update apparmor profiles

This commit is contained in:
Mikhail Morfikov 2020-09-27 22:26:01 +02:00
parent b29f579865
commit b9343c50c2
8 changed files with 118 additions and 6 deletions


@ -32,6 +32,8 @@ profile dh @{exec_path} flags=(complain) {
/{usr/,}bin/rm rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/dpkg-vendor rPx,
/usr/share/python/pyversions.py rCx -> python,
/usr/share/python3/py3versions.py rCx -> python,
/usr/share/dh-python/* rCx -> python,


@ -85,6 +85,9 @@ profile dhclient-script @{exec_path} {
/{usr/,}bin/printenv rix,
owner /tmp/variables.txt w,
# For ntpd/ntpsec
/{var/,}run/systemd/netif/leases/ r,
# file_inherit
/var/lib/dhcp/dhclient.leases r,
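Review bot: The new rule `/{var/,}run/systemd/netif/leases/ r,` ends in a slash, so it grants read on the directory entry itself (listing it) and not on the lease files inside; if the ntpd/ntpsec hook reads those files it also needs something like `/{var/,}run/systemd/netif/leases/* r,`. The hunk header says three lines were added but fewer than its nine lines survive this rendering, so that rule may simply be among the lines not shown. The comment `# For ntpd/ntpsec` would be more useful if it named the hook script that needs the access rather than the consumer. The dhclient-script profile continues outside the hunk.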


@ -58,8 +58,8 @@ profile firefox @{exec_path} {
@{MOZ_LIBDIR}/*.so mr,
@{MOZ_LIBDIR}/crashreporter rPx,
@{MOZ_LIBDIR}/minidump-analyzer rPx,
@{MOZ_LIBDIR}/pingsender rPx,
@{MOZ_LIBDIR}/plugin-container rPx,
#@{MOZ_LIBDIR}/pingsender rPx,
#@{MOZ_LIBDIR}/plugin-container rPx,
/usr/share/firefox/{,**} r,
/etc/firefox/{,**} r,
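Review bot: With the `+`/`-` markers lost, it is not recoverable whether the active `@{MOZ_LIBDIR}/pingsender rPx,` / `@{MOZ_LIBDIR}/plugin-container rPx,` pair or the commented copies below them is the new side, and the two readings have very different effect. If the active pair is new, each `rPx` target needs a profile attached to that path to exist, otherwise the exec is denied rather than falling back to this profile. If the commented pair is new, this hunk leaves `plugin-container` (the Firefox child-process helper) with no exec rule at all, and `@{MOZ_LIBDIR}/*.so mr,` does not cover it, so child launches would be denied unless a rule outside the hunk matches that path. A one-line comment next to whichever pair is kept, e.g. `# pingsender/plugin-container get their own profiles` or `# no separate profiles; inherit via ix`, would make the direction self-evident. The firefox profile continues outside the hunk.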


@ -52,6 +52,7 @@ profile lintian @{exec_path} flags=(complain) {
/{usr/,}bin/gunzip rix,
/{usr/,}bin/filterdiff rix,
/{usr/,}bin/lexgrog rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/{,@{multiarch}-}ar rix,
/{usr/,}bin/{,@{multiarch}-}readelf rix,


@ -73,6 +73,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so mr,
owner @{torbrowser_home_dir}/TorBrowser/Tor/libstdc++/*.so.* mr,
# parent Firefox process when restarting after upgrade, Web Content processes
owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,
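Review bot: The added `owner @{torbrowser_firefox_executable} pxmr -> torbrowser_firefox,` names the profile it already sits in (`profile torbrowser_firefox` in the hunk header), so for an exec started from this profile it is equivalent in confinement to `owner @{torbrowser_firefox_executable} mrix,`; the explicit transition only changes anything when the exec is initiated from a child profile or hat that should return to the parent, and lowercase `px` does not scrub the environment either. If returning to the parent from a child is the intent, the comment on the line above should say so, e.g. `# re-exec of the browser returns to the parent profile instead of inheriting a child`; otherwise `mrix` states the intent more directly. The torbrowser_firefox profile continues outside the hunk.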

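--- a/apparmor.d/tunables/ntpd
+++ b/apparmor.d/tunables/ntpd
@@ -0,0 +1,15 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2011 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#Add your ntpd devices here eg. if you have a DCF clock
+# @{NTPD_DEVICE}="/dev/ttyS1"
+@{NTPD_DEVICE}="/dev/null"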


@ -41,10 +41,8 @@ profile update-pciids @{exec_path} {
/{usr/,}bin/curl rCx -> browse,
/{usr/,}bin/lynx rCx -> browse,
/usr/share/misc/ r,
/usr/share/misc/pci.ids* rw,
link /usr/share/misc/pci.ids.gz.old -> /usr/share/misc/pci.ids.gz,
link /usr/share/misc/pci.ids.old -> /usr/share/misc/pci.ids,
/usr/share/misc/ r,
/usr/share/misc/* rwl -> /usr/share/misc/*,
profile browse {
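Review bot: The replacement rule `/usr/share/misc/* rwl -> /usr/share/misc/*,` is far broader than the `pci.ids*` rules it replaces: it lets update-pciids overwrite, or link over, every file in `/usr/share/misc/` (other databases and anything else packages install there), where the old rules limited writes to `pci.ids*` and links to the two `.old` names. If the reason for the change is that the fixed `link` targets did not match the names the script actually produces, the tighter form `/usr/share/misc/pci.ids* rwl -> /usr/share/misc/pci.ids*,` keeps the glob within the pci.ids family while still allowing any rename or link among those names. Line sides are inferred from the hunk counts (10 old, 8 new lines) because the markers are lost in this rendering. The update-pciids profile continues outside the hunk.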

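--- a/apparmor.d/usr.sbin.ntpd
+++ b/apparmor.d/usr.sbin.ntpd
@@ -0,0 +1,91 @@
+# vim:syntax=apparmor
+# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2009-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+#include <tunables/global>
+#include <tunables/ntpd>
+/usr/sbin/ntpd flags=(attach_disconnected) {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/user-tmp>
+#include <abstractions/openssl>
+capability ipc_lock,
+capability net_admin,
+capability net_bind_service,
+capability setgid,
+capability setuid,
+capability sys_chroot,
+capability sys_resource,
+capability sys_time,
+capability sys_nice,
+# Needed to create logs
+#capability dac_override,
+# ntp uses AF_INET, AF_INET6 and AF_UNSPEC
+network dgram,
+network stream,
+@{PROC}/net/if_inet6 r,
+@{PROC}/*/net/if_inet6 r,
+@{NTPD_DEVICE} rw,
+# pps devices are almost exclusively used with NTP
+/dev/pps[0-9]* rw,
+/{,s}bin/ r,
+/usr/{,s}bin/ r,
+/usr/local/{,s}bin/ r,
+/usr/sbin/ntpd rmix,
+/etc/ntpsec/ntp.conf r,
+/etc/ntpsec/ntp.d/ r,
+/etc/ntpsec/ntp.d/*.conf r,
+/run/ntpsec/ntp.conf.dhcp r,
+/etc/ntpsec/cert-chain.pem r,
+/etc/ntpsec/key.pem r,
+/etc/ntpsec/ntp.keys r,
+/var/lib/ntpsec/ntp.drift rw,
+/var/lib/ntpsec/ntp.drift-tmp rw,
+/var/lib/ntpsec/nts-keys rw,
+/usr/share/zoneinfo/leap-seconds.list rw,
+/var/log/ntp w,
+/var/log/ntp.log w,
+/var/log/ntpd w,
+/var/log/ntpsec/clockstats* rwl,
+/var/log/ntpsec/loopstats* rwl,
+/var/log/ntpsec/peerstats* rwl,
+/var/log/ntpsec/protostats* rwl,
+/var/log/ntpsec/rawstats* rwl,
+/var/log/ntpsec/sysstats* rwl,
+/var/log/ntpsec/usestats.* rwl,
+/{,var/}run/ntpd.pid w,
+# to be able to check for running ntpdate
+/run/lock/ntpsec-ntpdate wk,
+# To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
+/var/lib/samba/ntp_signd/socket rw,
+# For use with clocks that report via shared memory (e.g. gpsd),
+# you may need to give ntpd access to all of shared memory, though
+# this can be considered dangerous. See https://launchpad.net/bugs/722815
+# for details. To enable, add this to local/usr.sbin.ntpd:
+# capability ipc_owner,
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.sbin.ntpd>
+}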
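Review bot: `/usr/share/zoneinfo/leap-seconds.list rw,` gives the daemon write access to a package-managed file under /usr/share; if ntpd only reads the leap file and the refresh is done by a separate helper, `r` is sufficient — confirm against the ntpsec packaging before keeping `w`. The rules `network dgram,` and `network stream,` grant every address family although the comment above them states ntp uses AF_INET, AF_INET6 and AF_UNSPEC; `network inet dgram,` / `network inet6 dgram,` / `network inet stream,` / `network inet6 stream,` would match the comment, with any other family the daemon turns out to need listed explicitly. The profile is visibly derived from the Ubuntu ntp profile (header lines) with paths moved to ntpsec, so a line such as `# Adapted from Ubuntu's usr.sbin.ntpd for the ntpsec packaging; paths under /etc/ntpsec and /var/lib/ntpsec` near the top would tell a reader why an ntpd profile references ntpsec locations. Blank lines appear to have been dropped in this rendering, which is why fewer than the header's 91 lines are shown.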