Rewrite the profile for ufw

2025-01-19 01:18:16 +01:00 · 2024-08-27 21:00:20 +08:00 · 2024-08-27 21:00:20 +08:00 · 7716c8a191
commit 7716c8a191
parent d5ee5c51cb
1 changed files with 9 additions and 14 deletions
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@ -8,8 +8,9 @@ include <tunables/global>

@{exec_path} = @{bin}/ufw
 profile ufw @{exec_path} {
-
    include <abstractions/base>
+    include <abstractions/nameservice-strict>
+    include <abstractions/python>

    capability dac_read_search,
    capability net_admin,
@ -21,34 +22,28 @@ profile ufw @{exec_path} {
    @{exec_path} mr,

    @{bin}/ r,
-    @{bin}/python3* ix,
+    @{bin}/env r,
+    @{bin}/python3.@{int} ix,
    @{bin}/cat ix,
    @{bin}/xtables-nft-multi ix,

    @{lib}/ufw/ufw-init ix,

-    @{PROC}/@{pid}/stat r,
-    @{PROC}/@{pid}/fd/ r,
-    @{PROC}/@{pid}/net/ip_tables_names r,
-
-    owner @{bin}/env r,
-
    /etc/ufw/{,**} rwk,

    /etc/default/ufw r,

-    /run/ufw.lock wk,
-
-    /etc/gai.conf r,
-    /etc/nsswitch.conf r,
-    /etc/passwd r,
-    /etc/services r,
+    @{run}/ufw.lock rwk,

    /var/tmp/@{rand8} rw,
    /var/tmp/tmp* rw,
    /tmp/@{rand8} rw,
    /tmp/tmp* rw,

+    @{PROC}/@{pid}/stat r,
+    @{PROC}/@{pid}/fd/ r,
+    @{PROC}/@{pid}/net/ip_tables_names r,
+
    /dev/pts/[0-9]* rw,
    /dev/tty rw,