feat(profiles): general update.

apparmor.d/groups/apt/dpkg

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -28,18 +29,13 @@ profile dpkg @{exec_path} {
   @{exec_path} mr,
 
   /{usr/,}bin/{,ba,da}sh  rix,
+  /{usr/,}bin/cat         rix,
   /{usr/,}bin/rm          rix,
 
-  # Do not strip env to avoid errors like the following:
-  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
-  #  shared object file): ignored.
-  /{usr/,}bin/dpkg-query  rpx,
   /{usr/,}bin/dpkg-deb    rpx,
-  #
+  /{usr/,}bin/dpkg-query  rpx,
   /{usr/,}bin/dpkg-split  rPx,
-
   /{usr/,}lib/needrestart/dpkg-status rPx,
-
   /usr/share/debian-security-support/check-support-status.hook rPx,
 
   /{usr/,}bin/pager       rCx -> diff,
@@ -47,6 +43,9 @@ profile dpkg @{exec_path} {
   /{usr/,}bin/more        rCx -> diff,
   /{usr/,}bin/diff        rCx -> diff,
 
+  /etc/dpkg/dpkg.cfg.d/{,*} r,
+  /etc/dpkg/dpkg.cfg r,
+
   # Run the package maintainer's scripts
   # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
   # Move it to a child profile once more transitions will be available
@@ -67,19 +66,9 @@ profile dpkg @{exec_path} {
   #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
   #/var/lib/dpkg/tmp.ci/{prerm,postrm}     rCx -> scripts,
 
-  /etc/dpkg/dpkg.cfg.d/{,*} r,
-  /etc/dpkg/dpkg.cfg r,
-
-  owner @{PROC}/@{pid}/fd/ r,
-        @{PROC}/sys/kernel/random/boot_id r,
-
-  owner /tmp/apt-dpkg-install-*/ r,
-
   /var/log/dpkg.log w,
   /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 
-  @{run}/systemd/userdb/ r,
-
   # For shell pwd
   /root/ r,
 
@@ -120,9 +109,14 @@ profile dpkg @{exec_path} {
   /var/*.dpkg-new/ rw,
   /var/*/ rw,
 
-  # file_inherit
-  owner /dev/tty[0-9]* rw,
+  owner /tmp/apt-dpkg-install-*/ r,
 
+  @{run}/systemd/userdb/ r,
+
+  owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/sys/kernel/random/boot_id r,
+
+  owner /dev/tty[0-9]* rw,
 
   profile diff {
     include <abstractions/base>
@@ -134,19 +128,19 @@ profile dpkg @{exec_path} {
     /{usr/,}bin/more  mr,
     /{usr/,}bin/diff  mr,
 
+    /etc/** r,  # Diff changed config files
+    /root/ r,   # For shell pwd
+
     owner @{HOME}/.lesshs* rw,
 
-    # Diff changed config files
-    /etc/** r,
-
-    # For shell pwd
-    /root/ r,
-
   }
 
   profile scripts {
     include <abstractions/base>
 
+    /{usr/,}{s,}bin/    r,
+    /{usr/,}{s,}bin/*   rPUx,
+
     /var/lib/dpkg/info/*.config             r,
     /var/lib/dpkg/info/*.{preinst,postinst} r,
     /var/lib/dpkg/info/*.{prerm,postrm}     r,
@@ -154,11 +148,6 @@ profile dpkg @{exec_path} {
     /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
     /var/lib/dpkg/tmp.ci/{prerm,postrm}     r,
 
-    /{usr/,}bin/    r,
-    /{usr/,}bin/*   rPUx,
-    /{usr/,}sbin/   r,
-    /{usr/,}sbin/*  rPUx,
-
   }
 
   include if exists <local/dpkg>

apparmor.d/groups/apt/unattended-upgrade

@@ -81,14 +81,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /etc/apt/*.list r,
   /etc/apt/apt.conf.d/{,**} r,
   /etc/debian_version r,
+  /etc/default/grub.d/* r,
   /etc/dpkg/origins/{debian,ubuntu,} r,
+  /etc/grub.d/* r,
   /etc/issue{.net,} r,
+  /etc/kernel/*.d/*grub* r,
   /etc/legal r,
   /etc/lsb-release r,
   /etc/profile.d/* r,
-  /etc/update-motd.d/* r,
   /etc/update-manager/{,**} r,
   /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
+  /etc/update-motd.d/* r,
 
   /etc/machine-id r,
 

apparmor.d/groups/grub/grub-mkconfig

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -11,10 +12,17 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/consoles>
 
