[0-9]* r, # For /dev/dri/card[0-9]*
@@ -68,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/meminfo r,
- @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date} r,
+ @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
 @{sys}/devices/virtual/net/{,**} r,
 @{sys}/kernel/iommu_groups/ r,
 @{sys}/kernel/iommu_groups/[0-9]*/devices/ r,
diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd
index a2491549..bf08855c 100644
--- a/apparmor.d/groups/virt/virtsecretd
+++ b/apparmor.d/groups/virt/virtsecretd
@@ -14,13 +14,17 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ ptrace (read) peer=virtqemud,
+
 @{exec_path} mr,
+ owner @{user_config_dirs}/libvirt/secrets/ rw,
+ owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk,
+
 @{run}/systemd/inhibit/*.ref rw,
 owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
 owner @{run}/user/@{uid}/libvirt/secrets/ rw,
- owner @{run}/user/@{uid}/libvirt/secrets/run rw,
- owner @{run}/user/@{uid}/libvirt/secrets/run/* rwk,
+ owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk,
 owner @{run}/user/@{uid}/libvirt/virtsecretd* rwk,
 @{run}/utmp rk,
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index e9112b2e..0efafd25 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -21,6 +21,8 @@ profile lvm @{exec_path} {
 capability sys_nice,
 capability sys_rawio,
+ ptrace (read),
+
 @{exec_path} rm,
 @{etc_rw}/lvm/** rwkl,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 4ab864f6..4022f948 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -42,7 +42,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.{DBus.Introspectable,PackageKit} member={Introspect,StateHasChanged} - peer=(name=:*, label=apt), + peer=(name=:*), dbus (send,receive) bus=system path=/[0-9]*_@{hex} interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction}, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index a6ab0c88..55d16d57 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -54,7 +54,7 @@ profile steam-gameoverlayui @{exec_path} { owner /tmp/miles_image_* mrw, @{sys}/ r, - @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpu[0-9]*/** r, @{sys}/kernel/ r, @{PROC}/version r, diff --git a/apparmor.d/profiles-s-z/steam-reaper b/apparmor.d/profiles-s-z/steam-reaper index a18c77a9..e6fd3070 100644 --- a/apparmor.d/profiles-s-z/steam-reaper +++ b/apparmor.d/profiles-s-z/steam-reaper @@ -29,6 +29,8 @@ profile steam-reaper @{exec_path} { owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + @{sys}/devices/system/cpu/cpu[0-9]*/** r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index e7b53038..b54759d4 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -80,6 +80,7 @@ profile sudo @{exec_path} { @{run}/ r, @{run}/faillock/{,*} rwk, @{run}/resolvconf/resolv.conf r, + @{run}/systemd/sessions/* r, owner @{run}/sudo/ rw, owner @{run}/sudo/ts/ rw, owner @{run}/sudo/ts/* rwk, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index dd7d18f1..3a1465d6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
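Review bot: Dropping `label=apt` from `peer=(name=:*, label=apt)` on this `dbus receive` rule lets a client under any label deliver `StateHasChanged` and `Introspect` to the PackageKit object, where previously only the apt profile could. If the change was prompted by a second legitimate sender, listing that sender's label alongside apt keeps the restriction; if the label had to go because the sender is unconfined, a one-line comment saying so would record that the widening is deliberate rather than a shortcut. The enclosing profile starts and ends outside the hunk.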
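Review bot: In steam-gameoverlayui, `@{sys}/devices/system/cpu/cpu[0-9]*/** r,` replaces the single `cpuinfo_max_freq` path with a recursive read of every per-CPU sysfs subtree, and steam-reaper gains the same glob in the next hunk. These are read-only kernel attributes, so the exposure is modest, but the glob silently covers whatever the kernel adds under cpuN/ in future, and nothing in the hunk says which files Steam actually reads. A comment naming the files that triggered the denials would justify the wider match, or allow the rule to be narrowed back to those paths later.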
@@ -63,7 +63,6 @@ fdisk complain
 file-roller complain
 firewalld complain
 flatpak-session-helper complain
-fprintd attach_disconnected,complain
 fsck-ext4 complain
 fuse-overlayfs complain
 fusermount complain
@@ -277,8 +276,8 @@ virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
 virtlockd complain
 virtnetworkd complain
-virtnodedevd complain
-virtsecretd complain
+virtnodedevd attach_disconnected,complain
+virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain
diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags
index c4f02724..c491729d 100644
--- a/dists/flags/ubuntu.flags
+++ b/dists/flags/ubuntu.flags
@@ -9,11 +9,12 @@ list-oem-metapackages complain
 livepatch-notification complain
 notify-reboot-required complain
 package-system-locked attach_disconnected,complain
+pro complain
 release-upgrade-motd complain
-software-properties-gtk
 software-properties-gtk complain
 ubuntu-advantage complain
 ubuntu-advantage-notification complain
+ubuntu-distro-info complain
 ubuntu-report complain
 update-manager attach_disconnected,complain
 update-motd-fsck-at-reboot complain