From 9818daba5f40757e5cd5204c4234d38da9ef33ea Mon Sep 17 00:00:00 2001 From: Jeroen Date: Tue, 6 Sep 2022 23:01:17 +0200 Subject: [PATCH] LVM and general update (#68) * Small fixes * General update * Add LVM * Various small fixes * Add profile * Typo * sbin to regex * Date and time to extends * Read cmdline * Remove grep duplicate * Small fixes * Typo * Permissions for warning scripts * Add net_admin for multipath --- apparmor.d/groups/freedesktop/pulseaudio | 6 +- apparmor.d/groups/virt/cni-calico | 3 + apparmor.d/groups/virt/containerd | 15 ++-- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 28 ++++++++ apparmor.d/profiles-a-f/dkms | 69 ++++++++++--------- apparmor.d/profiles-a-f/dkms-autoinstaller | 1 + apparmor.d/profiles-a-f/dmeventd | 16 +++++ apparmor.d/profiles-a-f/fwupd | 6 +- apparmor.d/profiles-g-l/lvm | 39 +++++++++++ apparmor.d/profiles-g-l/lvmconfig | 20 ++++++ apparmor.d/profiles-g-l/lvmdump | 19 +++++ apparmor.d/profiles-g-l/lvmpolld | 22 ++++++ apparmor.d/profiles-m-r/pkttyagent | 1 + apparmor.d/profiles-s-z/smartd | 10 +++ apparmor.d/profiles-s-z/thermald | 7 +- .../profiles-s-z/update-secureboot-policy | 17 +++++ apparmor.d/profiles-s-z/zed | 1 + apparmor.d/tunables/extend | 4 ++ 19 files changed, 237 insertions(+), 49 deletions(-) create mode 100644 apparmor.d/profiles-a-f/blkdeactivate create mode 100644 apparmor.d/profiles-a-f/dmeventd create mode 100644 apparmor.d/profiles-g-l/lvm create mode 100644 apparmor.d/profiles-g-l/lvmconfig create mode 100644 apparmor.d/profiles-g-l/lvmdump create mode 100644 apparmor.d/profiles-g-l/lvmpolld create mode 100644 apparmor.d/profiles-s-z/update-secureboot-policy diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index f4cbcc34..d8404111 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
@@ -39,7 +39,7 @@ profile pulseaudio @{exec_path} { member={GetState,AddService,AddServiceSubtype,Commit} peer=(name=org.freedesktop.Avahi), - dbus receive bus=session path=/Client0/EntryGroup[0-9]* + dbus receive bus=system path=/Client0/EntryGroup[0-9]* interface=org.freedesktop.Avahi.EntryGroup member=StateChanged peer=(name=org.freedesktop.Avahi), @@ -102,8 +102,8 @@ profile pulseaudio @{exec_path} { member=Get peer=(name=/org/freedesktop/hostname[0-9]), - dbus send bus=system path=/org.freedesktop.hostname[0-9] - interface=org.freedesktop.DBus.Prope + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties member=Get peer=(name=/org/freedesktop/hostname[0-9]), diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 2789ee07..a7639096 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -31,6 +31,9 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/lib/calico/{,**} r, /var/log/calico/cni/ r, /var/log/calico/cni/cni.log rw, + /var/log/calico/cni/cni-@{date}T@{time}.[0-9]*.log rw, + + /usr/share/mime/globs2 r, @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 971dda22..112383cf 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -53,14 +53,15 @@ profile containerd @{exec_path} flags=(attach_disconnected) { / r, - /opt/cni/bin/loopback rPx, - /opt/cni/bin/portmap rPx, + /opt/cni/bin/loopback rPx, + /opt/cni/bin/portmap rPx, /opt/cni/bin/bandwidth rPx, - /opt/cni/bin/calico rPx, + /opt/cni/bin/calico rPx, - /etc/cni/ rw, - /etc/cni/{,**} r, - /etc/cni/net.d/ rw, + /etc/calico/ rw, + /etc/cni/ rw, + /etc/cni/{,**} r, + /etc/cni/net.d/ rw, /etc/containerd/*.toml r, /opt/containerd/{,**} rw, 
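Review bot: The `peer=(name=/org/freedesktop/hostname[0-9])` line kept as context under the corrected `path=/org/freedesktop/hostname[0-9]` rule still spells a bus name as an object path, so the peer condition looks like it can never match and the hostname `Get` call would stay denied even after this fix. The service that owns that path is `org.freedesktop.hostname1`, so the line should presumably read `peer=(name=org.freedesktop.hostname[0-9]),`; the same spelling appears in the preceding rule's context line at the top of the hunk. Worth confirming against an audit entry before changing, since the rest of that rule block is outside the hunk.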
@@ -87,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { owner /var/tmp/** rwkl, owner /tmp/** rwkl, /tmp/cri-containerd.apparmor.d[0-9]* rwl, - /tmp/ctd-volume[0-9]*/{data,} rw, + /tmp/ctd-volume[0-9]*/{data/,} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 097aa2ec..0da4b4e4 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -26,7 +26,7 @@ profile k3s @{exec_path} { capability sys_resource, ptrace peer=@{profile_name}, - ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined}, + ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined}, # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate new file mode 100644 index 00000000..7f6de8b2 --- /dev/null +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/blkdeactivate +profile blkdeactivate @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + /{usr/,}{s,}bin/dmsetup rPUx, + /{usr/,}bin/grep rix, + /{usr/,}bin/lsblk rPx, + /{usr/,}{s,}bin/lvm rPx, + /{usr/,}bin/sort rix, + /{usr/,}bin/umount rPx, + + @{sys}/devices/virtual/block/*/holders/ r, + + /dev/tty rw, + + include if exists +} + diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index c4ad0919..74ae713b 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms 
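Review bot: `/{usr/,}{s,}bin/dmsetup rPUx,` in the new blkdeactivate profile falls back to an unconfined transition whenever no dmsetup profile is loaded, while the sibling lsblk, lvm and umount rules in the same block use `rPx`. If the repository ships a dmsetup profile, `rPx` keeps the device-mapper tool confined; if it does not, a comment such as `# no dmsetup profile yet, falls back to unconfined` would record why the fallback is accepted. The same `rPUx` choice is made for `update-secureboot-policy` in the dkms hunk below, although this very patch adds a profile for that binary, so `rPx` appears sufficient there.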
@@ -23,47 +23,46 @@ profile dkms @{exec_path} flags=(attach_disconnected) { unix (receive) type=stream, @{exec_path} r, - /{usr/,}bin/{,ba,da}sh rix, - - /{usr/,}bin/head rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/uname rix, - /{usr/,}bin/nproc rix, - /{usr/,}bin/mktemp rix, - /{usr/,}bin/cut rix, - /{usr/,}bin/rm rix, - /{usr/,}bin/sed rix, - /{usr/,}bin/readlink rix, - /{usr/,}bin/diff rix, - /{usr/,}bin/wc rix, - /{usr/,}bin/rmdir rix, - /{usr/,}bin/find rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/{,g,m}awk rix, - /{usr/,}bin/cp rix, - /{usr/,}bin/date rix, - /{usr/,}bin/ln rix, - /{usr/,}bin/mkdir rix, - /{usr/,}bin/mv rix, /{usr/,}bin/cat rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/date rix, + /{usr/,}bin/diff rix, /{usr/,}bin/echo rix, - /{usr/,}bin/pwd rix, + /{usr/,}bin/find rix, /{usr/,}bin/getconf rix, - /{usr/,}bin/xargs rix, - - /{usr/,}bin/make rix, - /{usr/,}bin/{,@{multiarch}-}* rix, - /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix, - /{usr/,}lib/llvm-[0-9]*/bin/clang rix, - - /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/head rix, + /{usr/,}bin/kmod rCx -> kmod, + /{usr/,}bin/ln rix, + /{usr/,}bin/ls rix, /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/make rix, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/mv rix, + /{usr/,}bin/nproc rix, + /{usr/,}bin/pwd rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/uname rix, + /{usr/,}bin/wc rix, + /{usr/,}bin/xargs rix, + /{usr/,}bin/{,@{multiarch}-}* rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e,f}grep rix, + /{usr/,}bin/{,g,m}awk rix, + /{usr/,}{,s}bin/update-secureboot-policy rPUx, - /{usr/,}lib/linux-kbuild-*/scripts/** rix, - /{usr/,}lib/modules/*/build/scripts/** rix, - /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix, + /{usr/,}lib/gcc/@{multiarch}/[0-9]*/* rix, + /{usr/,}lib/linux-kbuild-*/scripts/** rix, + /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix, + 
/{usr/,}lib/llvm-[0-9]*/bin/clang rix, + /{usr/,}lib/modules/*/build/scripts/** rix, /{usr/,}lib/modules/*/build/tools/objtool/objtool rix, + /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, / r, @@ -113,6 +112,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, + /etc/depmod.d/{,*} r, + /{usr/,}lib/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko r, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 677acfbb..511ed2ad 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -25,6 +25,7 @@ profile dkms-autoinstaller @{exec_path} { # For shell pwd / r, + owner @{PROC}/cmdline r, profile run-parts { include diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd new file mode 100644 index 00000000..d0b2b7ed --- /dev/null +++ b/apparmor.d/profiles-a-f/dmeventd @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/dmeventd +profile dmeventd @{exec_path} flags=(complain) { + include + + @{exec_path} rm, + + include if exists +} diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index e7d3b197..045dfdad 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include + include include include include @@ -37,7 +38,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties - member=GetAll, + member={Changed,GetAll}, dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Properties 
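Review bot: `owner @{PROC}/cmdline r,` in dkms-autoinstaller carries an `owner` qualifier that the equivalent rule in the dkms profile (`@{PROC}/cmdline r,`, visible as context in the dkms hunk above) does not; /proc/cmdline is root-owned, so the qualifier only passes because the script runs as root, and the two profiles now differ for no stated reason. Dropping `owner` here, or adding it in dkms, keeps them consistent. The enclosing profile body continues outside the hunk.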
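Review bot: The new dmeventd profile confines a daemon with nothing beyond the abstraction include and `@{exec_path} rm,`, so only `flags=(complain)` keeps it from denying every other access, and nothing in the file says the body is a placeholder. A comment such as `# Placeholder: remaining rules still to be collected from complain-mode logs` above the profile line would make that explicit for whoever later flips it to enforce. The lvmdump profile added later in this patch is in the same state.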
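Review bot: `member={Changed,GetAll}` adds `Changed` to a `dbus send` on `interface=org.freedesktop.DBus.Properties` at the PolicyKit1 Authority path, but `Changed` is not a member of the Properties interface; it looks like the `Changed` signal of `org.freedesktop.PolicyKit1.Authority`, which fwupd would receive rather than send. If the audit entry behind this was such a receive, a separate `dbus receive` rule on that interface is the precise fix and this rule can stay at `member=GetAll`. Worth checking the original denial before merging.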
@@ -52,7 +53,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { member=GetAll, dbus receive bus=system path=/ - interface=org.freedesktop.fwupd, + interface=org.freedesktop.fwupd + member=Changed, dbus receive bus=system path=/ interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm new file mode 100644 index 00000000..31cbff60 --- /dev/null +++ b/apparmor.d/profiles-g-l/lvm @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/lvm +profile lvm @{exec_path} flags=(complain) { + include + include + include + include + + capability sys_admin, + capability sys_nice, + capability net_admin, + + @{exec_path} rm, + + /etc/lvm/** r, + + @{run}/lvm/** rwk, + @{run}/lock/lvm/* rwk, + + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/devices/virtual/bdi/**/read_ahead_kb r, + + @{PROC}/devices r, + owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + + /dev/mapper/control rw, + + include if exists +} diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig new file mode 100644 index 00000000..ad5922e9 --- /dev/null +++ b/apparmor.d/profiles-g-l/lvmconfig @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/lvmconfig +profile lvmconfig @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + /etc/lvm/** rw, + + include if exists +} + diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump new file mode 100644 index 00000000..991f2570 --- /dev/null +++ b/apparmor.d/profiles-g-l/lvmdump 
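Review bot: Adding `member=Changed` to the `dbus receive bus=system path=/ interface=org.freedesktop.fwupd` rule narrows a rule that previously accepted every member on fwupd's own interface; unless clients' method calls on that interface at path `/` are covered by another rule outside this hunk, this change would start denying them. Either keep the receive unrestricted as it was, or verify that the remaining members are allowed elsewhere in the profile before merging.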
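Review bot: `@{PROC}/@{pid}/fd/ r,` is the only per-pid proc rule in the new lvm profile without `owner`, while the cmdline and mounts rules beside it carry it; `owner @{PROC}/@{pid}/fd/ r,` keeps the three consistent. Separately, `/etc/lvm/** r,` is read-only although lvm by default writes metadata archives and backups under /etc/lvm (archive/ and backup/); under `flags=(complain)` that only shows up as log noise, and if the logs confirm it a scoped `owner /etc/lvm/{archive,backup}/** rw,` is narrower than widening the existing rule. No block-device rules are present either, so expect further complain-mode entries before this profile can be enforced.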
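Review bot: `/etc/lvm/** rw,` gives lvmconfig write access to the entire LVM configuration tree, lvm.conf included, whereas the lvm profile in this same patch grants only `/etc/lvm/** r,`. Unless a write denial was actually observed, `/etc/lvm/** r,` is the safer default; if lvmconfig's file-output mode is what needed it, scope the write to the path it writes rather than the whole tree.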
@@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/lvmdump +profile lvmdump @{exec_path} flags=(complain) { + include + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld new file mode 100644 index 00000000..39758a73 --- /dev/null +++ b/apparmor.d/profiles-g-l/lvmpolld @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/lvmpolld +profile lvmpolld @{exec_path} flags=(complain) { + include + include + include + + @{exec_path} rm, + /{usr/,}bin/grep rix, + /{usr/,}bin/umount rPx, + + @{run}/lvmpolld.pid rwk, + + include if exists +} diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index fb894967..021c1292 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/pkttyagent profile pkttyagent @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index ac1aeb0d..9298c081 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -11,6 +11,7 @@ include profile smartd @{exec_path} { include include + include # To remove the following errors: # Device: /dev/disk/by-id/ata-*, IE (SMART) not enabled, skip device @@ -24,6 +25,14 @@ profile smartd @{exec_path} { deny capability net_admin, @{exec_path} mr, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/hostname rix, + /{usr/,}bin/mail rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/run-parts rix, + /usr/share/smartmontools/{smartd-runner,smartd_warning.sh} rix, + /etc/smartmontools/run.d/* rix, /etc/smartd.conf r, 
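Review bot: `/{usr/,}bin/run-parts rix,` and `/etc/smartmontools/run.d/* rix,` in the first smartd hunk run the warning scripts, and the `mail`, `cat` and `mktemp` helpers they spawn, inside smartd's own profile, so every further need of those scripts has to be granted to the daemon itself. The dkms-autoinstaller profile touched in this patch already uses a `profile run-parts {` child profile for the same tool; the equivalent here would be `/{usr/,}bin/run-parts rCx -> run-parts,` with the helper rules moved into that child. `rix` is acceptable as a first cut, but then a comment like `# warning scripts deliberately inherit smartd's confinement` would tell the next reader it was a choice; the enclosing profile continues outside the hunk.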
@@ -42,6 +51,7 @@ profile smartd @{exec_path} { @{PROC}/devices r, /run/systemd/notify rw, + /tmp/tmp.* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 5bf27dac..ba8a7d76 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -14,9 +14,12 @@ profile thermald @{exec_path} { capability sys_boot, - dbus (bind) - bus=system + dbus (bind) bus=system name=org.freedesktop.thermald, + + dbus (send) bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy new file mode 100644 index 00000000..5ed5c896 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{,s}bin/update-secureboot-policy +profile update-secureboot-policy @{exec_path} flags=(complain) { + include + + @{exec_path} rm, + /usr/share/debconf/frontend rPx, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 8994f68d..e75951e6 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -45,6 +45,7 @@ profile zed @{exec_path} { @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/[0-9]*/address r, + @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend index dcb7759d..7614e1ab 100644 --- a/apparmor.d/tunables/extend +++ b/apparmor.d/tunables/extend 
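Review bot: `/tmp/tmp.* rw,` has no `owner` qualifier, so it also covers tmp.* entries that any other user has created in the shared /tmp, whereas the containerd profile in this patch uses `owner /tmp/** rwkl,` for the same kind of scratch file. The files here come from the `mktemp` rule added in the earlier smartd hunk and are therefore created by smartd itself, so `owner /tmp/tmp.* rw,` is sufficient and narrower.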
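Review bot: The new update-secureboot-policy file ends without a trailing newline (`\ No newline at end of file` after the closing brace), unlike the other profiles added in this patch; add the final newline so the file matches the rest of the tree and future diffs stay clean. Also, `/{usr/,}{,s}bin/` spells the optional sbin prefix the other way round from the `/{usr/,}{s,}bin/` used in blkdeactivate, lvm and lvmpolld; the globs are equivalent, but one spelling would be easier to grep for.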
@@ -12,6 +12,10 @@
 # Hexadecimal
 @{hex}=[0-9a-fA-F]*
 
+# Date and time
+@{date}=[0-9][0-9][0-9][0-9]-[1-12]-[1-31]
+@{time}=[1-24]-[0-60]-[0-60]
+
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
 # system.
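Review bot: `[1-12]`, `[1-31]`, `[1-24]` and `[0-60]` are single-character classes in AppArmor globbing, not numeric ranges: `[1-12]` matches one character from {1,2}, `[1-31]` one from {1,2,3}, `[1-24]` one from {1,2,4} and `[0-60]` one digit 0–6, so `@{date}` never matches a two-digit month or day such as 2022-09-06 and `@{time}` never matches a real clock value. Two-digit fields need explicit pairs: `@{date}=[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]` and `@{time}=[0-9][0-9]-[0-9][0-9]-[0-9][0-9]`, keeping the `-` separator in `@{time}` only if the consumer really uses it. The only user in this patch is the cni-calico rule `/var/log/calico/cni/cni-@{date}T@{time}.[0-9]*.log rw,`, so the separator should be checked against an actual log file name (ISO-8601 times use `:`); until then that rule will not match normal log names and the write will be denied.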