LVM and general update (#68)

* Small fixes * General update * Add LVM * Various small fixes * Add profile * Typo * sbin to regex * Date and time to extends * Read cmdline * Remove grep duplicate * Small fixes * Typo * Permissions for warning scripts * Add net_admin for multipath
2025-01-29 22:35:15 +01:00 · 2022-09-06 23:01:17 +02:00 · 2022-09-06 23:01:17 +02:00 · 9818daba5f
commit 9818daba5f
parent 1649b427f8
19 changed files with 237 additions and 49 deletions
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -39,7 +39,7 @@ profile pulseaudio @{exec_path} {
       member={GetState,AddService,AddServiceSubtype,Commit}
       peer=(name=org.freedesktop.Avahi),

-  dbus receive bus=session path=/Client0/EntryGroup[0-9]*
+  dbus receive bus=system path=/Client0/EntryGroup[0-9]*
       interface=org.freedesktop.Avahi.EntryGroup
       member=StateChanged
       peer=(name=org.freedesktop.Avahi),
@ -102,8 +102,8 @@ profile pulseaudio @{exec_path} {
       member=Get
       peer=(name=/org/freedesktop/hostname[0-9]),

-  dbus send bus=system path=/org.freedesktop.hostname[0-9]
-       interface=org.freedesktop.DBus.Prope
+  dbus send bus=system path=/org/freedesktop/hostname[0-9]
+       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name=/org/freedesktop/hostname[0-9]),

--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@ -31,6 +31,9 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
  /var/lib/calico/{,**} r,
  /var/log/calico/cni/ r,
  /var/log/calico/cni/cni.log rw,
+  /var/log/calico/cni/cni-@{date}T@{time}.[0-9]*.log rw,
+  
+  /usr/share/mime/globs2 r,
  
  @{run}/calico/ rw,
  @{run}/calico/ipam.lock rwk,
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -53,14 +53,15 @@ profile containerd @{exec_path} flags=(attach_disconnected) {

  / r,

-  /opt/cni/bin/loopback rPx,
-  /opt/cni/bin/portmap rPx,
+  /opt/cni/bin/loopback  rPx,
+  /opt/cni/bin/portmap   rPx,
  /opt/cni/bin/bandwidth rPx,
-  /opt/cni/bin/calico rPx,
+  /opt/cni/bin/calico    rPx,

-  /etc/cni/              rw,
-  /etc/cni/{,**}         r,
-  /etc/cni/net.d/        rw,
+  /etc/calico/ rw,
+  /etc/cni/ rw,
+  /etc/cni/{,**} r,
+  /etc/cni/net.d/ rw,
  /etc/containerd/*.toml r,

  /opt/containerd/{,**} rw,
@ -87,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  owner /var/tmp/** rwkl,
  owner /tmp/** rwkl,
        /tmp/cri-containerd.apparmor.d[0-9]* rwl,
-        /tmp/ctd-volume[0-9]*/{data,} rw,
+        /tmp/ctd-volume[0-9]*/{data/,} rw,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/profiles r,
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -26,7 +26,7 @@ profile k3s @{exec_path} {
  capability sys_resource,

  ptrace peer=@{profile_name},
-  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
+  ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined},

  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
  # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/blkdeactivate
+profile blkdeactivate @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} rm,
+  /{usr/,}{s,}bin/dmsetup rPUx,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/lsblk rPx,
+  /{usr/,}{s,}bin/lvm rPx,
+  /{usr/,}bin/sort rix,
+  /{usr/,}bin/umount rPx,
+
+  @{sys}/devices/virtual/block/*/holders/ r,
+
+  /dev/tty rw,
+
+  include if exists <local/blkdeactivate>
+}
+
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -23,47 +23,46 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  unix (receive) type=stream,

