From b9343c50c2c47c48702c2a3593b3399dbc133dba Mon Sep 17 00:00:00 2001
From: Mikhail Morfikov
Date: Sun, 27 Sep 2020 22:26:01 +0200
Subject: [PATCH] update apparmor profiles
---
 apparmor.d/dh | 2 +
 apparmor.d/dhclient-script | 3 +
 apparmor.d/firefox | 4 +-
 apparmor.d/lintian | 1 +
 apparmor.d/torbrowser.Browser.firefox | 2 +
 apparmor.d/tunables/ntpd | 15 +++++
 apparmor.d/update-pciids | 6 +-
 apparmor.d/usr.sbin.ntpd | 91 +++++++++++++++++++++++++++
 8 files changed, 118 insertions(+), 6 deletions(-)
 create mode 100644 apparmor.d/tunables/ntpd
 create mode 100644 apparmor.d/usr.sbin.ntpd
diff --git a/apparmor.d/dh b/apparmor.d/dh
index 20db1559..752150ca 100644
--- a/apparmor.d/dh
+++ b/apparmor.d/dh
@@ -32,6 +32,8 @@ profile dh @{exec_path} flags=(complain) {
 /{usr/,}bin/rm rix,
 /{usr/,}bin/mkdir rix,
+ /{usr/,}bin/dpkg-vendor rPx,
+ /usr/share/python/pyversions.py rCx -> python,
 /usr/share/python3/py3versions.py rCx -> python,
 /usr/share/dh-python/* rCx -> python,
diff --git a/apparmor.d/dhclient-script b/apparmor.d/dhclient-script
index 3497a24d..b2ce161d 100644
--- a/apparmor.d/dhclient-script
+++ b/apparmor.d/dhclient-script
@@ -85,6 +85,9 @@ profile dhclient-script @{exec_path} {
 /{usr/,}bin/printenv rix,
 owner /tmp/variables.txt w,
+ # For ntpd/ntpsec
+ /{var/,}run/systemd/netif/leases/ r,
+ # file_inherit
 /var/lib/dhcp/dhclient.leases r,
diff --git a/apparmor.d/firefox b/apparmor.d/firefox
index 54d45a7a..3c5db6e5 100644
--- a/apparmor.d/firefox
+++ b/apparmor.d/firefox
@@ -58,8 +58,8 @@ profile firefox @{exec_path} {
 @{MOZ_LIBDIR}/*.so mr,
 @{MOZ_LIBDIR}/crashreporter rPx,
 @{MOZ_LIBDIR}/minidump-analyzer rPx,
- @{MOZ_LIBDIR}/pingsender rPx,
- @{MOZ_LIBDIR}/plugin-container rPx,
+ #@{MOZ_LIBDIR}/pingsender rPx,
+ #@{MOZ_LIBDIR}/plugin-container rPx,
 /usr/share/firefox/{,**} r,
 /etc/firefox/{,**} r,
diff --git a/apparmor.d/lintian b/apparmor.d/lintian
index 1107c6bf..d7005909 100644
--- a/apparmor.d/lintian
+++ b/apparmor.d/lintian
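Review bot: `/{usr/,}bin/dpkg-vendor rPx,` transitions into a separate profile for dpkg-vendor, which has to exist for the exec to be permitted once dh leaves complain mode; the diffstat of this commit adds no `apparmor.d/dpkg-vendor`, so either that profile is already in the repo or it should land in the same change. While dh is `flags=(complain)` a missing target profile only shows up as a logged unconfined exec, which is easy to overlook. If dpkg-vendor does not warrant confinement of its own, `rix` like the neighbouring rm/mkdir rules is the alternative, at the cost of inheriting dh's permissions. The `profile dh` block continues beyond this hunk.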
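Review bot: `/{var/,}run/systemd/netif/leases/ r,` permits only listing the directory, not reading the lease files inside it, and the comment `# For ntpd/ntpsec` does not say which hook needs it; if the consumer (presumably the ntpsec dhclient exit hook) goes on to read lease contents, the next denial will be on those files. Naming the consumer in the comment, e.g. `# ntpsec dhclient exit hook looks for systemd-networkd leases`, would make any later widening easy to justify or reject. The `profile dhclient-script` block continues outside this hunk.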
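Review bot: Commenting out `@{MOZ_LIBDIR}/pingsender rPx,` and `@{MOZ_LIBDIR}/plugin-container rPx,` leaves no rule for those executables, so in this enforce-mode profile their exec is now denied unless another rule in the file still covers @{MOZ_LIBDIR}, and the hunk does not record whether that denial is the intent (keeping telemetry uploads off) or a temporary workaround. A comment above the two lines, e.g. `# pingsender (telemetry) and plugin-container intentionally not allowed`, would stop the next reader from restoring them, and if the denial is intended `deny @{MOZ_LIBDIR}/pingsender x,` states it explicitly and keeps the audit log quiet. If this Firefox build still launches plugin-container, the breakage will surface as a denied exec in the log rather than as a visible error. The `profile firefox` block continues beyond this hunk.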
@@ -52,6 +52,7 @@ profile lintian @{exec_path} flags=(complain) {
 /{usr/,}bin/gunzip rix,
 /{usr/,}bin/filterdiff rix,
 /{usr/,}bin/lexgrog rix,
+ /{usr/,}bin/mv rix,
 /{usr/,}bin/{,@{multiarch}-}ar rix,
 /{usr/,}bin/{,@{multiarch}-}readelf rix,
diff --git a/apparmor.d/torbrowser.Browser.firefox b/apparmor.d/torbrowser.Browser.firefox
index 4363cdfa..57c03594 100644
--- a/apparmor.d/torbrowser.Browser.firefox
+++ b/apparmor.d/torbrowser.Browser.firefox
@@ -73,6 +73,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
 owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
 owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
 owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
+ owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr,
+ owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr,
 # parent Firefox process when restarting after upgrade, Web Content processes
 owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,
diff --git a/apparmor.d/tunables/ntpd b/apparmor.d/tunables/ntpd
new file mode 100644
index 00000000..1fc2d8fa
--- /dev/null
+++ b/apparmor.d/tunables/ntpd
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2011 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#Add your ntpd devices here eg. if you have a DCF clock
+# @{NTPD_DEVICE}="/dev/ttyS1"
+@{NTPD_DEVICE}="/dev/null"
diff --git a/apparmor.d/update-pciids b/apparmor.d/update-pciids
index 0c1e4136..65f0898f 100644
--- a/apparmor.d/update-pciids
+++ b/apparmor.d/update-pciids
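Review bot: The two added libstdc++ rules in the torbrowser.Browser.firefox hunk repeat the two context lines above them with one extra path component; `owner @{torbrowser_home_dir}/TorBrowser/Tor/{,libstdc++/}*.so mr,` and `owner @{torbrowser_home_dir}/TorBrowser/Tor/{,libstdc++/}*.so.* mr,` express all four rules in two lines, in the same alternation style the repo already uses for `/{usr/,}bin/`. This is purely a matter of form; the permissions granted are identical. The `profile torbrowser_firefox` block continues beyond the hunk.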
@@ -41,10 +41,8 @@ profile update-pciids @{exec_path} {
 /{usr/,}bin/curl rCx -> browse,
 /{usr/,}bin/lynx rCx -> browse,
- /usr/share/misc/ r,
- /usr/share/misc/pci.ids* rw,
- link /usr/share/misc/pci.ids.gz.old -> /usr/share/misc/pci.ids.gz,
- link /usr/share/misc/pci.ids.old -> /usr/share/misc/pci.ids,
+ /usr/share/misc/ r,
+ /usr/share/misc/* rwl -> /usr/share/misc/*,
 profile browse {
diff --git a/apparmor.d/usr.sbin.ntpd b/apparmor.d/usr.sbin.ntpd
new file mode 100644
index 00000000..e8225d7d
--- /dev/null
+++ b/apparmor.d/usr.sbin.ntpd
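Review bot: `/usr/share/misc/* rwl -> /usr/share/misc/*,` widens the previous pci.ids-only rules to write and link every file under /usr/share/misc, a directory shared with other packages, and update-pciids writes data it has just fetched over the network through the `browse` child profile, so a scripting bug or a bad download can now clobber unrelated files there. The same `rwl ->` form works when narrowed to what the script actually handles: `/usr/share/misc/pci.ids* rwl -> /usr/share/misc/pci.ids*,`. If the old `link` rules were dropped because they did not match the names the script produces, the glob on both sides of `->` covers that while keeping the scope to pci.ids. The `profile update-pciids` block continues beyond this hunk.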
@@ -0,0 +1,91 @@
+# vim:syntax=apparmor
+# Updated for Ubuntu by: Jamie Strandboge
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+#include
+/usr/sbin/ntpd flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+
+ capability ipc_lock,
+ capability net_admin,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_resource,
+ capability sys_time,
+ capability sys_nice,
+
+ # Needed to create logs
+ #capability dac_override,
+
+ # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
+ network dgram,
+ network stream,
+
+ @{PROC}/net/if_inet6 r,
+ @{PROC}/*/net/if_inet6 r,
+ @{NTPD_DEVICE} rw,
+ # pps devices are almost exclusively used with NTP
+ /dev/pps[0-9]* rw,
+
+ /{,s}bin/ r,
+ /usr/{,s}bin/ r,
+ /usr/local/{,s}bin/ r,
+ /usr/sbin/ntpd rmix,
+
+ /etc/ntpsec/ntp.conf r,
+ /etc/ntpsec/ntp.d/ r,
+ /etc/ntpsec/ntp.d/*.conf r,
+ /run/ntpsec/ntp.conf.dhcp r,
+
+ /etc/ntpsec/cert-chain.pem r,
+ /etc/ntpsec/key.pem r,
+ /etc/ntpsec/ntp.keys r,
+
+ /var/lib/ntpsec/ntp.drift rw,
+ /var/lib/ntpsec/ntp.drift-tmp rw,
+ /var/lib/ntpsec/nts-keys rw,
+ /usr/share/zoneinfo/leap-seconds.list rw,
+
+ /var/log/ntp w,
+ /var/log/ntp.log w,
+ /var/log/ntpd w,
+ /var/log/ntpsec/clockstats* rwl,
+ /var/log/ntpsec/loopstats* rwl,
+ /var/log/ntpsec/peerstats* rwl,
+ /var/log/ntpsec/protostats* rwl,
+ /var/log/ntpsec/rawstats* rwl,
+ /var/log/ntpsec/sysstats* rwl,
+ /var/log/ntpsec/usestats.* rwl,
+
+ /{,var/}run/ntpd.pid w,
+
+ # to be able to check for running ntpdate
+ /run/lock/ntpsec-ntpdate wk,
+
+ # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
+ /var/lib/samba/ntp_signd/socket rw,
+
+ # For use with clocks that report via shared memory (e.g. gpsd),
+ # you may need to give ntpd access to all of shared memory, though
+ # this can be considered dangerous. See https://launchpad.net/bugs/722815
+ # for details. To enable, add this to local/usr.sbin.ntpd:
+ # capability ipc_owner,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
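Review bot: `/usr/share/zoneinfo/leap-seconds.list rw,` gives ntpd write access to a file shipped by tzdata and read by other software; if ntpd only consumes it through its `leapfile` directive, `/usr/share/zoneinfo/leap-seconds.list r,` is enough and whatever refreshes the file belongs in its own profile, which is worth confirming against the ntpsec configuration in use. The header also departs from the rest of the repo: the profile is attached by the bare path `/usr/sbin/ntpd` and self-execs via `/usr/sbin/ntpd rmix,`, while every other profile in this commit uses `/{usr/,}…` globs and `@{exec_path}`; `@{exec_path} = /{usr/,}sbin/ntpd` with `profile ntpd @{exec_path} flags=(attach_disconnected) {` would keep it consistent. Separately, `network dgram,` and `network stream,` permit any address family although the comment above them names only AF_INET/AF_INET6/AF_UNSPEC, and the `#include` lines show no target here, presumably lost when the patch was rendered, so the committed file should be checked for `#include <tunables/global>` and `#include <tunables/ntpd>` since `@{NTPD_DEVICE}` and `@{PROC}` depend on them.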