+  capability dac_override,
   capability dac_read_search,
 
   @{exec_path}                     mr,
-  /etc/grub.d/{**,}                rix,
+
+  /{usr/,}{local/,}{s,}bin/zfs     rPx,
+  /{usr/,}{local/,}{s,}bin/zpool   rPx,
+  /{usr/,}{s,}bin/dmsetup          rPUx,
+  /{usr/,}{s,}bin/grub-probe       rPx,
+  /{usr/,}bin/{,ba,da}sh           rix,
+  /{usr/,}bin/{e,f,}grep           rix,
   /{usr/,}bin/{m,g,}awk            rix,
   /{usr/,}bin/basename             rix,
   /{usr/,}bin/cat                  rix,
@@ -26,22 +34,21 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
   /{usr/,}bin/find                 rix,
   /{usr/,}bin/findmnt              rPx,
   /{usr/,}bin/gettext              rix,
-  /{usr/,}bin/{e,f,}grep           rix,
-  /{usr/,}bin/lsb_release          rPx -> lsb_release,
   /{usr/,}bin/grub-mkrelpath       rPx,
   /{usr/,}bin/grub-script-check    rPx,
   /{usr/,}bin/head                 rix,
   /{usr/,}bin/id                   rPx,
   /{usr/,}bin/ls                   rix,
+  /{usr/,}bin/lsb_release          rPx -> lsb_release,
   /{usr/,}bin/mktemp               rix,
   /{usr/,}bin/mount                rPx,
   /{usr/,}bin/mountpoint           rix,
+  /{usr/,}bin/os-prober            rPx,
   /{usr/,}bin/paste                rix,
   /{usr/,}bin/readlink             rix,
   /{usr/,}bin/rm                   rix,
   /{usr/,}bin/rmdir                rix,
   /{usr/,}bin/sed                  rix,
-  /{usr/,}bin/{,ba,da}sh           rix,
   /{usr/,}bin/sort                 rix,
   /{usr/,}bin/stat                 rix,
   /{usr/,}bin/tail                 rix,
@@ -49,10 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
   /{usr/,}bin/umount               rPx,
   /{usr/,}bin/uname                rix,
   /{usr/,}bin/which{.debianutils,} rix,
-  /{usr/,}{s,}bin/dmsetup          rPUx,
-  /{usr/,}{s,}bin/grub-probe       rPx,
-  /{usr/,}{local/,}{s,}bin/zfs     rPx,
-  /{usr/,}{local/,}{s,}bin/zpool   rPx,
+  /etc/grub.d/{**,}                rix,
 
   /boot/{**,} r,
   /boot/grub/{**,} rw,

apparmor.d/groups/network/NetworkManager

@@ -87,6 +87,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 
   /{usr/,}bin/{,ba,da}sh rix,
 
+  /{usr/,}bin/dnsmasq                            rPx,
   /{usr/,}bin/resolvconf                         rPx,
   /{usr/,}bin/systemctl                          rPx -> child-systemctl,
   /{usr/,}lib/nm-dhcp-helper                     rPx,

apparmor.d/groups/pacman/archlinux-keyring-wkd-sync

@@ -22,9 +22,9 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
 
   /{usr/,}bin/{m,g,}awk    rix,
   /{usr/,}bin/bash         rix,
+  /{usr/,}bin/dirmngr      rix,
   /{usr/,}bin/gpg          rix,
   /{usr/,}bin/pacman-conf  rix,
-  /{usr/,}bin/dirmngr rix,
 
   /etc/pacman.conf r,
   /etc/pacman.d/*-mirrorlist r,
@@ -35,5 +35,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+  /dev/tty rw,
+
   include if exists <local/archlinux-keyring-wkd-sync>
 }

apparmor.d/profiles-s-z/wpa-supplicant

@@ -38,23 +38,20 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /etc/wpa_supplicant/wpa_supplicant.conf rw,
+  /etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
+  /etc/libnl/{classid,pktloc} r,
+
   @{HOME}/.cat_installer/*.pem r,
 
   owner @{run}/wpa_supplicant/{,**} rw,
 
-  /etc/wpa_supplicant/wpa_supplicant.conf r,
-  /etc/libnl/{classid,pktloc} r,
-
-  /dev/rfkill r,
+  @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
 
   @{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
   @{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw,
 
-  @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
-
-  # For wpa_gui
-  #/etc/wpa_supplicant/wpa_supplicant.conf w,
-  #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
+  /dev/rfkill rw,
 
   include if exists <local/wpa-supplicant>
 }