From d7be27411bb60b6b06d8e1cbedefdbfdaf8974c4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Mar 2022 19:56:11 +0000 Subject: [PATCH] Update profiles. --- apparmor.d/profiles-a-f/aa-enabled | 1 + apparmor.d/profiles-a-f/adb | 9 ++-- apparmor.d/profiles-a-f/apparmor.systemd | 13 ++--- apparmor.d/profiles-a-f/apparmor_parser | 3 +- apparmor.d/profiles-a-f/dhclient-script | 8 +-- apparmor.d/profiles-a-f/dmesg | 7 ++- apparmor.d/profiles-a-f/exim4 | 1 + apparmor.d/profiles-g-l/htop | 2 +- apparmor.d/profiles-g-l/ifup | 14 ++--- apparmor.d/profiles-m-r/mandb | 2 + apparmor.d/profiles-m-r/nvtop | 2 + apparmor.d/profiles-m-r/resize2fs | 5 ++ apparmor.d/profiles-m-r/resolvconf | 3 ++ apparmor.d/profiles-s-z/scrcpy | 3 ++ apparmor.d/profiles-s-z/usr.bin.tcpdump | 65 ------------------------ 15 files changed, 49 insertions(+), 89 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/usr.bin.tcpdump diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled index 0fc8180e..d377a30a 100644 --- a/apparmor.d/profiles-a-f/aa-enabled +++ b/apparmor.d/profiles-a-f/aa-enabled @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/aa-enabled profile aa-enabled @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb index a00b3a40..bbc41e1d 100644 --- a/apparmor.d/profiles-a-f/adb +++ b/apparmor.d/profiles-a-f/adb @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -10,15 +11,15 @@ include @{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb profile adb @{exec_path} { include - include include + include include - # For adb kill-server: - # cannot connect to daemon at tcp:5037: Permission denied network inet stream, network inet6 stream, + signal (receive) set=(kill) peer=scrcpy, + @{exec_path} mrix, /usr/share/scrcpy/scrcpy-server r, diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index 297d3f54..d20aa7b6 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -13,14 +13,15 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{exec_path} mr, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/getconf rix, - /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/ls rix, - /{usr/,}bin/xargs rix, /{usr/,}{s,}bin/aa-status rPx, /{usr/,}{s,}bin/apparmor_parser rPx, - + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{,e}grep rix, + /{usr/,}bin/getconf rix, + /{usr/,}bin/ls rix, + /{usr/,}bin/systemd-detect-virt rPx, + /{usr/,}bin/xargs rix, + /{usr/,}lib/apparmor/rc.apparmor.functions r, /etc/apparmor.d/ r, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index 46e6ae2d..000b4ce4 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}bin/apparmor_parser +@{exec_path} = /{usr/,}{s,}bin/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include @@ -18,6 +18,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { /etc/apparmor.d/{,**} r, /etc/apparmor.d/cache.d/{,**} rw, + /usr/share/apparmor-features/{,**} r, /usr/share/apparmor/{,**} r, owner /var/cache/apparmor/{,**} rw, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 4aaf87a9..44150396 100644 --- a/apparmor.d/profiles-a-f/dhclient-script 
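Review bot: The comment explaining why the `network inet stream,` / `network inet6 stream,` rules exist (the `adb kill-server` connection to tcp:5037) is dropped while the rules themselves stay, so the next reader no longer knows what they are for. Keep a one-line comment above them, e.g. `# adb talks to the local adb server on tcp:5037 (adb kill-server)`. The new `signal (receive) set=(kill) peer=scrcpy,` is correctly scoped to a single peer and matches the `signal (send)` rule added to the scrcpy profile in this same patch.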
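Review bot: `/{usr/,}bin/systemd-detect-virt rPx,` only works if a profile attached to that path exists in the set; with `Px` and no matching profile the exec is denied rather than falling back to unconfined, which this complain-mode profile would merely log. I cannot see whether such a profile is shipped, so either confirm it exists or use `rPUx` as the other helper transitions in this file do. The `rc.apparmor.functions` read added on the next line looks correct for the script.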
+++ b/apparmor.d/profiles-a-f/dhclient-script @@ -57,7 +57,8 @@ profile dhclient-script @{exec_path} { /{usr/,}bin/ip rix, # For loadbalance - /etc/iproute2/** r, + /etc/iproute2/rt_tables r, + /etc/iproute2/rt_tables.d/{,*} r, owner @{PROC}/@{pid}/loginuid r, # For updating the /etc/resolv.conf file @@ -90,8 +91,7 @@ profile dhclient-script @{exec_path} { @{run}/chrony-dhcp/ rw, # file_inherit - /var/lib/dhcp/*.leases r, - + /var/lib/dhcp/dhclient.leases r, profile run-parts { include @@ -101,7 +101,7 @@ profile dhclient-script @{exec_path} { /etc/dhcp/dhclient-{enter,exit}-hooks.d/ r, # file_inherit - /var/lib/dhcp/*.leases r, + owner /var/lib/dhcp/dhclient.leases r, } diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 290eb948..cd7fee04 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -23,5 +23,8 @@ profile dmesg @{exec_path} { /dev/kmsg r, /usr/share/terminfo/{,**} r, + deny /{usr/,}local/bin/ r, + deny /{usr/,}bin/{,*/} r, + include if exists } diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 551a0fc2..c1fa80ed 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -67,6 +67,7 @@ profile exim4 @{exec_path} { @{run}/exim4/ r, owner @{run}/exim4/exim.pid rw, + @{run}/resolvconf/resolv.conf r, owner @{run}/dbus/system_bus_socket rw, # file_inherit diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 6f488b4d..eb8f03e0 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -18,7 +18,6 @@ profile htop @{exec_path} { capability sys_nice, capability sys_ptrace, - signal (send), ptrace (read), 
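Review bot: Narrowing `/var/lib/dhcp/*.leases r,` to `/var/lib/dhcp/dhclient.leases r,` will stop matching if dhclient is started with a per-interface lease file via `-lf` (ifupdown integrations commonly use `/var/lib/dhcp/dhclient.<iface>.leases` — verify against how dhclient is invoked on the target). If that is the case, `/var/lib/dhcp/dhclient{,.*}.leases r,` keeps the tightening while still covering the inherited descriptor. The enclosing profile body continues outside the hunk.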
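Review bot: The run-parts subprofile gets `owner /var/lib/dhcp/dhclient.leases r,` while the parent profile's equivalent file_inherit rule a few lines above is written without `owner`; the two describe the same inherited descriptor and should use the same qualifier. Since dhclient and the hook scripts both run as root, `owner` should hold either way, so the parent rule is the one to change: `owner /var/lib/dhcp/dhclient.leases r,`.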
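Review bot: The two new `deny /{usr/,}local/bin/ r,` and `deny /{usr/,}bin/{,*/} r,` rules in dmesg carry no explanation, and explicit denies in an otherwise allow-list profile are exactly the lines a maintainer will later wonder about. Add a why-comment above them, e.g. `# Silence directory reads of PATH entries (dmesg does not need to list them)` — I am inferring the motive from the paths, so confirm the actual audit entries that prompted it. Note that an explicit `deny` also suppresses the audit log for these accesses, which is presumably the intent.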
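Review bot: Removing `signal (send),` from htop looks like it will break htop's kill/renice actions (F9 sends a signal to the selected process) unless another signal rule remains elsewhere in the profile, which I cannot see from this hunk. If the goal is to tighten rather than drop it, a scoped rule is preferable to deletion, e.g. `signal (send) peer=unconfined,` is still too broad, but `signal (send),` restricted by `set=(term kill int hup)` documents the intent. Please confirm the profile was tested with a kill from inside htop.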
@@ -31,6 +30,7 @@ profile htop @{exec_path} { /etc/sensors.d/ r, /etc/sensors3.conf r, + owner @{user_config_dirs}/ r, owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/htoprc rw, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 33358331..a1a94ce6 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,9 +11,7 @@ include profile ifup @{exec_path} { include - # To be able to manage network interfaces. capability net_admin, - # Needed? audit deny capability sys_module, @@ -20,13 +19,15 @@ profile ifup @{exec_path} { @{exec_path} mr, + /{usr/,}{s,}bin/route rix, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/ip rix, - /{usr/,}bin/sleep rix, /{usr/,}bin/seq rix, + /{usr/,}bin/sleep rix, + /{usr/,}bin/wc rix, /{usr/,}{s,}bin/dhclient rPx, - /{usr/,}bin/macchanger rPx, + /{usr/,}bin/macchanger rPx, /{usr/,}lib/ifupdown/*.sh rix, @@ -80,9 +81,10 @@ profile ifup @{exec_path} { /etc/network/if-pre-up.d/random-secret rPUx, /etc/network/if-up.d/ r, + /etc/network/if-up.d/*resolvconf rPUx, + /etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ifenslave rPUx, - /etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/wpasupplicant rPUx, @@ -107,7 +109,7 @@ profile ifup @{exec_path} { include # capability mac_admin, -# capability sys_admin, + capability sys_admin, # capability sys_resource, /{usr/,}sbin/sysctl mr, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index c60added..24d0a66d 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -13,6 +13,8 @@ profile mandb @{exec_path} flags=(complain) { include include + capability dac_read_search, + @{exec_path} mr, /etc/man_db.conf r, 
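Review bot: Uncommenting `capability sys_admin,` in the ifup sysctl child profile grants one of the broadest capabilities there is, with no comment saying which sysctl write required it. Before landing it, check the audit entry that prompted the change: writes under `/proc/sys/net/` generally need only `net_admin`, which the parent profile already has, so `sys_admin` may be avoidable. If it really is needed, add a why-comment naming the key, e.g. `# Needed to write kernel.* sysctls from /etc/sysctl.d — see audit log` (adjust to the actual key).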
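Review bot: `capability dac_read_search,` is added to mandb without a comment, and since this profile is still in complain mode the capability will be granted silently once it is enforced. Add a why-comment so the grant is reviewable, e.g. `# mandb runs as the man user and must traverse root-owned man directories` — that is my guess at the reason, so replace it with the actual denial that motivated it.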
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index dafe4c86..9640ce9a 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -13,6 +13,8 @@ profile nvtop @{exec_path} { include include + capability sys_ptrace, + ptrace (read), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 6d0e0592..376a23a4 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -12,8 +12,13 @@ profile resize2fs @{exec_path} { include include + capability sys_resource, + @{exec_path} mr, + / r, + /.ismount-test-file rw, + @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 75211986..d5b5fdb8 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -27,10 +27,13 @@ profile resolvconf @{exec_path} { /usr/lib/resolvconf/{,**} r, /etc/resolv.conf rw, + /etc/resolvconf/{,**} r, /etc/resolvconf/update.d/libc rix, owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/run-lock wk, + /dev/tty rw, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 36306651..c8ebcc87 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -12,10 +12,13 @@ profile scrcpy @{exec_path} { include include include + include network inet stream, network inet6 stream, + signal (send) set=(kill) peer=adb, + @{exec_path} mr, /{usr/,}bin/adb rPx, diff --git a/apparmor.d/profiles-s-z/usr.bin.tcpdump b/apparmor.d/profiles-s-z/usr.bin.tcpdump deleted file mode 100644 index a9099bb8..00000000 --- a/apparmor.d/profiles-s-z/usr.bin.tcpdump +++ /dev/null 
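Review bot: `/.ismount-test-file rw,` in resize2fs is a deliberate write into the root directory and deserves a comment so nobody later "cleans it up": e2fsprogs creates and removes a probe file at that path to check whether the root filesystem is mounted read-write (hedge: confirm against the e2fsprogs source for the packaged version). Suggested comment above the two new path rules: `# e2fsprogs probes / for writability by creating and unlinking /.ismount-test-file`. The `capability sys_resource,` line above them would also benefit from a one-line reason.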
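Review bot: The resolvconf file still ends without a trailing newline (`\ No newline at end of file` on the closing brace), which this hunk touches and could fix in passing; add the newline after the final `}`. The new `/dev/tty rw,` is usually covered by the consoles abstraction in this profile set — if that abstraction is included, the explicit rule is redundant, and if not, a comment on why resolvconf needs to write to the controlling tty would help. The `/etc/resolvconf/{,**} r,` addition makes the existing `/etc/resolvconf/update.d/libc rix,` the only non-read rule under that tree, which is fine.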
@@ -1,65 +0,0 @@ -# vim:syntax=apparmor -#include - -profile tcpdump /usr/bin/tcpdump { - #include - #include - #include - - capability net_raw, - capability setuid, - capability setgid, - capability dac_override, - capability chown, - network raw, - network packet, - - # for -D - @{PROC}/bus/usb/ r, - @{PROC}/bus/usb/** r, - - # for finding an interface - /dev/ r, - @{PROC}/[0-9]*/net/dev r, - /sys/bus/usb/devices/ r, - /sys/class/net/ r, - /sys/devices/**/net/** r, - - # for -j - capability net_admin, - - # for tracing USB bus, which libpcap supports - /dev/usbmon* r, - /dev/bus/usb/ r, - /dev/bus/usb/** r, - - # for init_etherarray(), with -e - /etc/ethers r, - - # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices()) - /dev/bus/usb/**/[0-9]* w, - - # for -z - /{usr/,}bin/gzip ixr, - /{usr/,}bin/bzip2 ixr, - - # for -F and -w - audit deny @{HOME}/.* mrwkl, - audit deny @{HOME}/.*/ rw, - audit deny @{HOME}/.*/** mrwkl, - audit deny @{HOME}/bin/ rw, - audit deny @{HOME}/bin/** mrwkl, - owner @{HOME}/ r, - owner @{HOME}/** rw, - - # for -r, -F and -w - /**.[pP][cC][aA][pP] rw, - /**.[cC][aA][pP] rw, - - # for convenience with -r (ie, read pcap files from other sources) - /var/log/snort/*log* r, - - /usr/bin/tcpdump mr, - - include if exists -}