From b9fb4b72d2144d168a6ad30fb52630a0c9118349 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Sep 2023 12:41:47 +0100
Subject: [PATCH] fix: minor profiles fixes.
---
 apparmor.d/groups/systemd/systemd-journald | 2 +-
 apparmor.d/groups/systemd/systemd-udevd | 2 +-
 apparmor.d/profiles-a-f/aa-enforce | 2 +-
 apparmor.d/profiles-a-f/adduser | 5 +++--
 apparmor.d/profiles-s-z/snap | 1 +
 dists/flags/main.flags | 7 ++++---
 6 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 315306ff..f3aa69db 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -31,7 +31,7 @@ profile systemd-journald @{exec_path} {
 @{run}/log/ rw,
 /{run,var}/log/journal/ rw,
 /{run,var}/log/journal/@{md5}/ rw,
- /{run,var}/log/journal/@{md5}/* rw -> /{run,var}/log/journal/@{md5}/#@{int},
+ /{run,var}/log/journal/@{md5}/* rwl -> /{run,var}/log/journal/@{md5}/#@{int},
 owner @{run}/systemd/journal/{,**} rw,
 owner @{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index bf9400da..2babbc19 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -119,7 +119,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 deny /apparmor/.null rw,
- profile systemctl {
+ profile systemctl flags=(attach_disconnected,complain) {
 include
 include
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce
index 32a25ef1..8e83405e 100644
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@@ -19,7 +19,7 @@ profile aa-enforce @{exec_path} {
 @{bin}/ r,
 @{bin}/apparmor_parser rPx,
- /usr/share/terminfo/x/* r,
+ /usr/share/terminfo/{,**} r,
 /etc/apparmor/logprof.conf r,
 /etc/apparmor.d/{,**} rw,
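Review bot: The new `rwl -> …/#@{int}` rule in systemd-journald has no comment explaining why journald needs link permission on journal files, and a bare `l` grant on `@{md5}/*` is not self-explanatory to the next maintainer. The `->` target is what keeps the grant narrow: links may only be created under the `#@{int}` names inside the same journal directory, so that restriction is worth keeping. A one-line comment above the rule, e.g. `# journald links journal files to '#<n>' temp names on rotation/disposal (confirm against the original denial)`, would record the reason. The enclosing `profile systemd-journald` block starts and ends outside the hunk.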
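Review bot: The `systemctl` child profile in systemd-udevd now hardcodes `flags=(attach_disconnected,complain)`, while the same flags for the parent are also being added to `dists/flags/main.flags` (the `systemd-udevd attach_disconnected,complain` line in the last hunk of this patch). If the flags file is what the build uses to move profiles from complain to enforce, this child profile will silently stay in complain mode after the parent is switched, so the inline flags are easy to forget. A comment above the child header such as `# NOTE: flags are hardcoded here; update when systemd-udevd leaves complain mode in dists/flags/main.flags` would make the coupling visible, or the flags tooling could be extended to cover child profiles. The parent `profile systemd-udevd` block starts and ends outside the hunk.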
diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser
index 3c6006dd..149d3877 100644
--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -42,12 +43,12 @@ profile adduser @{exec_path} {
 /etc/adduser.conf r,
 /etc/skel/{,.*} r,
- @{run}/adduser wk,
-
 # To create user dirs and copy files from /etc/skel/ to them
 @{HOME}/ rw,
 @{HOME}/.* w,
 /var/lib/*/{,*} rw,
+ @{run}/adduser wk,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 3a4d3af5..3b510c1b 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -102,6 +102,7 @@ profile snap @{exec_path} {
 owner @{HOME}/.snap/gnupg/ rw,
 owner @{HOME}/.snap/gnupg/** rwkl,
+ include if exists
 }
 include if exists
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 14a67e81..427d7783 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -36,8 +36,8 @@ busctl complain
 cc-remote-login-helper complain
 cfdisk complain
 cgdisk complain
-chpasswd complain
 child-open complain
+chpasswd complain
 chronyd attach_disconnected,complain
 cockpit-askpass complain
 cockpit-bridge complain
@@ -198,7 +198,7 @@ mke2fs complain
 ModemManager attach_disconnected,complain
 molly-guard complain
 mount attach_disconnected,complain
-multipath complain
+multipath attach_disconnected,complain
 multipathd complain
 mutter-x11-frames complain
 nautilus complain
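Review bot: `multipath` gains `attach_disconnected` in the second main.flags hunk with no rationale in the hunk or in the commit message, which only says "minor profiles fixes". `attach_disconnected` makes paths that are disconnected from the namespace root match the profile's existing path rules as if they were rooted, so it widens what those rules cover rather than being a cosmetic tweak. Citing the denial that motivated it (an `info="Failed name lookup - disconnected path"` entry, if that is what was seen) in the commit message would let the flag be revisited when the profile moves to enforce. The first main.flags hunk only re-sorts `chpasswd`, so nothing to raise there.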
@@ -292,10 +292,11 @@ systemd-random-seed complain
 systemd-remount-fs complain
 systemd-resolve complain
 systemd-resolved attach_disconnected,complain
-systemd-sleep complain
 systemd-shutdown complain
+systemd-sleep complain
 systemd-timedated attach_disconnected,complain
 systemd-tty-ask-password-agent complain
+systemd-udevd attach_disconnected,complain
 systemd-update-done complain
 systemd-update-utmp complain
 systemd-user-generators-autostart complain