From e5ce66d1ca7e87ce956e90fc2c6253da07af591d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 2 Apr 2021 10:46:28 +0100 Subject: [PATCH] Add NetworkManager profiles. --- apparmor.d/groups/network/NetworkManager | 79 +++++++++++++++++++ apparmor.d/groups/network/nm-dhcp-helper | 16 ++++ apparmor.d/groups/network/nm-dispatcher | 20 +++++ apparmor.d/groups/network/nm-iface-helper | 16 ++++ apparmor.d/groups/network/nm-initrd-generator | 16 ++++ .../groups/network/nm-openvpn-auth-dialog | 16 ++++ apparmor.d/groups/network/nm-openvpn-service | 34 ++++++++ .../network/nm-openvpn-service-openvpn-helper | 16 ++++ 8 files changed, 213 insertions(+) create mode 100644 apparmor.d/groups/network/NetworkManager create mode 100644 apparmor.d/groups/network/nm-dhcp-helper create mode 100644 apparmor.d/groups/network/nm-dispatcher create mode 100644 apparmor.d/groups/network/nm-iface-helper create mode 100644 apparmor.d/groups/network/nm-initrd-generator create mode 100644 apparmor.d/groups/network/nm-openvpn-auth-dialog create mode 100644 apparmor.d/groups/network/nm-openvpn-service create mode 100644 apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
new file mode 100644
index 00000000..c11a2d43
--- /dev/null
+++ b/apparmor.d/groups/network/NetworkManager
@@ -0,0 +1,79 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/NetworkManager
+profile NetworkManager @{exec_path} flags=(attach_disconnected complain) {
+ include
+ include
+ include
+ include
+
+ network inet stream,
+ network inet6 stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet raw,
+ network inet6 raw,
+ network netlink raw,
+ network packet dgram,
+
+ capability net_admin,
+ capability net_raw,
+ capability net_bind_service,
+ capability dac_override,
+ capability audit_write,
+
+ @{exec_path} mr,
+
+ /{usr/,}lib/nm-dhcp-helper rPx,
+ /{usr/,}lib/nm-dispatcher rPx,
+ /{usr/,}lib/nm-iface-helper rPx,
+ /{usr/,}lib/nm-initrd-generator rPx,
+ /{usr/,}lib/nm-openvpn-auth-dialog rPx,
+ /{usr/,}lib/nm-openvpn-service rPx,
+ /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
+
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/{,ba,da}sh rix,
+
+ /etc/ r,
+ /etc/resolv.conf rw,
+ /etc/resolv.conf.[0-9A-Z]* rw,
+
+ /etc/NetworkManager/{,**} r,
+ /etc/NetworkManager/system-connections/{,**} w,
+
+ /etc/machine-id r,
+ /var/lib/NetworkManager/{,**} rw,
+
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/net/** rw,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/rfkill/ r,
+ @{sys}/class/net/ r,
+ @{sys}/class/net/rfkill/ r,
+
+ @{run}/NetworkManager/{,**} rw,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
+ @{run}/udev/data/n[0-9]* r,
+ @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/+platform* r,
+ @{run}/udev/data/+pci* r,
+
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/virtual/net/lo/{,*} r,
+ @{sys}/devices/virtual/net/tun0/{,**} r,
+ @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
+
+ include if exists
+}
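Review bot: `capability dac_override` sits next to `/etc/ r`, `/etc/NetworkManager/system-connections/{,**} w` and `/var/lib/NetworkManager/{,**} rw` with nothing recording why the daemon has to bypass DAC checks; a comment above the rule such as `# dac_override: needed for <WHAT> — confirm against the audit log` or dropping the capability once the complain-mode logs show no denial would keep the grant from outliving its need. Because the profile is `flags=(attach_disconnected complain)`, none of these rules is enforced yet, so the rule set should not be read as validated by this commit. `/{usr/,}bin/{,ba,da}sh rix` inherits the whole profile, `net_admin` included, into any shell the daemon spawns; if a shell is needed at all, a `Cx` child profile would be the narrower choice. The suffix glob in `/etc/resolv.conf.[0-9A-Z]* rw` requires the first character after the dot to be a digit or uppercase letter, which is worth checking against how NetworkManager names its temporary file, since a lowercase first character would be denied once the profile enforces. The `abi ,` and bare `include` lines appear to have lost their `<…>` targets in this rendering, so the included abstractions cannot be reviewed here.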
diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper
new file mode 100644
index 00000000..82d39772
--- /dev/null
+++ b/apparmor.d/groups/network/nm-dhcp-helper
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/nm-dhcp-helper
+profile nm-dhcp-helper @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
new file mode 100644
index 00000000..8945157e
--- /dev/null
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/nm-dispatcher
+profile nm-dispatcher @{exec_path} {
+ include
+
+ capability sys_nice,
+
+ @{exec_path} mr,
+
+ /etc/NetworkManager/dispatcher.d/{,**} r,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/network/nm-iface-helper b/apparmor.d/groups/network/nm-iface-helper
new file mode 100644
index 00000000..380e2763
--- /dev/null
+++ b/apparmor.d/groups/network/nm-iface-helper
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/nm-iface-helper
+profile nm-iface-helper @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/network/nm-initrd-generator b/apparmor.d/groups/network/nm-initrd-generator
new file mode 100644
index 00000000..4f60db28
--- /dev/null
+++ b/apparmor.d/groups/network/nm-initrd-generator
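Review bot: nm-dhcp-helper is enforcing (no `complain` flag, unlike the NetworkManager profile in the same patch) yet grants only `@{exec_path} mr` beyond its single include, so whatever the helper does at runtime — presumably handing lease information back to NetworkManager — is either covered by that include or will be denied. The same skeleton is used for nm-iface-helper, nm-initrd-generator, nm-openvpn-auth-dialog and nm-openvpn-service-openvpn-helper. Either these profiles should carry `flags=(complain)` until their audit logs have been reviewed, or a comment should state that the include is known to be sufficient; the include targets are stripped in this rendering, so that cannot be confirmed here.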
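Review bot: `/etc/NetworkManager/dispatcher.d/{,**} r,` grants read access only, but the dispatcher's purpose is to execute those scripts, and this profile has no `complain` flag, so in enforce mode each script exec should be denied unless the stripped include supplies it. The rule needs an exec mode — for example `/etc/NetworkManager/dispatcher.d/{,**} rCx -> dispatcher_script,` with a child profile covering what the scripts need, or a documented interim such as `rPUx` if the scripts are treated as trusted root-owned configuration — and since dispatcher scripts are typically shell, the interpreter (`/{usr/,}bin/{,ba,da}sh`) will need a matching rule in whichever profile ends up running them. A comment stating why the chosen transition mode was picked would help the next reviewer judge the trust placed in that directory.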
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/nm-initrd-generator
+profile nm-initrd-generator @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/network/nm-openvpn-auth-dialog b/apparmor.d/groups/network/nm-openvpn-auth-dialog
new file mode 100644
index 00000000..7ae74f03
--- /dev/null
+++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/nm-openvpn-auth-dialog
+profile nm-openvpn-auth-dialog @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service
new file mode 100644
index 00000000..055b221f
--- /dev/null
+++ b/apparmor.d/groups/network/nm-openvpn-service
@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/nm-openvpn-service
+profile nm-openvpn-service @{exec_path} {
+ include
+ include
+
+ signal peer=openvpn,
+
+ @{exec_path} mr,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}{s,}bin/openvpn rPx,
+ /{usr/,}lib/nm-openvpn-auth-dialog rPx,
+ /{usr/,}lib/nm-openvpn-service-openvpn-helper rPx,
+ /{usr/,}bin/kmod rPx,
+
+ @{run}/systemd/userdb/ r,
+ @{run}/NetworkManager/nm-openvpn-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ /dev/net/tun rw,
+ /dev/tty rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/random/boot_id r,
+
+ include if exists
+}
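Review bot: `signal peer=openvpn,` permits both sending and receiving every signal between this service and the `openvpn` profile; if the service only needs to stop its child, `signal send set=(term kill) peer=openvpn,` is the least-privilege form, with a separate `receive` rule added only if openvpn is known to signal back. `owner @{PROC}/@{pid}/fd/ r` correctly carries `owner`, whereas the NetworkManager profile in this same patch reads `@{PROC}/@{pid}/stat` and `@{PROC}/@{pid}/fd/` without it — the two should be aligned. The `rPx` transitions to `/{usr/,}{s,}bin/openvpn` and `/{usr/,}bin/kmod` require loaded profiles named `openvpn` and `kmod`, which this patch does not add; if they exist elsewhere in the set a comment noting the dependency would help, and if they do not the exec is denied. `/dev/tty rw` is unusual for a daemon-spawned service; if it exists only for interactive prompting, a comment saying so would justify keeping it.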
diff --git a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
new file mode 100644
index 00000000..bf2a1304
--- /dev/null
+++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper
@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/nm-openvpn-service-openvpn-helper
+profile nm-openvpn-service-openvpn-helper @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}