diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index ec356306..143a6ea7 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -20,8 +20,7 @@ @{sys}/devices/@{pci}/host@{int}/** r, @{sys}/devices/@{pci}/usb@{int}/** r, @{sys}/devices/@{pci}/virtio@{int}/** r, - @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/ r, - @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/** r, + @{sys}/devices/**/host@{int}/** r, # SSD Nvme devices /dev/nvme[0-9]* rk, diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 8bf33882..9d708ae5 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -20,8 +20,7 @@ @{sys}/devices/@{pci}/host@{int}/** r, @{sys}/devices/@{pci}/usb@{int}/** r, @{sys}/devices/@{pci}/virtio@{int}/** r, - @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/ r, - @{sys}/devices/**/host@{int}/**/block/{s,v}d[a-z]/** r, + @{sys}/devices/**/host@{int}/** r, # SSD Nvme devices /dev/nvme[0-9]* rwk, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 7c57f946..4ce618ef 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -12,6 +12,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index c74ad295..128a4708 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -26,6 +26,8 @@ profile fc-cache @{exec_path} { /var/tmp/mkinitramfs_*/{**,} rwl, + owner @{user_cache_dirs}/ w, + # Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index 61c6cf8d..d7f8cb35 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -22,10 +22,11 @@ profile gpgconf @{exec_path} { @{bin}/gpg-connect-agent rPx, @{bin}/gpg{,2} rPx, @{bin}/gpgsm rPx, - @{bin}/pinentry-* rPx, + @{bin}/pinentry{,-*} rPx, @{bin}/scdaemon rPx, + @{lib}/{,gnupg/}keyboxd rPUx, @{lib}/{,gnupg/}scdaemon rPx, - @{lib}/keyboxd rPUx, + @{lib}/{,gnupg/}tpm2daemon rPUx, /etc/gcrypt/hwf.deny r, /etc/gnupg/gpgconf.conf r, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index e6728a60..fe83e168 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -17,9 +17,11 @@ profile archlinux-java @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, @{bin}/dirname rix, + @{bin}/find rix, @{bin}/id rix, @{bin}/ln rix, @{bin}/readlink rix, + @{bin}/sort rix, @{bin}/unlink rix, @{lib}/jvm/default w, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index af43fb04..05a21d41 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -21,6 +21,8 @@ profile ssh-keygen @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ w, owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + /tmp/snapd@{int}/*_*{,.pub} w, + /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd/systemd-generator-cloud-init index 2737a94f..698a4fcb 100644 --- a/apparmor.d/groups/systemd/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init @@ -15,6 +15,7 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/ln rix, @{bin}/mkdir rix, @{bin}/systemd-detect-virt rPx, @{lib}/cloud-init/ds-identify rPUx, @@ -22,6 +23,9 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ w, @{run}/cloud-init/cloud-init-generator.* rw, @{run}/cloud-init/disabled w, + @{run}/cloud-init/enabled w, + @{run}/systemd/generator.early/multi-user.target.wants/ w, + @{run}/systemd/generator.early/multi-user.target.wants/cloud-init.target w, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab index 55736d14..193ff22a 100644 --- a/apparmor.d/groups/systemd/systemd-generator-fstab +++ b/apparmor.d/groups/systemd/systemd-generator-fstab @@ -19,7 +19,7 @@ profile systemd-generator-fstab @{exec_path} { /etc/fstab r, - @{run}/systemd/generator/** w, + @{run}/systemd/generator/** rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 04cbbaf5..a169a59d 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -31,6 +31,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{etc_rw}/.#hostname* rw, @{etc_rw}/hostname rw, + /etc/.#machine-info@{hex16} rw, /etc/.