  @{exec_path} r,
-  /{usr/,}bin/{,ba,da}sh rix,
-
-  /{usr/,}bin/head       rix,
-  /{usr/,}bin/ls         rix,
-  /{usr/,}bin/uname      rix,
-  /{usr/,}bin/nproc      rix,
-  /{usr/,}bin/mktemp     rix,
-  /{usr/,}bin/cut        rix,
-  /{usr/,}bin/rm         rix,
-  /{usr/,}bin/sed        rix,
-  /{usr/,}bin/readlink   rix,
-  /{usr/,}bin/diff       rix,
-  /{usr/,}bin/wc         rix,
-  /{usr/,}bin/rmdir      rix,
-  /{usr/,}bin/find       rix,
-  /{usr/,}bin/{,e}grep   rix,
-  /{usr/,}bin/{,g,m}awk  rix,
-  /{usr/,}bin/cp         rix,
-  /{usr/,}bin/date       rix,
-  /{usr/,}bin/ln         rix,
-  /{usr/,}bin/mkdir      rix,
-  /{usr/,}bin/mv         rix,
  /{usr/,}bin/cat        rix,
+  /{usr/,}bin/cp         rix,
+  /{usr/,}bin/cut        rix,
+  /{usr/,}bin/date       rix,
+  /{usr/,}bin/diff       rix,
  /{usr/,}bin/echo       rix,
-  /{usr/,}bin/pwd        rix,
+  /{usr/,}bin/find       rix,
  /{usr/,}bin/getconf    rix,
-  /{usr/,}bin/xargs      rix,
-
-  /{usr/,}bin/make                             rix,
-  /{usr/,}bin/{,@{multiarch}-}*                rix,
-  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/*        rix,
-  /{usr/,}lib/llvm-[0-9]*/bin/clang            rix,
-
-  /{usr/,}bin/kmod        rCx -> kmod,
+  /{usr/,}bin/head       rix,
+  /{usr/,}bin/kmod       rCx -> kmod,
+  /{usr/,}bin/ln         rix,
+  /{usr/,}bin/ls         rix,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
+  /{usr/,}bin/make       rix,
+  /{usr/,}bin/mkdir      rix,
+  /{usr/,}bin/mktemp     rix,
+  /{usr/,}bin/mv         rix,
+  /{usr/,}bin/nproc      rix,
+  /{usr/,}bin/pwd        rix,
+  /{usr/,}bin/readlink   rix,
+  /{usr/,}bin/rm         rix,
+  /{usr/,}bin/rmdir      rix,
+  /{usr/,}bin/sed        rix,
+  /{usr/,}bin/uname      rix,
+  /{usr/,}bin/wc         rix,
+  /{usr/,}bin/xargs      rix,
+  /{usr/,}bin/{,@{multiarch}-}* rix,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/{,e,f}grep rix,
+  /{usr/,}bin/{,g,m}awk  rix,
+  /{usr/,}{,s}bin/update-secureboot-policy rPUx,

-  /{usr/,}lib/linux-kbuild-*/scripts/** rix,
-  /{usr/,}lib/modules/*/build/scripts/** rix,
-  /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
+  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/*             rix,
+  /{usr/,}lib/linux-kbuild-*/scripts/**             rix,
+  /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool  rix,
+  /{usr/,}lib/llvm-[0-9]*/bin/clang                 rix,
+  /{usr/,}lib/modules/*/build/scripts/**            rix,
  /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,

+  /var/lib/dkms/**/configure rix,
  /var/lib/dkms/**/dkms.postbuild rix,

  / r,
@ -113,6 +112,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {

    @{PROC}/cmdline r,

+    /etc/depmod.d/{,*} r,
+
    /{usr/,}lib/modules/*/modules.* rw,
    /var/lib/dkms/**/module/*.ko r,

--- a/apparmor.d/profiles-a-f/dkms-autoinstaller
+++ b/apparmor.d/profiles-a-f/dkms-autoinstaller
@ -25,6 +25,7 @@ profile dkms-autoinstaller @{exec_path} {
  # For shell pwd
  / r,

+  owner @{PROC}/cmdline r,

  profile run-parts {
    include <abstractions/base>
--- a/apparmor.d/profiles-a-f/dmeventd
+++ b/apparmor.d/profiles-a-f/dmeventd
@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/dmeventd
+profile dmeventd @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rm,
+
+  include if exists <local/dmeventd>
+}
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
 profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
@ -37,7 +38,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {

