diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 88811874..067a238e 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/apt
+@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get
 profile apt @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -33,19 +33,21 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/test rix,
 /{usr/,}bin/{,e}grep rix,
- /{usr/,}bin/ps rPx,
- /{usr/,}bin/dpkg rPx,
- /{usr/,}bin/apt-listbugs rPx,
- /{usr/,}bin/apt-listchanges rPx,
- /{usr/,}bin/apt-show-versions rPx,
- /{usr/,}sbin/dpkg-preconfigure rPx,
- /{usr/,}bin/debtags rPx,
- /{usr/,}sbin/localepurge rPx,
- /{usr/,}bin/appstreamcli rPx,
- /{usr/,}bin/adequate rPx,
- /{usr/,}sbin/update-command-not-found rPx,
- /usr/share/command-not-found/cnf-update-db rPx,
- /{usr/,}bin/dpkg-source rcx -> dpkg-source,
+ /{usr/,}{s,}bin/dpkg-preconfigure rPx,
+ /{usr/,}{s,}bin/localepurge rPx,
+ /{usr/,}{s,}bin/update-command-not-found rPx,
+ /{usr/,}bin/adequate rPx,
+ /{usr/,}bin/appstreamcli rPx,
+ /{usr/,}bin/apt-listbugs rPx,
+ /{usr/,}bin/apt-listchanges rPx,
+ /{usr/,}bin/apt-show-versions rPx,
+ /{usr/,}bin/debtags rPx,
+ /{usr/,}bin/dpkg rPx,
+ /{usr/,}bin/dpkg-source rcx -> dpkg-source,
+ /{usr/,}bin/etckeeper rPx,
+ /{usr/,}bin/ps rPx,
+ /{usr/,}lib/needrestart/apt-pinvoke rPx,
+ /usr/share/command-not-found/cnf-update-db rPx,
 # Methods to use to download packages from the net
 /{usr/,}lib/apt/methods/* rPx,
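Review bot: Adding `/{usr/,}bin/apt-get` to `@{exec_path}` changes how apt-get is enforced, not just where its rules live: the deleted `apt-get` profile was declared `flags=(complain)`, while `profile apt` here carries only `flags=(attach_disconnected)`, so apt-get moves from complain to enforce mode in the same commit. Rules the deleted profile had that do not appear in any hunk of the `apt` file — its capability list, `/dev/ptmx rw`, `/var/cache/apt/** rwk`, `@{user_build_dirs}/** rwkl`, the cron-apt `# file_inherit` rule — must already be in the unchanged body of `apt`, which is outside this diff and cannot be confirmed from here. A comment above the new line such as `# apt-get shares this profile; its former rules were diffed against this body before the merge` would record that the comparison was done. The profile body continues past the hunk.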
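Review bot: `/{usr/,}bin/etckeeper rPx,` and `/{usr/,}lib/needrestart/apt-pinvoke rPx,` are new hard `Px` transitions: if no profile for the target path is loaded the exec is denied outright rather than falling back, and since both are presumably reached through apt hook configuration, a missing profile would surface as apt hook failures during every run. Whether the repository ships profiles for these two paths is not visible in this diff; please confirm before merging, since `Px` (not `PUx`) is the right confinement choice and should stay once the profiles are known to exist. The reordering of the pre-existing rPx lines into alphabetical order and the `/{usr/,}{s,}bin/` widening for the three sbin tools are otherwise neutral.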
@@ -57,11 +59,20 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 /var/log/apt/eipp.log.xz w,
 /var/log/apt/{term,history}.log w,
+ # For building the source after the download process is finished (apt-get source --compile)
+ /{usr/,}bin/dpkg-buildpackage rPUx,
+
 # For editing the sources.list file
 /etc/apt/sources.list rwk,
 /{usr/,}bin/sensible-editor rCx -> editor,
 /{usr/,}bin/vim.* rCx -> editor,
+ # For changelogs
+ /tmp/apt-changelog-*/ w,
+ owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
+ /tmp/apt-changelog-*/*.changelog w,
+ /{usr/,}bin/sensible-pager rCx -> pager,
+
 /var/lib/dpkg/** r,
 /var/lib/dpkg/lock{,-frontend} rwk,
@@ -108,6 +119,29 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 }
+ profile pager {
+ include
+ include
+
+ capability dac_read_search,
+
+ /{usr/,}bin/ r,
+ /{usr/,}bin/sensible-pager mr,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ /{usr/,}bin/which{,.debianutils} rix,
+ /{usr/,}bin/less rix,
+
+ owner @{HOME}/.less* rw,
+
+ owner /tmp/apt-changelog-*/ r,
+ owner /tmp/apt-changelog-*/*.changelog r,
+
+ # For shell pwd
+ /root/ r,
+
+ }
+
 profile dpkg-source flags=(complain) {
 include
 include
diff --git a/apparmor.d/groups/apt/apt-get b/apparmor.d/groups/apt/apt-get
deleted file mode 100644
index 22fbbe35..00000000
--- a/apparmor.d/groups/apt/apt-get
+++ /dev/null
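Review bot: `/{usr/,}bin/dpkg-buildpackage rPUx,` runs the build unconfined whenever no `dpkg-buildpackage` profile is loaded, and `apt-get source --compile` executes the downloaded package's own build scripts, so this is the one rule in the profile where apt hands control to content it fetched; the `# (#FIXME#)` line that flagged exactly this in the deleted apt-get profile was dropped in the merge. Keep the marker next to the rule so the fallback is not forgotten, e.g. `# FIXME: rPUx falls back to unconfined until a dpkg-buildpackage profile exists`. The three changelog rules are also inconsistent about `owner`: the privs-test file is owner-restricted while the directory and `*.changelog` writes are not, even though the `pager` child reads both with `owner`; if the looser form is needed because apt writes them after switching uid, a comment saying so would stop the next reviewer from tightening it.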
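Review bot: `capability dac_read_search,` in the new `pager` child profile carries no comment explaining why a changelog pager needs to bypass directory read permission checks; it is copied verbatim from the deleted apt-get profile, where it was equally unexplained, and it is the broadest grant in the child. If it exists only so `less` can reach files under `/tmp/apt-changelog-*/` that another uid created, a line such as `# dac_read_search: open the changelog dir created by apt — confirm from audit log` records the reason and lets the capability be dropped once the two `owner` rules below are shown to suffice. The `/root/ r` rule by contrast is already documented with `# For shell pwd`.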
@@ -1,146 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = /{usr/,}bin/apt-get
-profile apt-get @{exec_path} flags=(complain) {
- include
- include
- include
- include
-
- capability chown,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability fsetid,
- capability kill,
- capability net_admin,
- capability setgid,
- capability setuid,
-
- signal (send) peer=apt-methods-*,
-
- @{exec_path} mr,
-
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/test rix,
- /{usr/,}bin/{,e}grep rix,
-
- /{usr/,}bin/ps rPx,
- /{usr/,}bin/dpkg rPx,
- /{usr/,}bin/apt-listbugs rPx,
- /{usr/,}bin/apt-listchanges rPx,
- /{usr/,}bin/apt-show-versions rPx,
- /{usr/,}sbin/dpkg-preconfigure rPx,
- /{usr/,}bin/debtags rPx,
- /{usr/,}sbin/localepurge rPx,
- /{usr/,}bin/appstreamcli rPx,
- /{usr/,}bin/adequate rPx,
- /{usr/,}sbin/update-command-not-found rPx,
- /usr/share/command-not-found/cnf-update-db rPx,
- /{usr/,}bin/dpkg-source rcx -> dpkg-source,
-
- # Methods to use to download packages from the net
- /{usr/,}lib/apt/methods/* rPx,
-
- /var/lib/apt/lists/** rw,
- /var/lib/apt/lists/lock rwk,
- /var/lib/apt/extended_states{,.*} rw,
-
- /var/log/apt/eipp.log.xz w,
- /var/log/apt/{term,history}.log w,
-
- # For building the source after the download process is finished (apt-get source --compile)
- # (#FIXME#)
- /{usr/,}bin/dpkg-buildpackage rPUx,
-
- # For changelogs
- /tmp/apt-changelog-*/ w,
- owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
- /tmp/apt-changelog-*/*.changelog w,
- /{usr/,}bin/sensible-pager rCx -> pager,
-
- /var/lib/dpkg/** r,
- /var/lib/dpkg/lock{,-frontend} rwk,
-
- owner @{PROC}/@{pid}/fd/ r,
-
- /dev/ptmx rw,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- /tmp/ r,
- owner /tmp/apt-tmp-index.* rw,
- owner /tmp/apt-dpkg-install-*/ rw,
- owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
-
- /var/cache/apt/ r,
- /var/cache/apt/** rwk,
-
- # For package building
- @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
-
- # file_inherit
- owner /var/log/cron-apt/temp w,
-
-
- profile pager {
- include
- include
-
- capability dac_read_search,
-
- /{usr/,}bin/ r,
- /{usr/,}bin/sensible-pager mr,
- /{usr/,}bin/{,ba,da}sh rix,
-
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/less rix,
-
- owner @{HOME}/.less* rw,
-
- owner /tmp/apt-changelog-*/ r,
- owner /tmp/apt-changelog-*/*.changelog r,
-
- # For shell pwd
- /root/ r,
-
- }
-
- profile dpkg-source flags=(complain) {
- include
- include
- include
-
- /{usr/,}bin/dpkg-source mr,
- /{usr/,}bin/perl r,
-
- /{usr/,}bin/tar rix,
- /{usr/,}bin/bunzip2 rix,
- /{usr/,}bin/gunzip rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/xz rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/chmod rix,
-
- /{usr/,}bin/patch rix,
-
- /etc/dpkg/origins/debian r,
-
- owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
- owner @{HOME}/** rwkl -> @{HOME}/**,
- audit deny owner @{HOME}/.* mrwkl,
- audit deny owner @{HOME}/.*/ rw,
- audit deny owner @{HOME}/.*/** mrwkl,
-
- }
-
- include if exists
-}