feat(profile): modernise the crontab profile.

fix #428
2025-01-31 07:17:22 +01:00 · 2024-08-28 19:19:21 +01:00 · 2024-08-28 19:19:21 +01:00 · bb1c4e0537
commit bb1c4e0537
parent 09aef5131e
4 changed files with 19 additions and 7 deletions
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@ -1,16 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # Copyright (C) 2024 Zane Zakraisek <zz@eng.utah.edu>
 # SPDX-License-Identifier: GPL-2.0-only

  include <abstractions/nameservice-strict>

+  @{sh_path}                   rix,
+  @{bin}/nvim                 mrix,
  @{bin}/sensible-editor        mr,
  @{bin}/vim{,.*}             mrix,
-  @{sh_path}                   rix,
  @{bin}/which{,.debianutils}  rix,

-  /usr/share/vim/{,**} r,
+  /usr/share/nvim/{,**} r,
  /usr/share/terminfo/** r,
+  /usr/share/vim/{,**} r,

  /etc/vimrc r,
  /etc/vim/{,**} r,
@ -19,11 +22,11 @@
  owner @{HOME}/.viminf@{c}{,.tmp} rw,
  owner @{HOME}/.vimrc r,

-  # Vim swap file 
  owner @{HOME}/ r,
  owner @{user_cache_dirs}/ r,
  owner @{user_cache_dirs}/vim/{,**} rw,
  owner @{user_config_dirs}/vim/{,**} r,
+  owner @{user_state_dirs}/nvim/{,**} rw,

  include if exists <abstractions/app/editor.d>

--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -10,9 +10,12 @@ include <tunables/global>
@{exec_path} = @{bin}/crontab
 profile crontab @{exec_path} {
  include <abstractions/base>
+  include <abstractions/authentication>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

+  capability dac_read_search,
+  capability net_admin,
  capability setgid,
  capability setuid,

@ -23,15 +26,17 @@ profile crontab @{exec_path} {
  # When editing the crontab file
  @{bin}/sensible-editor rCx -> editor,
  @{bin}/vim.*           rCx -> editor,
+  @{bin}/nvim            rCx -> editor,

  /etc/cron.{allow,deny} r,
  /etc/pam.d/* r,

        /var/spool/cron/ r,
        /var/spool/cron/crontabs/ rw,
+        /var/spool/cron/user r,
  owner /var/spool/cron/crontabs/* rw,

-  owner @{tmp}/crontab.*/{,crontab} rw,
+  owner @{tmp}/crontab.@{rand6}/{,crontab} rw,

  profile editor {
    include <abstractions/base>
@ -42,7 +47,8 @@ profile crontab @{exec_path} {
    /etc/cron.{allow,deny} r,

          /tmp/ r,
-    owner @{tmp}/crontab.*/crontab rw,
+    owner @{tmp}/crontab.@{rand6}/crontab rw,
+    owner @{tmp}/crontab.@{rand6} rw,

    include if exists <local/crontab_editor>
  }
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@ -35,6 +35,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain

  ptrace (read) peer=flatpak-app,

+  signal send peer=flatpak-app,
+
  @{exec_path} mr,

  @{bin}/bwrap               rPx -> flatpak-app,
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@ -44,8 +44,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
  ptrace (read),
  ptrace trace peer=flatpak-app,

-  signal (receive) set=(int term) peer=flatpak-portal,
-  signal (receive) set=(int) peer=flatpak-session-helper,
+  signal receive peer=flatpak,
+  signal receive set=(int term) peer=flatpak-portal,
+  signal receive set=(int) peer=flatpak-session-helper,

  @{bin}/**                            rmix,
  @{lib}/**                            rmix,