feat(abs): add the pkexec app abs.

Alexandre Pujol 2024-09-20 23:24:15 +01:00
parent 7a3a1f7725
commit 96defe021c
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
8 changed files with 85 additions and 36 deletions


@ -0,0 +1,39 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Minimal set of rules for pkexec.
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability audit_write,
capability dac_override,
capability dac_read_search,
capability net_admin,
capability setgid,
capability setuid,
capability sys_resource,
network netlink raw, # PAM
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
@{bin}/pkexec mr,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
/etc/shells r,
owner @{PROC}/@{pid}/loginuid r,
owner /dev/tty@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <abstractions/app/pkexec.d>
# vim:syntax=apparmor
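Review bot: `capability dac_override,` in this abstraction is not in the capability list that the standalone pkexec profile appears to lose in the last file of this commit (audit_write, dac_read_search, net_admin, setgid, setuid, sys_ptrace, sys_resource). Every profile that includes the abstraction therefore gains a discretionary-access bypass that was not granted before, under a header that calls this a minimal set of rules. If the capability was observed in the audit log, I would record that in place, e.g. `capability dac_override, # <reason seen in audit log>`; otherwise drop it and rely on `capability dac_read_search,`.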


@ -48,7 +48,7 @@ profile synaptic @{exec_path} {
@{bin}/dpkg-preconfigure rPx, @{bin}/dpkg-preconfigure rPx,
@{bin}/localepurge rPx, @{bin}/localepurge rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/pkexec rPx, @{bin}/pkexec rCx -> pkexec,
@{bin}/ps rPx, @{bin}/ps rPx,
@{bin}/software-properties-gtk rPx, @{bin}/software-properties-gtk rPx,
@{bin}/tasksel rPx, @{bin}/tasksel rPx,
@ -110,6 +110,13 @@ profile synaptic @{exec_path} {
deny @{bin}/gdbus x, deny @{bin}/gdbus x,
deny @{user_share_dirs}/gvfs-metadata/{*,} r, deny @{user_share_dirs}/gvfs-metadata/{*,} r,
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
include if exists <local/synaptic_pkexec>
}
include if exists <local/synaptic> include if exists <local/synaptic>
} }
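Review bot: The new `pkexec` child profile has no exec rule for the program pkexec is asked to start. It holds only `abstractions/base`, `abstractions/app/pkexec` (which, as shown in this commit, grants `@{bin}/pkexec mr,` and no `x` permission) and the local include. With `@{bin}/pkexec rCx -> pkexec,` replacing the transition to the standalone profile, the launched command would be refused under enforcement unless `local/synaptic_pkexec` supplies the rule. The update-notifier section names its target explicitly (`@{lib}/update-notifier/package-system-locked Px,`); the same is needed here for the command synaptic actually runs, and likewise in the apport-gtk, flatpak-session-helper and gsmartcontrol-root sections. The synaptic profile body continues outside both hunks.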


@ -82,8 +82,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
profile pkexec { profile pkexec {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/pkexec>
@{bin}/pkexec mr,
include if exists <local/gnome-system-monitor_pkexec> include if exists <local/gnome-system-monitor_pkexec>
} }


@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} {
@{bin}/ldd rix, @{bin}/ldd rix,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/md5sum rix, @{bin}/md5sum rix,
@{bin}/pkexec rPx, # TODO: rCx or something @{bin}/pkexec rCx -> pkexec,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/uname rix, @{bin}/uname rix,
@ -124,6 +124,13 @@ profile apport-gtk @{exec_path} {
include if exists <local/apport-gtk_gdb> include if exists <local/apport-gtk_gdb>
} }
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
include if exists <local/apport-gtk_pkexec>
}
profile systemctl { profile systemctl {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/systemctl> include <abstractions/app/systemctl>


@ -53,7 +53,7 @@ profile update-notifier @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked @{bin}/pkexec rCx -> pkexec,
@{bin}/snap rPUx, @{bin}/snap rPUx,
@{bin}/software-properties-gtk rPx, @{bin}/software-properties-gtk rPx,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@ -85,6 +85,15 @@ profile update-notifier @{exec_path} {
@{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mountinfo r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
@{lib}/update-notifier/package-system-locked Px,
include if exists <local/update-notifier_pkexec>
}
profile systemctl { profile systemctl {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/systemctl> include <abstractions/app/systemctl>
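Review bot: `@{lib}/update-notifier/package-system-locked Px,` in the child profile makes the exec depend on a profile being attached to that path, because `Px` has no fallback and the exec is refused when no matching profile is loaded. No such profile is visible in this commit, so it is worth confirming that one ships with the set. Since the helper runs with the privileges pkexec grants, keeping `Px` rather than widening to `PUx` is the safer direction; a short comment such as `# started as root through pkexec, confined by its own profile` would record that intent. The update-notifier profile body continues outside both hunks.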


@ -29,7 +29,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
@{bin}/flatpak rPx, @{bin}/flatpak rPx,
@{bin}/getent rix, @{bin}/getent rix,
@{bin}/p11-kit rix, @{bin}/p11-kit rix,
@{bin}/pkexec rPx, # TODO: too wide, rCx. @{bin}/pkexec rCx -> pkexec,
@{bin}/printenv rix, @{bin}/printenv rix,
@{bin}/ps rPx, @{bin}/ps rPx,
@{bin}/test rix, @{bin}/test rix,
@ -46,6 +46,13 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
/dev/ptmx rw, /dev/ptmx rw,
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
include if exists <local/flatpak-session-helper_pkexec>
}
include if exists <local/flatpak-session-helper> include if exists <local/flatpak-session-helper>
} }


@ -17,7 +17,14 @@ profile gsmartcontrol-root @{exec_path} {
@{bin}/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
@{bin}/pkexec rPx, @{bin}/pkexec rCx -> pkexec,
profile pkexec {
include <abstractions/base>
include <abstractions/app/pkexec>
include if exists <local/gsmartcontrol-root_pkexec>
}
include if exists <local/gsmartcontrol-root> include if exists <local/gsmartcontrol-root>
} }


@ -8,31 +8,16 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/pkexec @{exec_path} = @{bin}/pkexec
profile pkexec @{exec_path} { profile pkexec @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/authentication> include <abstractions/app/pkexec>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability audit_write, audit capability sys_nice,
capability dac_read_search,
capability net_admin,
capability setgid, # gdbus
capability setuid, # gmain
capability sys_ptrace,
capability sys_resource,
audit deny capability sys_nice,
network netlink raw,
signal (send) set=(term, kill) peer=polkit-agent-helper, signal (send) set=(term, kill) peer=polkit-agent-helper,
ptrace (read), ptrace (read),
#aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd
@{exec_path} mr, @{exec_path} mr,
@{bin}/* PUx, @{bin}/* PUx,
@ -40,22 +25,11 @@ profile pkexec @{exec_path} {
/opt/*/** PUx, /opt/*/** PUx,
/usr/share/** PUx, /usr/share/** PUx,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
/etc/default/locale r, /etc/default/locale r,
/etc/shells r,
@{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/fdinfo/@{int} r,
@{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/loginuid r,
# file_inherit
owner /dev/tty@{int} rw,
owner @{HOME}/.xsession-errors w,
# Silencer
deny @{user_share_dirs}/gvfs-metadata/* r,
include if exists <local/pkexec> include if exists <local/pkexec>
} }
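Review bot: `flags=(complain)` on the standalone profile makes every rule for a setuid-root binary log-only, and the commit gives no reason or TODO for it. In the same section `audit deny capability sys_nice,` appears to be replaced by `audit capability sys_nice,`, which turns the capability from denied into allowed-with-logging, while the wide `@{bin}/* PUx,` and `/usr/share/** PUx,` transitions stay in place. If complain mode is only meant for collecting logs after the refactor, say so on a comment line above the profile, e.g. `# TODO: return to enforce once abstractions/app/pkexec is validated`, and keep the `deny` on sys_nice unless a log entry shows pkexec needs it. The old and new side of each line is inferred from the two-column rendering and the `-8,31 +8,16` header.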