From b4f7ed185cb3ea26dc4d6fea9ab37d379aa85645 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Wed, 1 Jun 2022 17:50:05 +0000
Subject: [PATCH] More `consoles` requirement after `sshd` introduction (#44)
* consoles requirement after sshd introduction
* one more
---
 apparmor.d/profiles-g-l/groups | 1 +
 apparmor.d/profiles-g-l/last | 4 ++++
 apparmor.d/profiles-g-l/lastlog | 3 +++
 apparmor.d/profiles-g-l/lscpu | 1 +
 apparmor.d/profiles-m-r/passwd | 1 +
 apparmor.d/profiles-s-z/top | 1 +
 apparmor.d/profiles-s-z/uptime | 1 +
 apparmor.d/profiles-s-z/usb-devices | 4 ++++
 apparmor.d/profiles-s-z/w | 1 +
 9 files changed, 17 insertions(+)
diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups
index e4da11c1..b7c74d74 100644
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/groups
 profile groups @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last
index 04926ce2..3ddb573b 100644
--- a/apparmor.d/profiles-g-l/last
+++ b/apparmor.d/profiles-g-l/last
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/last{,b}
 profile last @{exec_path} {
 include
+ include
 include
 include
@@ -21,5 +22,8 @@ profile last @{exec_path} {
 @{PROC}/@{pids}/loginuid r,
+ /var/log/wtmp r,
+ /var/log/btmp{,.[0-9]*} r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog
index bf32a379..f1534002 100644
--- a/apparmor.d/profiles-g-l/lastlog
+++ b/apparmor.d/profiles-g-l/lastlog
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/lastlog
 profile lastlog @{exec_path} {
 include
+ include
 include
 network netlink raw,
@@ -18,5 +19,7 @@ profile lastlog @{exec_path} {
 /var/log/lastlog r,
 /etc/login.defs r,
+ @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu
index 48f0532d..16dee098 100644
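Review bot: The rotation globs in the second `last` hunk are asymmetric: `/var/log/btmp{,.[0-9]*} r,` covers logrotate copies, but `/var/log/wtmp r,` does not, so pointing `last` at a rotated wtmp file (a common way to look at older sessions) would be denied by this profile while the btmp equivalent is allowed. Unless the asymmetry is deliberate, change the first added line to `/var/log/wtmp{,.[0-9]*} r,`. A short comment above the pair, `# wtmp/btmp and their rotated copies; btmp stays root-only by file mode`, would also record that the profile only permits the read and that DAC still governs who can see failed-login records. The `last` profile body starts before this hunk.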
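Review bot: The added rule `@{run}/systemd/userdb/io.systemd.DynamicUser w,` in the second `lastlog` hunk carries no explanation of why a read-only reporting tool needs write access to that path; from the name it is presumably the systemd userdb varlink socket, where `w` is the permission AppArmor requires for a unix-socket connect, but nothing in the hunk confirms that. A comment such as `# userdb lookup (nss-systemd varlink socket) — confirm` above the line would let the next maintainer judge the rule instead of guessing. It is also worth checking whether the same rule already belongs to the nameservice abstraction the profile includes, in which case this per-profile copy is redundant. The `lastlog` profile body starts before this hunk.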
--- a/apparmor.d/profiles-g-l/lscpu
+++ b/apparmor.d/profiles-g-l/lscpu
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/lscpu
 profile lscpu @{exec_path} {
 include
+ include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd
index 44e9dea5..9b9663e3 100644
--- a/apparmor.d/profiles-m-r/passwd
+++ b/apparmor.d/profiles-m-r/passwd
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/passwd
 profile passwd @{exec_path} {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top
index d31f30dd..0b403aed 100644
--- a/apparmor.d/profiles-s-z/top
+++ b/apparmor.d/profiles-s-z/top
@@ -11,6 +11,7 @@ include
 @{exec_path} = /{usr/,}bin/top
 profile top @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime
index 2ce034b7..32e1915a 100644
--- a/apparmor.d/profiles-s-z/uptime
+++ b/apparmor.d/profiles-s-z/uptime
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/uptime
 profile uptime @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices
index 7b12a972..271ebfb9 100644
--- a/apparmor.d/profiles-s-z/usb-devices
+++ b/apparmor.d/profiles-s-z/usb-devices
@@ -9,8 +9,12 @@ include
 @{exec_path} = /{usr/,}bin/usb-devices
 profile usb-devices @{exec_path} {
 include
+ include
 include
+ capability dac_read_search,
+ deny capability dac_override,
+
 @{exec_path} r,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w
index 230c7d65..9c12e5cf 100644
--- a/apparmor.d/profiles-s-z/w
+++ b/apparmor.d/profiles-s-z/w
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/w
 profile w @{exec_path} {
 include
+ include
 include
 include
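Review bot: `capability dac_read_search,` in the `usb-devices` hunk is a broad grant for a shell-script profile: it lifts read and search permission checks on every path the profile otherwise allows, and because the hunk runs the interpreter with `/{usr/,}bin/{,ba,da}sh rix,` the capability applies to the whole script rather than to the one lookup that presumably needs it. The hunk does not say which root-only path motivated it; a comment like `# needed to read root-only attributes (which path? — confirm); dac_override denied to keep the audit log quiet` above the two capability lines would record the justification, and if only a few files are involved, explicit file rules may be the narrower fix. The paired `deny capability dac_override,` is a sensible way to suppress audit noise and deserves the same one-line why. The `usb-devices` profile body continues past this hunk.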