#machine-info@{rand6} rw, /etc/machine-id r, /etc/machine-info rw, diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index aafb0d74..f62599d2 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/systemd-notify profile systemd-notify @{exec_path} { include + include capability sys_admin, capability net_admin, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 0e3a99ba..177431f9 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/userdbctl profile userdbctl @{exec_path} { include + include include capability dac_read_search, capability sys_resource, + signal send set=cont peer=child-pager, + @{exec_path} mr, @{pager_path} rPx -> child-pager, @@ -21,7 +24,9 @@ profile userdbctl @{exec_path} { /etc/shadow r, /etc/gshadow r, - @{PROC}/1/cgroup r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/uid_map r, include if exists } diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 60569edd..2dcf5074 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -20,6 +20,7 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/{,**} r, /var/lib/ubuntu-advantage/apt-esm/{,**} rw, + /var/log/ubuntu-advantage-apt-hook.log w, @{run}/cloud-init/cloud-id-nocloud r, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index bb4fe073..b2c18104 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -44,6 +44,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/mounts r, + deny network netlink raw, # file_inherit + include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 96d78b80..7368d7c3 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -72,9 +72,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/{,**} rwl, - /tmp/#@{int} rw, - owner /dev/shm/flatpak*/{,**} rw, + owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, + owner /dev/shm/flatpak*/{,**} rw, @{run}/.userns r, @{run}/user/@{uid}/.dbus-proxy/ w, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e765a5dc..e27e226c 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -10,6 +10,10 @@ include profile landscape-sysinfo.wrapper @{exec_path} { include + capability dac_override, + capability fowner, + capability fsetid, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 1f32df8c..37a1c90a 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,6 +22,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace (read), + mqueue r type=posix /, + @{exec_path} mrix, @{sh_path} rix, @@ -76,8 +78,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include include + capability sys_resource, capability net_admin, + signal send set=term peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + include if exists } diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index bd2265e3..4b75a036 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -18,6 +18,8 @@ profile pstree @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /usr/share/terminfo/** r, + @{PROC} r, @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index e6ded095..d51c65d4 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -121,9 +121,11 @@ profile snapd @{exec_path} { /var/cache/apparmor/*/snap* rw, /tmp/ r, + /tmp/read-file@{int}/{,**} rw, + /tmp/snapd@{int}/ rw, + /tmp/snapd@{int}/** rw, /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /tmp/read-file@{int}/{,**} rw, /boot/ r, /boot/grub/grubenv r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 49df90aa..ca9f66d2 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -29,6 +29,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { signal (send) set=(winch) peer=child-pager, signal (send) set=(winch) peer=journalctl, signal (send) set=(winch) peer=pacman, + signal (send) set=(winch, hup, term) peer=rpm, + + unix bind type=stream addr=@@{hex16}/bus/sudo/system/, @{bin}/@{shells} rUx, @{lib}/** PUx, diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index 69f28da3..56b89fa2 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -7,11 +7,18 @@ abi , include @{exec_path} = @{bin}/uuidd -profile uuidd @{exec_path} { +profile uuidd @{exec_path} flags=(attach_disconnected) { include + include + + network inet dgram, @{exec_path} mr, + owner /var/lib/libuuid/clock.txt rwk, + + @{att}/@{run}/uuidd/request w, + include if exists } diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/profiles-s-z/uuidgen index 56e8abef..c056daaa 100644 --- a/apparmor.d/profiles-s-z/uuidgen +++ b/apparmor.d/profiles-s-z/uuidgen @@ -11,8 +11,14 @@ profile uuidgen @{exec_path} { include include + network inet dgram, + @{exec_path} mr, + owner /var/lib/libuuid/clock.txt w, + + @{run}/uuidd/request w, + include if exists } diff --git a/tests/bats/aa-enforce.bats b/tests/bats/aa-enforce.bats index 913eedce..05f311ca 100644 --- a/tests/bats/aa-enforce.bats +++ b/tests/bats/aa-enforce.bats @@ -7,6 +7,7 @@ load common setup_file() { aa_setup + skip } # bats test_tags=aa-enforce diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats index ef6a292d..a54dda82 100644 --- a/tests/bats/snap.bats +++ b/tests/bats/snap.bats @@ -7,6 +7,7 @@ load common setup_file() { aa_setup + skip } # bats test_tags=snap