feat(abs): add the pkexec app abs.

2024-11-14 23:43:56 +01:00 · 2024-09-20 23:24:15 +01:00 · 2024-09-20 23:24:15 +01:00 · 96defe021c
commit 96defe021c
parent 7a3a1f7725
8 changed files with 85 additions and 36 deletions
--- a/apparmor.d/abstractions/app/pkexec
+++ b/apparmor.d/abstractions/app/pkexec
@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Minimal set of rules for pkexec.
+
+  include <abstractions/authentication>
+  include <abstractions/bus-system>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
+
+  capability audit_write,
+  capability dac_override,
+  capability dac_read_search,
+  capability net_admin,
+  capability setgid,
+  capability setuid,
+  capability sys_resource,
+
+  network netlink raw,   # PAM
+
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
+
+  @{bin}/pkexec    mr,
+
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*} r,
+  /etc/shells r,
+
+  owner @{PROC}/@{pid}/loginuid r,
+
+  owner /dev/tty@{int} rw,
+
+  deny @{user_share_dirs}/gvfs-metadata/* r,
+
+  include if exists <abstractions/app/pkexec.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@ -48,7 +48,7 @@ profile synaptic @{exec_path} {
  @{bin}/dpkg-preconfigure  rPx,
  @{bin}/localepurge        rPx,
  @{bin}/lsb_release        rPx -> lsb_release,
-  @{bin}/pkexec             rPx,
+  @{bin}/pkexec             rCx -> pkexec,
  @{bin}/ps                 rPx,
  @{bin}/software-properties-gtk rPx,
  @{bin}/tasksel            rPx,
@ -110,6 +110,13 @@ profile synaptic @{exec_path} {
  deny @{bin}/gdbus x,
  deny @{user_share_dirs}/gvfs-metadata/{*,} r,

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    include if exists <local/synaptic_pkexec>
+  }
+
  include if exists <local/synaptic>
 }

--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -82,8 +82,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {

  profile pkexec {
    include <abstractions/base>
-
-    @{bin}/pkexec mr,
+    include <abstractions/app/pkexec>

    include if exists <local/gnome-system-monitor_pkexec>
  }
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} {
  @{bin}/ldd                    rix,
  @{bin}/lsb_release            rPx -> lsb_release,
  @{bin}/md5sum                 rix,
-  @{bin}/pkexec                 rPx, # TODO: rCx or something
+  @{bin}/pkexec                 rCx -> pkexec,
  @{bin}/systemctl              rCx -> systemctl,
  @{bin}/systemd-detect-virt    rPx,
  @{bin}/uname                  rix,
@ -124,6 +124,13 @@ profile apport-gtk @{exec_path} {
    include if exists <local/apport-gtk_gdb>
  }

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    include if exists <local/apport-gtk_pkexec>
+  }
+
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -53,7 +53,7 @@ profile update-notifier @{exec_path} {

  @{bin}/dpkg                                    rPx -> child-dpkg,
  @{bin}/lsb_release                             rPx -> lsb_release,
-  @{bin}/pkexec                                  rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked
+  @{bin}/pkexec                                  rCx -> pkexec,
  @{bin}/snap                                   rPUx,
  @{bin}/software-properties-gtk                 rPx,
  @{bin}/systemctl                               rCx -> systemctl,
@ -85,6 +85,15 @@ profile update-notifier @{exec_path} {
        @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pid}/fd/ r,

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    @{lib}/update-notifier/package-system-locked Px,
+
+    include if exists <local/update-notifier_pkexec>
+  }
+
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@ -29,7 +29,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
  @{bin}/flatpak                       rPx,
  @{bin}/getent                        rix,
  @{bin}/p11-kit                       rix,
-  @{bin}/pkexec                        rPx, # TODO: too wide, rCx.
+  @{bin}/pkexec                        rCx -> pkexec,
  @{bin}/printenv                      rix,
  @{bin}/ps                            rPx,
  @{bin}/test                          rix,
@ -46,6 +46,13 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {

  /dev/ptmx rw,

+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    include if exists <local/flatpak-session-helper_pkexec>
+  }
+
  include if exists <local/flatpak-session-helper>
 }

--- a/apparmor.d/profiles-g-l/gsmartcontrol-root
+++ b/apparmor.d/profiles-g-l/gsmartcontrol-root
@ -17,7 +17,14 @@ profile gsmartcontrol-root @{exec_path} {

  @{bin}/which{,.debianutils}      rix,

-  @{bin}/pkexec     rPx,
+  @{bin}/pkexec     rCx -> pkexec,
+
+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    include if exists <local/gsmartcontrol-root_pkexec>
+  }

  include if exists <local/gsmartcontrol-root>
 }
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@ -8,31 +8,16 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/pkexec
-profile pkexec @{exec_path} {
+profile pkexec @{exec_path} flags=(complain) {
  include <abstractions/base>
-  include <abstractions/authentication>
-  include <abstractions/bus-system>
-  include <abstractions/consoles>
-  include <abstractions/nameservice-strict>
-  include <abstractions/wutmp>
+  include <abstractions/app/pkexec>

-  capability audit_write,
-  capability dac_read_search,
-  capability net_admin,
-  capability setgid,  # gdbus
-  capability setuid,  # gmain
-  capability sys_ptrace,
-  capability sys_resource,
-  audit deny capability sys_nice,
-
-  network netlink raw,
+  audit capability sys_nice,

  signal (send) set=(term, kill) peer=polkit-agent-helper,

  ptrace (read),

-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
-
  @{exec_path} mr,

  @{bin}/*       PUx,
@ -40,22 +25,11 @@ profile pkexec @{exec_path} {
  /opt/*/**      PUx,
  /usr/share/**  PUx,

-  @{etc_ro}/environment r,
-  @{etc_ro}/security/limits.d/{,*} r,
  /etc/default/locale r,
-  /etc/shells r,

        @{PROC}/@{pid}/fdinfo/@{int} r,
        @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/loginuid r,
-
-  # file_inherit
-  owner /dev/tty@{int} rw,
-  owner @{HOME}/.xsession-errors w,
-
-  # Silencer
-  deny @{user_share_dirs}/gvfs-metadata/* r,

  include if exists <local/pkexec>
 }