  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+       member={Changed,GetAll},

  dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
       interface=org.freedesktop.DBus.Properties
@ -52,7 +53,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
       member=GetAll,

  dbus receive bus=system path=/
-       interface=org.freedesktop.fwupd,
+       interface=org.freedesktop.fwupd
+       member=Changed,

  dbus receive bus=system path=/
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvm
+profile lvm @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+  include <abstractions/disks-write>
+
+  capability sys_admin,
+  capability sys_nice,
+  capability net_admin,
+
+  @{exec_path} rm,
+
+  /etc/lvm/** r,
+
+  @{run}/lvm/** rwk,
+  @{run}/lock/lvm/* rwk,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
+
+        @{PROC}/devices r,
+  owner @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/mapper/control rw,
+
+  include if exists <local/lvm>
+}
--- a/apparmor.d/profiles-g-l/lvmconfig
+++ b/apparmor.d/profiles-g-l/lvmconfig
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvmconfig
+profile lvmconfig @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} rm,
+
+  /etc/lvm/** rw,
+
+  include if exists <local/lvmconfig>
+}
+
--- a/apparmor.d/profiles-g-l/lvmdump
+++ b/apparmor.d/profiles-g-l/lvmdump
@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvmdump
+profile lvmdump @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/disks-read>
+
+  @{exec_path} rm,
+
+  include if exists <local/lvmdump>
+}
+
--- a/apparmor.d/profiles-g-l/lvmpolld
+++ b/apparmor.d/profiles-g-l/lvmpolld
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvmpolld
+profile lvmpolld @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} rm,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/umount rPx,
+
+  @{run}/lvmpolld.pid rwk,
+
+  include if exists <local/lvmpolld>
+}
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pkttyagent
 profile pkttyagent @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
@ -11,6 +11,7 @@ include <tunables/global>
 profile smartd @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-read>
+  include <abstractions/nameservice-strict>

  # To remove the following errors:
  #  Device: /dev/disk/by-id/ata-*, IE (SMART) not enabled, skip device
@ -24,6 +25,14 @@ profile smartd @{exec_path} {
  deny capability net_admin,

  @{exec_path} mr,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/cat        rix,
+  /{usr/,}bin/hostname   rix,
+  /{usr/,}bin/mail       rix,
+  /{usr/,}bin/mktemp     rix,
+  /{usr/,}bin/run-parts  rix,
+  /usr/share/smartmontools/{smartd-runner,smartd_warning.sh} rix,
+  /etc/smartmontools/run.d/* rix,

  /etc/smartd.conf r,

@ -42,6 +51,7 @@ profile smartd @{exec_path} {
  @{PROC}/devices r,

  /run/systemd/notify rw,
+  /tmp/tmp.* rw,

  include if exists <local/smartd>
 }
--- a/apparmor.d/profiles-s-z/thermald
+++ b/apparmor.d/profiles-s-z/thermald
@ -14,9 +14,12 @@ profile thermald @{exec_path} {

  capability sys_boot,

-  dbus (bind)
-     bus=system
+  dbus (bind) bus=system
     name=org.freedesktop.thermald,
+  
+  dbus (send) bus=system path=/org/freedesktop/DBus
+     interface=org.freedesktop.DBus
+     member=RequestName,

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/update-secureboot-policy
+++ b/apparmor.d/profiles-s-z/update-secureboot-policy
@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{,s}bin/update-secureboot-policy
+profile update-secureboot-policy @{exec_path} flags=(complain) {
+  include <abstractions/base>
+
+  @{exec_path} rm,
+  /usr/share/debconf/frontend rPx,
+
+  include if exists <local/update-secureboot-policy>
+}
--- a/apparmor.d/profiles-s-z/zed
+++ b/apparmor.d/profiles-s-z/zed
@ -45,6 +45,7 @@ profile zed @{exec_path} {

  @{sys}/bus/pci/slots/ r,
  @{sys}/bus/pci/slots/[0-9]*/address r,
+  @{sys}/module/zfs/parameters/zfs_zevent_len_max rw,
  
        @{PROC}/@{pids}/mounts r,
  owner @{PROC}/@{pids}/fd/ r,
--- a/apparmor.d/tunables/extend
+++ b/apparmor.d/tunables/extend
@ -12,6 +12,10 @@
 # Hexadecimal
@{hex}=[0-9a-fA-F]*

+# Date and time
+@{date}=[0-9][0-9][0-9][0-9]-[1-12]-[1-31]
+@{time}=[1-24]-[0-60]-[0-60]
+
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
 # system.