More consoles requirement after sshd introduction (#44)

* consoles requirement after sshd introduction * one more
2025-01-29 22:35:15 +01:00 · 2022-06-01 17:50:05 +00:00 · 2022-06-01 17:50:05 +00:00 · b4f7ed185c
commit b4f7ed185c
parent e2b7f6594c
9 changed files with 17 additions and 0 deletions
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/groups
 profile groups @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,
--- a/apparmor.d/profiles-g-l/last
+++ b/apparmor.d/profiles-g-l/last
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/last{,b}
 profile last @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

@ -21,5 +22,8 @@ profile last @{exec_path} {

  @{PROC}/@{pids}/loginuid r,

+  /var/log/wtmp r,
+  /var/log/btmp{,.[0-9]*} r,
+
  include if exists <local/last>
 }
--- a/apparmor.d/profiles-g-l/lastlog
+++ b/apparmor.d/profiles-g-l/lastlog
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/lastlog
 profile lastlog @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  network netlink raw,
@ -18,5 +19,7 @@ profile lastlog @{exec_path} {
  /var/log/lastlog r,
  /etc/login.defs r,

+  @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
  include if exists <local/lastlog>
 }
--- a/apparmor.d/profiles-g-l/lscpu
+++ b/apparmor.d/profiles-g-l/lscpu
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/lscpu
 profile lscpu @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  @{exec_path} mr,

--- a/apparmor.d/profiles-m-r/passwd
+++ b/apparmor.d/profiles-m-r/passwd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/passwd
 profile passwd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/authentication>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
--- a/apparmor.d/profiles-s-z/top
+++ b/apparmor.d/profiles-s-z/top
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/top
 profile top @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/wutmp>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/profiles-s-z/uptime
+++ b/apparmor.d/profiles-s-z/uptime
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/uptime
 profile uptime @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/wutmp>

  @{exec_path} mr,
--- a/apparmor.d/profiles-s-z/usb-devices
+++ b/apparmor.d/profiles-s-z/usb-devices
@ -9,8 +9,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/usb-devices
 profile usb-devices @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/devices-usb>

+       capability dac_read_search,
+  deny capability dac_override,
+
  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,

--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/profiles-s-z/w
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/w
 profile w @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>