From 7033a13bc2ec697f81704a20ac90992e6efef4c0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 1 Oct 2024 18:15:51 +0100
Subject: [PATCH] fix(profile): update ufw. fix #537
---
 apparmor.d/profiles-s-z/ufw | 15 ++++++++++++---
 dists/flags/main.flags | 1 +
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw
index 525e543b..685eed20 100644
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@@ -16,10 +16,16 @@ profile ufw @{exec_path} {
 capability dac_read_search,
 capability net_admin,
+ capability net_raw,
+ capability sys_ptrace,
- network netlink raw,
 network inet dgram,
+ network inet raw,
 network inet6 dgram,
+ network inet6 raw,
+ network netlink raw,
+
+ ptrace read,
 @{exec_path} mr,
@@ -27,14 +33,16 @@ profile ufw @{exec_path} {
 @{bin}/cat ix,
 @{bin}/env r,
 @{bin}/python3.@{int} ix,
+ @{bin}/sysctl ix,
 @{bin}/xtables-legacy-multi ix,
 @{bin}/xtables-nft-multi ix,
 @{lib}/ufw/ufw-init ix,
- /etc/default/ufw r,
+ /etc/default/ufw rw,
 /etc/ufw/ rw,
 /etc/ufw/** rwk,
+ @{run}/xtables.lock rwk,
 owner @{run}/ufw.lock rwk,
 owner @{tmp}/@{word8} rw,
@@ -45,9 +53,10 @@ profile ufw @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/net/ip_tables_names r,
 @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+ @{PROC}/sys/kernel/modprobe r,
 include if exists
-
 }
 # vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 16c61640..e1c8a057 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -382,6 +382,7 @@ tracker-writeback complain
 udev-dmi-memory-id complain
 udisksctl complain
 udisksd attach_disconnected,complain
+ufw complain
 update-grub complain
 update-secureboot-policy complain
 userdbctl complain
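Review bot: `ptrace read,` in the first hunk of apparmor.d/profiles-s-z/ufw has no peer qualifier, so together with the new `capability sys_ptrace,` and the existing `@{PROC}/@{pid}/fd/ r,` and `@{PROC}/@{pid}/stat r,` rules the profile is allowed to inspect any process on the system rather than the one ufw actually needs to look at. If the denial behind #537 names a specific peer label, `ptrace read peer=<peer label from the audit log>,` (placeholder) keeps the grant to that target; if ufw only inspects processes it spawned under this same profile, `ptrace read peer=@{profile_name},` would be the narrower form. A one-line comment above the rule saying which ufw operation needs it would also help, since the reason is not visible in the hunk. The profile header is above this hunk and its body continues past it.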
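Review bot: `@{PROC}/sys/net/ipv{4,6}/** rw,` in the third hunk grants write access to every IPv4 and IPv6 sysctl, and because `@{bin}/sysctl ix,` in the second hunk runs sysctl inside this same profile, any key under those trees that sysctl is asked to set will be permitted. The keys ufw applies from its own sysctl configuration are not visible on this page; if they are a known fixed set, listing them, or at least the subtrees they live in, would be the tighter rule, and a comment naming the config file they come from would document why the write is there. The neighbouring `@{PROC}/sys/kernel/modprobe r,` is read-only and looks fine as written.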
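Review bot: `ufw complain` in dists/flags/main.flags puts the whole profile in complain mode, so the rules added to apparmor.d/profiles-s-z/ufw in this same commit are logged rather than enforced until the flag is removed again. Nothing in the hunk records why ufw is parked here or what has to be confirmed before it returns to enforce; the subject only says it fixes #537. If the flags format accepts a trailing comment, a short reason next to the entry would make that visible; otherwise a sentence in the commit description naming the outstanding denials to watch for would serve the same purpose.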