From 758991f67b3aa6787f37005ff89fe3240c2733d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 9 Nov 2023 17:31:45 +0000 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/gnome/gnome-disk-image-mounter | 1 + apparmor.d/groups/gvfs/gvfsd-fuse | 1 + apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/systemd/systemd-journald | 5 ++++- apparmor.d/groups/ubuntu/ubuntu-report | 5 +++++ apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 + apparmor.d/profiles-a-f/aa-notify | 2 +- apparmor.d/profiles-a-f/cctk | 3 +++ apparmor.d/profiles-g-l/install-info | 1 + apparmor.d/profiles-s-z/s3fs | 2 ++ 10 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 1d54d4fc..68e2e74d 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -13,6 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index ff3d774b..4f3fdfd1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -60,6 +60,7 @@ profile gvfsd-fuse @{exec_path} { /dev/fuse rw, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 1014c2eb..3b5b79ad 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -38,7 +38,7 @@ profile aurpublish @{exec_path} { @{bin}/mv rix, @{bin}/nproc rix, @{bin}/rm rix, - @{bin}/sha512sum rix, + @{bin}/sha*sum rix, @{bin}/tput rix, @{bin}/wc rix, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index f3aa69db..b168c5f4 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -14,8 +14,11 @@ profile systemd-journald @{exec_path} { include capability audit_control, + capability audit_read, + capability chown, + capability dac_override, capability dac_read_search, - capability kill, + capability fowner, capability setgid, capability setuid, capability sys_admin, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index b95ac50f..1c648152 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -12,6 +12,11 @@ profile ubuntu-report @{exec_path} { include include + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index c9f3ce12..84611002 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -47,6 +47,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/kubepods/{,**} rw, + @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 6d742cb5..5f68dd21 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -36,7 +36,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, - owner /tmp/_@{c}@{rand6} rw, + owner /tmp/*@{rand6} rw, owner /tmp/apparmor-bugreport-*.txt rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 6bb31c6c..31789330 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -12,6 +12,7 @@ profile cctk @{exec_path} { include capability mknod, + capability sys_admin, capability sys_rawio, @{exec_path} mr, @@ -19,6 +20,8 @@ profile cctk @{exec_path} { @{lib}/ r, /opt/dell/dcc/*.so* mr, /opt/dell/srvadmin/{,**} r, + /opt/dell/srvadmin/lib64/*.so* rm, + /opt/dell/srvadmin/var/lib/openmanage/.ipc/* rwk, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index b1ba9646..a98d64f7 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -20,6 +20,7 @@ profile install-info @{exec_path} { /usr/share/info/{,**} r, /usr/share/info/dir rw, + /usr/share/info/dir-@{rand6} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index e9c60aea..ee561900 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -65,6 +65,8 @@ profile s3fs @{exec_path} { @{PROC}/@{pids}/mounts r, /dev/fuse rw, + + include if exists } include if exists