diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 02cfe59a..b7ee1e98 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -88,6 +88,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/snap rPUx,
   /{usr/,}lib/cnf-update-db rPx,
   /{usr/,}lib/needrestart/apt-pinvoke rPx,
+  @{libexec}/zsys-system-autosnapshot rPx,
   # For building the source after the download process is finished (apt-get source --compile)
   /{usr/,}bin/dpkg-buildpackage rPUx,
diff --git a/apparmor.d/groups/apt/apt-listbugs-aptcleanup b/apparmor.d/groups/apt/apt-listbugs-aptcleanup
index b0f784cc..a192732b 100644
--- a/apparmor.d/groups/apt/apt-listbugs-aptcleanup
+++ b/apparmor.d/groups/apt/apt-listbugs-aptcleanup
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
+@{exec_path} = @{libexec}/apt-listbugs/aptcleanup
 profile apt-listbugs-aptcleanup @{exec_path} {
   include
   include
diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins
index fef665e7..cc5beefe 100644
--- a/apparmor.d/groups/apt/apt-listbugs-migratepins
+++ b/apparmor.d/groups/apt/apt-listbugs-migratepins
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /usr/libexec/apt-listbugs/migratepins
+@{exec_path} = @{libexec}/apt-listbugs/migratepins
 profile apt-listbugs-migratepins @{exec_path} {
   include
   include
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index b3ac117d..2a5a060b 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   dbus receive bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.NetworkManager
-       member=StateChanged,
+       member={CheckPermissions,StateChanged},
   @{exec_path} mr,
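Review bot: The new `@{libexec}/zsys-system-autosnapshot rPx,` rule transitions to a named profile, but the profile this commit adds for that script attaches at `@{exec_path} = /{usr/,}{s,}bin/zsys-system-autosnapshot`, so unless @{libexec} expands to a bin or sbin directory there is no profile for the exec'd path and a `Px` transition without a matching profile is refused in enforce mode (the apt profile carries no complain flag). The same rule is added in the second unattended-upgrade hunk, which has the same problem. Either the two exec rules or the new profile's attachment should name the directory where the script is actually installed; if @{libexec} resolves to /usr/libexec, as the two apt-listbugs hunks suggest, the new profile's line would become `@{exec_path} = @{libexec}/zsys-system-autosnapshot`. The apt profile body continues outside the hunk.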
@@ -74,11 +74,14 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/apt/methods/http{,s} rPx,
   /{usr/,}lib/needrestart/apt-pinvoke rPx,
   /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
+  @{libexec}/zsys-system-autosnapshot rPx,
   /usr/share/distro-info/* r,
   /etc/apt/*.list r,
   /etc/apt/apt.conf.d/{,**} r,
+  /etc/update-manager/{,**} r,
+  /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
   /etc/machine-id r,
diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade
index 80ddfe97..65b04664 100644
--- a/apparmor.d/groups/ubuntu/do-release-upgrade
+++ b/apparmor.d/groups/ubuntu/do-release-upgrade
@@ -35,6 +35,7 @@ profile do-release-upgrade @{exec_path} {
   /etc/machine-id r,
   /etc/update-manager/{,**} r,
+  /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
   /var/lib/update-manager/* rw,
   /var/cache/apt/pkgcache.bin{,.*} rw,
diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd
index ae1a42b7..5e8adc42 100644
--- a/apparmor.d/groups/ubuntu/release-upgrade-motd
+++ b/apparmor.d/groups/ubuntu/release-upgrade-motd
@@ -15,11 +15,13 @@ profile release-upgrade-motd @{exec_path} {
   /{usr/,}bin/{,ba,da}sh rix,
   /{usr/,}bin/date rix,
   /{usr/,}bin/expr rix,
+  /{usr/,}bin/id rix,
   /{usr/,}bin/stat rix,
   /{usr/,}bin/do-release-upgrade rPx,
   /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
+  @{PROC}/filesystems r,
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs
index cfd13ccf..eaf3104d 100644
--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@@ -25,7 +25,7 @@ profile mount-zfs @{exec_path} flags=(complain) {
   mount fstype=zfs -> @{MOUNTS}/,
   mount fstype=zfs -> @{MOUNTS}/*/,
   mount fstype=zfs -> /,
-  mount fstype=zfs -> /*/,
+  mount fstype=zfs -> /**/,
   mount fstype=zfs -> /tmp/zfsmnt.*/,
   mount fstype=zfs -> /tmp/zfsmnt.*/*/,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 8c090bdb..ed41a2e3 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -37,6 +37,7 @@ profile sudo @{exec_path} {
   signal (send) peer=unconfined,
   signal (send) set=(cont,hup) peer=su,
+  signal (send) set=winch peer=apt,
   dbus send bus=system path=/org/freedesktop/login[0-9]
        interface=org.freedesktop.login[0-9].Manager
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool
index 8fb872dc..77dae7f0 100644
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@@ -22,7 +22,7 @@ profile zpool @{exec_path} {
   /etc/zfs/*.cache rwk,
   @{run}/blkid/blkid.tab rw,
-  @{run}/blkid/blkid.tab.old l,
+  @{run}/blkid/blkid.tab.old rwl,
   @{run}/blkid/blkid.tab-* rwl,
   @{sys}/bus/pci/slots/ r,
@@ -34,5 +34,5 @@ profile zpool @{exec_path} {
   /dev/pts/[0-9]* rw,
   /dev/zfs rw,
-  include if exists
+  include if exists
 }
diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
new file mode 100644
index 00000000..5533c020
--- /dev/null
+++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
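Review bot: The widened `mount fstype=zfs -> /**/,` matches a directory at any depth anywhere in the tree, so the four remaining destination rules in this hunk (`@{MOUNTS}/`, `@{MOUNTS}/*/`, `/tmp/zfsmnt.*/` and `/tmp/zfsmnt.*/*/`) are now fully subsumed and the list no longer says where zfs datasets are expected to be mounted. If mounting nested datasets under arbitrary roots is the intent, a one-line comment above the rule stating that would justify the breadth and the redundant rules could go; if only deeper nesting under the known roots is needed, keeping the narrow rules and extending them, for example `mount fstype=zfs -> @{MOUNTS}/**/,`, preserves the restriction. The profile is in complain mode per the hunk header, so a too-narrow rule here is logged rather than enforced, which makes it cheap to keep the tighter form and widen only on a logged denial.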
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/zsys-system-autosnapshot
+profile zsys-system-autosnapshot flags=(complain) @{exec_path} {
+  include
+
+  @{exec_path} rm,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/cat rix,
+  /{usr/,}bin/cp rix,
+  /{usr/,}bin/rm rix,
+  /{usr/,}bin/zsysctl rix,
+  /{usr/,}bin/zsysd rix,
+
+  /{usr/,}lib/locale/locale-archive r,
+
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
+  @{run}/zsys-bootmenu.unattended-upgrades rw,
+  @{run}/zsys-snapshot.unattended-upgrades rw,
+  @{run}/unattended-upgrades.pid r,
+
+  @{PROC}/filesystems r,
+
+  /dev/pts/[0-9]* rw,
+
+  include if exists
+}
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
new file mode 100644
index 00000000..b9e94212
--- /dev/null
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl
+profile zsysctl @{exec_path} flags=(complain) {
+  include
+  include
+
+  @{exec_path} rm,
+  /{usr/,}bin/zsysctl rix,
+  /{usr/,}bin/zsysd rix,
+
+  /etc/hostid r,
+  /etc/passwd r,
+  /etc/nsswitch.conf r,
+  /etc/zsys.conf r,
+
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
+  @{run}/systemd/notify rw,
+  @{run}/unattended-upgrades.pid r,
+  @{run}/zsys-snapshot.unattended-upgrades rw,
+  @{run}/zsysd.sock rw,
+
+  @{PROC}/@{pids}/mounts r,
+  @{PROC}/filesystems r,
+  @{PROC}/sys/kernel/spl/hostid r,
+
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  /dev/pts/[0-9]* rw,
+  /dev/zfs rw,
+
+  include if exists
+}
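Review bot: `profile zsys-system-autosnapshot flags=(complain) @{exec_path} {` places the flags before the attachment path, whereas the sibling zsysd file and every other profile header in this diff use the `profile NAME ATTACHMENT flags=(...) {` order that apparmor_parser expects, so this header is likely to be rejected at load time; the fix is `profile zsys-system-autosnapshot @{exec_path} flags=(complain) {`. Separately, `/{usr/,}bin/zsysctl rix,` and `/{usr/,}bin/zsysd rix,` make both binaries inherit this profile even though the same commit adds a dedicated profile attached to them, and inherited zsysctl runs without the `@{run}/zsysd.sock rw,` and `/dev/zfs rw,` rules that profile grants, so these would log denials on the first real call. `rPx` for both lines is the transition consistent with the rest of the commit (compare `@{libexec}/zsys-system-autosnapshot rPx,` in the apt hunk) and keeps the snapshot script's own rule set small.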
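Review bot: The profile in the new zsysd file is named `zsysctl` while the file is zsysd, and `@{exec_path}` attaches both /{usr/,}{s,}bin/zsysd and /{usr/,}{s,}bin/zsysctl, so the daemon and its CLI client share one rule set: the client receives `/dev/zfs rw,` and `@{run}/systemd/notify rw,`, which presumably only the daemon needs, and the daemon receives whatever the client needs. Splitting this into a zsysd profile (daemon side: /dev/zfs, the systemd notify socket, `@{run}/zsysd.sock`) and a zsysctl profile (client side: `@{run}/zsysd.sock rw,` and the config reads) keeps each to what it uses, and naming each profile after its file matches the convention the other profiles in this diff follow. If confining both binaries together is deliberate, a comment above `@{exec_path}` saying so, e.g. `# zsysd and zsysctl are confined by one profile on purpose`, would spare the next reader the question. Note also that `/{usr/,}bin/zsysctl rix,` and `/{usr/,}bin/zsysd rix,` duplicate the /usr/bin paths already covered by `@{exec_path} rm,`; one of the two forms can go.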