feat(profile): improve support for some profiles.

Most of the rules have come from the integration tests.
2025-01-27 05:18:39 +01:00 · 2024-11-12 22:18:11 +00:00 · 2024-11-12 22:18:11 +00:00 · 66455a9251
commit 66455a9251
parent e4f0f06648
29 changed files with 50 additions and 22 deletions
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@ -14,6 +14,11 @@
       member={Get,GetAll}
       peer=(name=org.freedesktop.hostname1),

+  dbus receive bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
+
  include if exists <abstractions/bus/org.freedesktop.hostname1.d>

 # vim:syntax=apparmor
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/ibus>
@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/ibus-engine-simple>
 }

--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/ibus-x11>
 }

--- a/apparmor.d/groups/cron/cron-apport
+++ b/apparmor.d/groups/cron/cron-apport
@ -18,7 +18,7 @@ profile cron-apport @{exec_path} {

  / r,
  /var/crash/ r,
-  /var/crash/*.crash w,
+  /var/crash/* w,

  include if exists <local/cron-apport>
 }
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -54,6 +54,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/polkit{,-1}/.cache/ rw,

  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,

  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@ -13,8 +13,7 @@ profile upower @{exec_path} {
  include <abstractions/bus-system>
  include <abstractions/consoles>

-  # Needed?
-  audit capability sys_nice,
+  #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -63,8 +63,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  @{lib}/xdg-desktop-portal-validate-icon rPx,
  @{open_path}                            rPx -> child-open,

-        / r,
-  @{att}/.flatpak-info r,
+              / r,
+        @{att}/.flatpak-info r,
+  owner @{att}/ r,

  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
  include <abstractions/user-download-strict>

  signal receive set=term peer=gdm,
+  signal receive set=hup  peer=gdm-session-worker,

  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),

--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
  include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  # Talk with gnome-shell

+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/dirmngr
 profile dirmngr @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/gpg/keyboxd
+++ b/apparmor.d/groups/gpg/keyboxd
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gnupg/keyboxd
 profile keyboxd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  @{exec_path} mr,

--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -36,7 +36,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/app/udevadm>

-    @{run}/udev/control rw,
+    capability net_admin,
+
+    @{att}/@{run}/udev/control rw,
+
    @{run}/udev/rules.d/90-netplan.rules rw,
    @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,

--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} {

  signal (send) peer=child-pager,

+  unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system,
+
  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@ -10,6 +10,8 @@ include <tunables/global>
 profile systemd-cgls @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.systemd1>
+  include <abstractions/consoles>

  capability sys_ptrace,

@ -17,6 +19,8 @@ profile systemd-cgls @{exec_path} {

  signal send set=cont peer=child-pager,

+  unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system,
+
  @{exec_path} mr,

  @{pager_path} rPx -> child-pager,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
  /etc/machine-info rw,
  /etc/os-release r,

+  @{att}/@{run}/systemd/notify rw,
+
  @{run}/systemd/default-hostname rw,
-  @{run}/systemd/notify rw,
  @{run}/udev/data/+dmi:* r,              # for motherboard info

  @{sys}/devices/virtual/dmi/id/ r,
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  /etc/X11/xorg.conf.d/.#*.confd* rw,
  /etc/X11/xorg.conf.d/*.conf rw,

-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,

  include if exists <local/systemd-localed>
 }
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -95,6 +95,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

  @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,

  @{run}/systemd/inhibit/ rw,
  @{run}/systemd/inhibit/.#* rw,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -25,6 +25,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/oomd.conf.d/{,**} r,

  @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,

  @{run}/systemd/io.system.ManagedOOM rw,
  @{run}/systemd/io.systemd.ManagedOOM rw,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -41,8 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/resolved.conf r,
  /etc/systemd/resolved.conf.d/{,*} r,

+  @{att}/@{run}/systemd/notify w,
+
  @{run}/systemd/netif/links/* r,
-  @{run}/systemd/notify rw,
  @{run}/systemd/resolve/{,**} rw,

  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
  /etc/.#timezone* rw,
  /etc/timezone rw,

-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,

  /dev/rtc@{int} r,

--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@ -30,6 +30,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)

  /etc/machine-id r,

+  @{att}/@{run}/systemd/notify w,
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
  @{run}/systemd/userdb/{,**} rw,

  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/profiles-a-f/cpuid
+++ b/apparmor.d/profiles-a-f/cpuid
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/cpuid
 profile cpuid @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability mknod,

--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@ -29,7 +29,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {

  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

-  @{run}/systemd/journal/socket rw,
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

  @{sys}/class/hidraw/ r,
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@ -30,8 +30,10 @@ profile ip @{exec_path} flags=(attach_disconnected) {
  umount /sys/,

  @{exec_path} mrix,
+
+  # To run command with 'ip netns exec'
  @{shells_path} rUx,
-  @{bin}/sudo rPx,
+  @{bin}/sudo    rPx,

  @{att}/ r,

@ -40,6 +42,7 @@ profile ip @{exec_path} flags=(attach_disconnected) {

  /usr/share/iproute2/{,**} r,

+        @{run}/netns/ r,
        @{run}/netns/* rw,
  owner @{run}/netns/ rwk,

--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@ -35,6 +35,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/pci/devices/ r,
  @{sys}/bus/pci/slots/ r,
  @{sys}/bus/pci/slots/@{int}-@{int}/address r,
+  @{sys}/bus/pci/slots/@{int}/address r,
  @{sys}/devices/@{pci}/** r,
  @{sys}/module/compression r,

--- a/apparmor.d/profiles-m-r/pinentry-gnome3
+++ b/apparmor.d/profiles-m-r/pinentry-gnome3
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/pinentry-gnome3
 profile pinentry-gnome3 @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-session>
  include <abstractions/consoles>

  signal (receive) set=(int) peer=gpg-agent,
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -42,6 +42,7 @@ profile snap @{exec_path} {
  @{exec_path} mrix,

  @{bin}/mount rix,
+  @{bin}/getent rix,

  @{bin}/gpg{,2}          rCx -> gpg,
  @{bin}/systemctl        rCx -> systemctl,
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@ -13,9 +13,8 @@ profile sync @{exec_path} {

  @{exec_path} mr,

-  # Common paths where sync is used to flush all write operations on a single file to disk
-  # TODO: /** rw, ?
-  /boot/initrd-*-default rw,
+  # All paths where sync can be used to flush all write operations on a single file to disk
+  /** rw,

  include if exists <local/sync>
 }
--- a/apparmor.d/profiles-s-z/uuidd
+++ b/apparmor.d/profiles-s-z/uuidd
@ -17,8 +17,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {

  owner /var/lib/libuuid/clock.txt rwk,

-  @{run}/uuidd/request w,
-  @{att}/@{run}/uuidd/request w,
+  @{run}/uuidd/request rw,
+  @{att}/@{run}/uuidd/request rw,

  include if exists <local/uuidd>
 }