From b223e2eb8e9ba676c642a06833f577750cb0c496 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 1 Sep 2024 20:36:23 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/groups/browsers/chromium-wrapper | 3 --
 apparmor.d/groups/freedesktop/xdg-mime | 5 +--
 apparmor.d/groups/network/socat | 34 ++++++++----------
 apparmor.d/groups/ssh/ssh-agent | 5 +--
 apparmor.d/groups/systemd/systemd-hostnamed | 2 +-
 apparmor.d/groups/virt/cockpit-bridge | 39 ++++++++++++++++-----
 apparmor.d/groups/virt/cockpit-session | 5 +--
 apparmor.d/groups/virt/libvirtd | 8 ++---
 apparmor.d/groups/virt/qemu-bridge-helper | 35 ++++++++++++++++++
 apparmor.d/profiles-g-l/git | 3 --
 apparmor.d/profiles-s-z/smartd | 2 --
 apparmor.d/profiles-s-z/virt-manager | 8 ++---
 dists/flags/main.flags | 2 +-
 13 files changed, 98 insertions(+), 53 deletions(-)
 create mode 100644 apparmor.d/groups/virt/qemu-bridge-helper
diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper
index 4368d6b2..9300e46e 100644
--- a/apparmor.d/groups/browsers/chromium-wrapper
+++ b/apparmor.d/groups/browsers/chromium-wrapper
@@ -40,11 +40,8 @@ profile chromium-wrapper @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 owner @{tmp}/chromiumargs.@{rand6} rw,
- owner @{tmp}/tmp.*/ rw,
- owner @{tmp}/tmp.*/** rwk,
 owner /dev/tty@{int} rw,
- /dev/dri/card[0-9] rw,
 # Silencer
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index 1a217a2b..28c1836c 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -53,11 +53,11 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
 @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
+ @{PROC}/version r,
+ /dev/dri/card@{int} rw,
 /dev/tty rw,
- @{PROC}/version r,
- # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
 # following root processes:
 # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
@@ -82,6 +82,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{HOME}/.Xauthority r,
 owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat
index df5e874d..8ffa2f9b 100644
--- a/apparmor.d/groups/network/socat
+++ b/apparmor.d/groups/network/socat
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
 # Copyright (C) 2024 Nishit Majithia (nishitm)
 # SPDX-License-Identifier: GPL-2.0-only
-# vim: ft=apparmor
 abi ,
@@ -10,19 +10,19 @@ include
 @{exec_path} = @{bin}/socat
 profile socat @{exec_path} {
 include
+ include
 include
 include
- include
- capability dac_read_search,
- capability dac_override,
- capability net_raw,
- capability net_admin,
- capability sys_module,
- capability sys_admin,
- capability fsetid,
 capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability net_admin,
 capability net_bind_service,
+ capability net_raw,
+ capability sys_admin,
+ capability sys_module,
 capability sys_resource,
 # Allow creation of network sockets and `socat` uses dccp for some
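Review bot: `+ /dev/dri/card@{int} rw,` gives xdg-mime read-write access to the DRM card device nodes, which is hard to justify for a MIME-type query tool and is added without any rationale. If this is only needed because a program xdg-mime execs probes the display, the rule belongs in that program's profile; otherwise it should at least carry a comment naming the code path that triggers it, e.g. `/dev/dri/card@{int} rw, # TODO: which caller needs this?`. The rest of the profile body is outside the hunk, so I cannot see whether a matching `deny` or a more specific rule already exists elsewhere.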
@@ -31,19 +31,13 @@ profile socat @{exec_path} {
 @{exec_path} mr,
- # Enale /dev/ptmx access for testsuite
- # /dev/ptmx rw,
-
- # TUN/TAP device
- /dev/net/tun rw,
-
- # Process-specific access
 @{PROC}/@{pid}/fdinfo/@{int} rw,
- @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/stat r,
- # For bi-directional communication between vms and host/hypervisor
- /dev/vsock r,
+ /dev/net/tun rw,
+ /dev/vsock r, # For bi-directional communication between vms and host/hypervisor
- # Site-specific additions and overrides. See local/README for details.
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index ec82ea1b..d6dc9044 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -12,8 +12,8 @@ profile ssh-agent @{exec_path} {
 include
 include
- signal (receive) set=term peer=cockpit-bridge,
- signal (receive) set=term peer=gnome-keyring-daemon,
+ signal receive set=term peer=cockpit-bridge,
+ signal receive set=term peer=gnome-keyring-daemon,
 @{exec_path} mr,
@@ -34,6 +34,7 @@ profile ssh-agent @{exec_path} {
 owner @{run}/user/@{uid}/gcr/.ssh w,
 /dev/tty@{int} rw,
+ /dev/tty rw,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 39fcd988..52e6f089 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-hostnamed
-profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
+profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index 3da2c19e..a2b77349 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
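Review bot: `+ /dev/net/tun rw,` drops the `# TUN/TAP device` rationale that the removed lines carried, while the neighbouring vsock rule keeps its explanation inline; since this profile already holds `capability net_admin`, TUN device access is the rule a reader will most want explained, so keep it documented, e.g. `/dev/net/tun rw, # TUN/TAP device`. The context line `@{PROC}/@{pid}/fdinfo/@{int} rw,` (not changed here) has no `owner` qualifier; unless `@{pid}` is pinned to the task's own pid in this repository's tunables, it matches the fdinfo of any process, and `owner @{PROC}/@{pid}/fdinfo/@{int} rw,` would narrow it at no functional cost. The profile body starts before this hunk.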
@@ -22,33 +22,44 @@ profile cockpit-bridge @{exec_path} {
 network inet stream,
 network inet6 dgram,
 network inet6 stream,
+ network netlink raw,
- ptrace (read),
+ ptrace read,
- signal (send) set=term peer=cockpit-pcp,
- signal (send) set=term peer=dbus-daemon,
- signal (send) set=term peer=journalctl,
- signal (send) set=term peer=ssh-agent,
- signal (send) set=term peer=sudo,
- signal (send) set=term peer=unconfined,
+ signal send set=term peer=cockpit-pcp,
+ signal send set=term peer=dbus-daemon,
+ signal send set=term peer=journalctl,
+ signal send set=term peer=ssh-agent,
+ signal send set=term peer=sudo,
+ signal send set=term peer=unconfined,
 @{exec_path} mr,
 @{bin}/cat ix,
 @{bin}/date ix,
+ @{bin}/find ix,
+ @{bin}/ip ix,
+ @{bin}/python3.@{int} ix,
+ @{bin}/test ix,
+ @{bin}/findmnt Px,
 @{bin}/journalctl Px,
- @{bin}/python3.@{int} ix,
+ @{bin}/lastlog Px,
+ @{bin}/passwd Px,
 @{bin}/ssh-agent Px,
 @{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?
+ @{bin}/udevadm Cx -> udevadm,
+ @{bin}/virt-install PUx, # TODO: rPx
 @{lib}/cockpit/cockpit-pcp Px,
 @{lib}/cockpit/cockpit-ssh Px,
+ @{bin}/virsh rPUx,
 # The shell is not confined on purpose.
 @{bin}/@{shells} Ux,
- /usr/share/cockpit/{,**} r,
 /usr/{,local/}share/ r,
+ /usr/share/cockpit/{,**} r,
+ /usr/share/iproute2/* r,
 /etc/cockpit/{,**} r,
 /etc/httpd/conf/mime.types r,
@@ -59,6 +70,8 @@ profile cockpit-bridge @{exec_path} {
 /etc/shadow r,
 /etc/shells r,
+ / r,
+ owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
 owner @{user_share_dirs}/ r,
@@ -66,6 +79,7 @@ profile cockpit-bridge @{exec_path} {
 @{run}/utmp r,
 @{sys}/class/hwmon/ r,
+ @{sys}/class/net/ r,
 @{sys}/devices/**/hwmon@{int}/ r,
 @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
 @{sys}/fs/cgroup/ r,
@@ -89,6 +103,13 @@ profile cockpit-bridge @{exec_path} {
 /dev/ptmx rw,
+ profile udevadm {
+ include
+ include
+
+ include if exists
+ }
+ include if exists
 }
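Review bot: `+ @{bin}/virsh rPUx,` is placed after the `@{lib}/cockpit/` rules, breaking the alphabetical `@{bin}/` ordering the rest of the exec block follows; move it next to `@{bin}/virt-install PUx, # TODO: rPx`. Both `virsh` and `virt-install` use `PUx`, which falls back to unconfined whenever no profile for the target is loaded, so the `# TODO: rPx` marker should cover `virsh` as well, or a comment should record why the unconfined fallback is acceptable (the shell is already `Ux` on purpose, so the bridge is not a hard boundary, but the TODO is currently the only record of that decision). `@{bin}/ip ix` and `@{bin}/find ix` run with this profile's full rule set, which the added `network netlink raw,` appears to serve; that looks intentional but deserves a one-line comment. The child profile targeted by `@{bin}/udevadm Cx -> udevadm,` is defined in the last hunk, whose include targets are not visible on this page.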
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index 74ddd9e7..fda673c6 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 /etc/motd.d/ r,
 /etc/shells r,
+ @{run}/cockpit/active.motd r,
+ @{run}/cockpit/inactive.motd r,
 @{run}/faillock/@{user} rwk,
+ @{run}/motd.d/{,*} r,
 @{run}/systemd/sessions/*.ref rw,
 @{run}/utmp rwk,
- @{run}/motd.d/{,*} r,
- @{run}/cockpit/active.motd r,
 /var/log/btmp rw,
 /var/log/lastlog rw,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 3fbbfc51..a755c167 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -68,6 +68,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 ptrace (read,trace) peer=@{profile_name},
 ptrace (read,trace) peer=dnsmasq,
+ ptrace (read,trace) peer=gnome-boxes,
 ptrace (read,trace) peer=libvirt-@{uuid},
 ptrace (read,trace) peer=libvirt-dbus,
 ptrace (read,trace) peer=unconfined,
@@ -93,15 +94,14 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{lib}/libvirt/libvirt_iohelper rix,
 @{lib}/libvirt/libvirt_parthelper rix,
+ @{lib}/{,qemu/}qemu-bridge-helper rPx,
+ @{lib}/{,qemu/}vhost-user-gpu rPUx,
+ @{lib}/{,qemu/}virtiofsd rux, # TODO: WIP
 @{lib}/udev/scsi_id rPUx,
 @{lib}/xen-*/bin/libxl-save-helper rPUx,
 @{lib}/xen-*/bin/pygrub rPUx,
 @{lib}/xen-common/bin/xen-toolstack rPUx,
 @{lib}/xen/bin/* rPUx,
- /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx,
- /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP
-
- /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 @{bin}/dmidecode rPx,
 @{bin}/dnsmasq rPx,
diff --git a/apparmor.d/groups/virt/qemu-bridge-helper b/apparmor.d/groups/virt/qemu-bridge-helper
new file mode 100644
index 00000000..a814dd26
--- /dev/null
+++ b/apparmor.d/groups/virt/qemu-bridge-helper
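Review bot: `+ @{lib}/{,qemu/}qemu-bridge-helper rPx,` replaces the `Cx -> qemu_bridge_helper` transition, but this hunk does not remove the `profile qemu_bridge_helper` child block that the old `Cx` target required to compile; the diffstat shows only eight changed lines in libvirtd, so if that block still exists further down the file (outside this hunk) it is now unreferenced and should be deleted in the same change, leaving the new standalone profile as the single source of the helper's rules. `@{lib}/{,qemu/}virtiofsd rux, # TODO: WIP` keeps the unconfined `ux` transition from the removed line, so the TODO is carried over rather than resolved; worth stating in the message that this is a path-pattern change only. The rest of the exec block continues outside the hunk.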
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{,qemu/}qemu-bridge-helper
+profile qemu-bridge-helper @{exec_path} {
+ include
+
+ capability net_admin,
+ capability setpcap,
+
+ network inet stream,
+
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+
+ signal receive set=term peer=libvirtd,
+
+ @{exec_path} mr,
+
+ /etc/qemu/bridge.conf r,
+
+ @{sys}/devices/system/node/ r,
+
+ owner @{PROC}/@{pids}/status r,
+
+ /dev/net/tun rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 2c0eb2fa..47450b8e 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -92,9 +92,6 @@ profile git @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/*/ rw,
 owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
- owner @{tmp}/** rwkl -> /tmp/**,
- owner @{tmp}/**/bin/* rCx -> exec,
- owner @{HOME}/.gitconfig* rw,
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd
index bdac4d92..9222fbbb 100644
--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
@@ -39,8 +39,6 @@ profile smartd @{exec_path} {
 /var/lib/smartmontools/smartd.*.state{,~} rw,
 /var/lib/smartmontools/attrlog.*.csv rw,
- /tmp/tmp.* rw,
- @{run}/systemd/notify rw,
 @{sys}/class/scsi_host/ r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index c1bd7fbd..fbfcaf7b 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
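Review bot: `+ owner @{PROC}/@{pids}/status r,` uses the pid wildcard; unless `@{pids}` is pinned to the task's own pid in this repository's tunables, it allows reading `/proc/*/status` of every process with the same uid, which for a helper commonly installed setuid root means every root process, while the helper should only ever need its own entry. Add the rationale or narrow it, e.g. `owner @{PROC}/@{pids}/status r, # TODO: own pid only?`. The rules that actually define this profile's trust boundary are `capability net_admin` plus `/dev/net/tun rw,`, gated by the read-only `/etc/qemu/bridge.conf r,`; a comment such as `/etc/qemu/bridge.conf r, # bridge ACL, the helper's real authorization check; keep read-only` would make that explicit for the next reader. Note that the profile is listed in `main.flags` in complain mode, so none of these rules are enforced yet.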
@@ -61,15 +61,15 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 /etc/fstab r,
 /etc/libnl/classid r,
- owner @{HOME}/ r,
- owner @{user_cache_dirs}/virt-manager/{,**} rw,
+ # System VM images
+ /var/lib/libvirt/images/{,**} rw,
 # For disk images
 @{MOUNTS}/ r,
 @{user_img_dirs}/{,**} r,
- # System VM images
- /var/lib/libvirt/images/{,**} rw,
+ owner @{HOME}/ r,
+ owner @{user_cache_dirs}/virt-manager/{,**} rw,
 # User VM images
 owner @{user_share_dirs}/ r,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index f37e7f99..53782aa9 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -279,6 +279,7 @@ plymouth-set-default-theme attach_disconnected,complain
 plymouthd complain
 polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted
 qdbus complain
+qemu-bridge-helper complain
 realmd complain
 remmina complain
 run-parts complain
@@ -369,7 +370,6 @@ systemd-userwork attach_disconnected,complain
 systemsettings complain
 totem attach_disconnected,complain
 tracker-writeback complain
-transmission complain
 udev-dmi-memory-id complain
 udisksctl complain
 udisksd attach_disconnected,complain
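Review bot: `-transmission complain` in the second main.flags hunk moves the transmission profile from complain to enforce mode, yet no transmission profile is touched by this commit and the subject `feat(profile): general update.` does not mention it; this is the one line in the patch that can start blocking a running program, so if the promotion is intentional it deserves an explicit sentence in the commit message, and if it is not, it should be a separate commit. `+qemu-bridge-helper complain` in the first hunk matches the new profile added by this commit and keeps it in learning mode, which is appropriate for a profile that has not yet been exercised.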