diff --git a/apparmor.d/groups/ubuntu/notify-updates-outdated b/apparmor.d/groups/ubuntu/notify-updates-outdated new file mode 100644 index 00000000..e04b02fe --- /dev/null +++ b/apparmor.d/groups/ubuntu/notify-updates-outdated @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/update-notifier/notify-updates-outdated +profile notify-updates-outdated @{exec_path} { + include + include + + @{exec_path} mr, + + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/gettext rix, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/pro b/apparmor.d/groups/ubuntu/pro new file mode 100644 index 00000000..52cfe5b6 --- /dev/null +++ b/apparmor.d/groups/ubuntu/pro @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/pro +profile pro @{exec_path} { + include + include + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index ba28472e..842e50a3 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -65,6 +65,7 @@ profile software-properties-gtk @{exec_path} { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/snapd/desktop/icons/ r, + /var/lib/ubuntu-advantage/status.json r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 65109130..d54a4bc4 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage 
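Review bot: The new `pro` profile allows only `@{exec_path} mr` plus its includes, so whether it works depends on what `/{usr/,}bin/pro` actually is: if it is a wrapper that execs `ubuntu-advantage`, that exec is denied and the profile needs `/{usr/,}bin/ubuntu-advantage rPx,`; if it is a symlink to that binary (as shipped by some ubuntu-advantage-tools releases), AppArmor attaches by the resolved path and this profile never attaches at all. Worth confirming on the target release and recording the answer in a comment above the `profile pro` line, e.g. `# pro: front end for ubuntu-advantage (wrapper, not a symlink) — TODO confirm`. A profile with no exec rules for a command-line front end is otherwise hard for the next maintainer to judge.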
@@ -10,10 +10,15 @@ include profile ubuntu-advantage @{exec_path} { include include + include include + include include include - include + + capability dac_read_search, + capability setgid, + capability setuid, network inet stream, network inet6 stream, @@ -21,30 +26,69 @@ profile ubuntu-advantage @{exec_path} { network inet6 dgram, network netlink raw, + signal (send) set=int peer=apt-methods-http, + @{exec_path} mr, - /{usr/,}bin/ischroot rix, + /{usr/,}bin/ischroot rix, + /{usr/,}bin/apt rPx, /{usr/,}bin/apt-cache rPx, + /{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-get rPx, /{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/ps rPx, /{usr/,}bin/snap rPx, - /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/systemctl rCx -> systemctl, + /{usr/,}bin/systemd-detect-virt rPx, + /{usr/,}bin/ubuntu-distro-info rPx, /{usr/,}lib/apt/apt-helper rix, /{usr/,}lib/apt/methods/http{,s} rPx, /{usr/,}lib/ubuntu-advantage/apt-esm-hook rPx, - /{usr/,}bin/systemd-detect-virt rPx, + /etc/apt/auth.conf.d/{,**} rw, + /etc/apt/trusted.gpg.d/{,**} rw, + /etc/apt/sources.list.d/{,**} rw, /etc/ubuntu-advantage/{,**} r, - /var/lib/ubuntu-advantage/{,**} r, + /var/lib/ubuntu-advantage/{,**} rw, + + /etc/machine-id r, owner /tmp/tmp[0-9a-z]*/apt.conf r, - + owner /tmp/[0-9a-z]*{,/} rw, + owner /tmp/[0-9a-z]*/apt-helper-output rw, + @{run}/ubuntu-advantage/{,**} rw, @{PROC}/version_signature r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pid}/fd/ r, + profile systemctl { + include + + capability sys_resource, + + ptrace (read), + + /{usr/,}bin/systemctl mr, + + /{usr/,}bin/systemd-tty-ask-password-agent rix, + + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/* rw, + + @{PROC}/1/environ r, + @{PROC}/1/sched r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + /dev/kmsg w, + + } + include if exists } \ No newline at end of file 
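Review bot: The three added capability rules `capability dac_read_search,`, `capability setgid,` and `capability setuid,` carry no comment saying which operation needs them, and they widen the profile more than any file rule in this hunk: setuid/setgid let the confined process change identity, and dac_read_search removes DAC read checks so the profile's own file rules become the only read boundary. If the need comes from a single helper (the hunk does not show which one), moving that helper into a child profile, as the following hunk does for systemctl, keeps the capabilities off the main profile. At minimum add a trailing comment per rule, e.g. `capability dac_read_search, # <needed by: TODO confirm>`, so the grant can be re-evaluated later.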
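Review bot: `ptrace (read),` in the new `systemctl` child profile has no `peer=` qualifier, so it permits reading the state of every process on the host, while the only rules in the child that plausibly need it are `@{PROC}/1/environ r,` and `@{PROC}/1/sched r,`; if PID 1 runs unconfined, `ptrace (read) peer=unconfined,` would cover them and nothing else — confirm against the audit log before narrowing. The widened `/etc/apt/trusted.gpg.d/{,**} rw,`, `/etc/apt/sources.list.d/{,**} rw,` and `/etc/apt/auth.conf.d/{,**} rw,` hand the profile the whole apt trust store and repository configuration; if the tool only manages its own files there (their names are not shown in the hunk), narrowing the globs to those names is the single most valuable tightening in this change. The new `owner /tmp/[0-9a-z]*{,/} rw,` and `owner /tmp/[0-9a-z]*/apt-helper-output rw,` also use a looser prefix than the existing `owner /tmp/tmp[0-9a-z]*/apt.conf r,` directly above; if the same temporary-directory naming is in use they should read `/tmp/tmp[0-9a-z]*` as well. Likewise `@{PROC}/@{pids}/mountinfo r,` and `@{PROC}/@{pids}/mounts r,` are not owner-scoped, so `owner @{PROC}/@{pid}/mountinfo r,` is worth trying first.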
diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index f824f725..73088ebe 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -19,7 +19,7 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) member=RequestName peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Service/*} + dbus receive bus=system path=/com/canonical/UbuntuAdvantage/{Manager,Services/*} interface=org.freedesktop.DBus.Introspectable member=Introspect, diff --git a/apparmor.d/groups/ubuntu/ubuntu-distro-info b/apparmor.d/groups/ubuntu/ubuntu-distro-info new file mode 100644 index 00000000..7f390480 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-distro-info @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/ubuntu-distro-info +profile ubuntu-distro-info @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/distro-info/*.csv r, + + include if exists +} \ No newline at end of file
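Review bot: The `Service/*` → `Services/*` object-path fix is applied only to the `org.freedesktop.DBus.Introspectable` / `Introspect` receive rule visible here; if the same object path appears in other `dbus receive` or `dbus send` rules of this profile outside the hunk (for example `org.freedesktop.DBus.Properties` access), those still carry the old path and stay denied, so the whole file is worth grepping for `UbuntuAdvantage/`. Consider a short comment above the rule recording the object-path layout, e.g. `# objects are exported under /com/canonical/UbuntuAdvantage/{Manager,Services/*}`, since the mismatch was easy to miss. The enclosing set of dbus rules starts and ends outside this hunk.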