diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec
index 5b919795..65d34ec6 100644
--- a/apparmor.d/abstractions/app/pkexec
+++ b/apparmor.d/abstractions/app/pkexec
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
 # Minimal set of rules for pkexec.
@@ -18,6 +19,7 @@
 capability net_admin,
 capability setgid,
 capability setuid,
+ capability sys_ptrace,
 capability sys_resource,
 network netlink raw, # PAM
@@ -26,8 +28,6 @@
 @{bin}/pkexec mr,
- @{etc_ro}/environment r,
- @{etc_ro}/security/limits.d/{,*} r,
 /etc/shells r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index c75c3f83..36fae9ce 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -72,8 +72,6 @@ profile update-notifier @{exec_path} {
 include
 include
- capability sys_ptrace,
-
 ptrace read peer=update-notifier,
 @{lib}/update-notifier/package-system-locked Px,
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index ce1ea9dc..c7bfbcef 100644
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -8,15 +8,15 @@ abi ,
 include
 @{exec_path} = @{bin}/pkexec
-profile pkexec @{exec_path} flags=(complain) {
+profile pkexec @{exec_path} {
 include
 include
- audit capability sys_nice,
+ capability sys_nice,
- signal (send) set=(term, kill) peer=polkit-agent-helper,
+ signal send set=(term, kill) peer=polkit-agent-helper,
- ptrace (read),
+ ptrace read,
 @{exec_path} mr,
@@ -28,7 +28,7 @@ profile pkexec @{exec_path} flags=(complain) {
 /etc/default/locale r,
 @{PROC}/@{pid}/fdinfo/@{int} r,
- @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
 include if exists
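Review bot: `capability sys_ptrace,` is added to the shared abstraction with no comment saying which access needs it, and the update-notifier hunk in this same diff removes the identical capability from that profile, so every profile that includes this abstraction now inherits it instead of the one profile that had it. A capability rule in an abstraction should name the operation it backs, e.g. `capability sys_ptrace,  # TODO(review): name the access that triggers this` — the `@{PROC}/@{pid}/stat r,` read in the pkexec profile hunk looks like the candidate, but that is inferred, not shown here. No `ptrace` rule accompanies the capability in the abstraction, so consumers presumably still keep their own `ptrace read peer=...` line, as update-notifier does after this change.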
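Review bot: `ptrace read,` carries no `peer=` qualifier, so now that the same hunk drops `flags=(complain)` and the profile enforces, it permits reading the state of any confined or unconfined process rather than only the one pkexec inspects. If the target is a single known peer, a `peer=` restriction in the style of the `signal send set=(term, kill) peer=polkit-agent-helper,` line on the new side would narrow it; if it has to stay open, a trailing comment such as `ptrace read,  # TODO(review): which process and why` should record the reason. Dropping `audit` from `capability sys_nice,` in the same hunk also removes the log entry that would have shown whether the capability is exercised once enforcing; keeping `audit capability sys_nice,` until the profile has run in enforce mode would confirm the rule is still needed before it becomes silent.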
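Review bot: `@{PROC}/@{pid}/stat r,` on the new side has no `owner` qualifier while the adjacent `owner @{PROC}/@{pid}/fd/ r,` does, so — assuming `@{pid}` expands to a generic pid pattern as `@{pids}` presumably did — the rule allows reading the stat entry of any process, not only pkexec's own. If that asymmetry is deliberate because pkexec inspects a different process, a comment such as `@{PROC}/@{pid}/stat r,  # TODO(review): whose stat is read here` would make it visibly intentional; if it is not, adding `owner` brings the rule in line with its neighbour. The profile body continues outside this hunk.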