From e93e80ee2094ee5e4df35e87e78d5e359e736de3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 4 Feb 2023 23:55:14 +0000
Subject: [PATCH] feat(opensuse): final opensuse integration.
---
 apparmor.d/groups/gpg/gpgconf | 5 +++-
 apparmor.d/groups/gpg/gpgsm | 3 +++
 apparmor.d/groups/systemd/localectl | 2 ++
 apparmor.d/groups/systemd/systemd-hostnamed | 14 +++++------
 apparmor.d/groups/systemd/systemd-localed | 1 +
 apparmor.d/groups/systemd/systemd-tmpfiles | 1 +
 .../systemd/systemd-xdg-autostart-generator | 2 +-
 apparmor.d/groups/virt/cockpit-session | 4 ++--
 apparmor.d/profiles-a-f/agetty | 2 ++
 apparmor.d/profiles-a-f/fwupd | 1 +
 apparmor.d/profiles-g-l/htop | 1 +
 apparmor.d/profiles-g-l/irqbalance | 5 ++++
 apparmor.d/profiles-g-l/kmod | 2 +-
 apparmor.d/profiles-g-l/logrotate | 21 ++++++++--------
 apparmor.d/profiles-m-r/packagekitd | 24 +++++++++++++++++--
 apparmor.d/profiles-m-r/pam/mappings | 6 ++---
 apparmor.d/profiles-m-r/pcscd | 11 +++++++--
 apparmor.d/profiles-s-z/spice-vdagent | 2 ++
 apparmor.d/profiles-s-z/sysctl | 3 ++-
 apparmor.d/profiles-s-z/wpa-supplicant | 2 ++
 20 files changed, 80 insertions(+), 32 deletions(-)
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index 74b03e29..1ceba233 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -17,7 +18,7 @@ profile gpgconf @{exec_path} {
 @{exec_path} mrix,
 /{usr/,}bin/gpg-connect-agent rPx,
- /{usr/,}bin/gpg rPUx,
+ /{usr/,}bin/gpg{,2} rPUx,
 /{usr/,}bin/gpg-agent rPx,
 /{usr/,}bin/dirmngr rPx,
 /{usr/,}bin/gpgsm rPx,
@@ -25,6 +26,8 @@ profile gpgconf @{exec_path} {
 /{usr/,}bin/pinentry-* rPx,
+ /etc/gcrypt/hwf.deny r,
+
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
 owner @{run}/user/@{uid}/gnupg/ w,
 owner @{run}/user/@{uid}/gnupg/** rwkl -> @{run}/user/@{uid}/gnupg/**,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 9f231c4f..416ab990 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -15,6 +16,8 @@ profile gpgsm @{exec_path} {
 @{exec_path} mr,
+ /etc/gcrypt/hwf.deny r,
+
 deny /usr/bin/.gnupg/ w,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl
index 2b3821df..75809d3c 100644
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@@ -11,6 +11,8 @@ profile localectl @{exec_path} {
 include
 include
+ capability net_admin,
+
 @{exec_path} mr,
 /{usr/,}bin/less rPx -> child-pager,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 8e2625c4..57227730 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -35,6 +35,12 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /etc/.#hostname* rw,
+ /etc/.#machine-info?????? rw,
+ /etc/hostname rw,
+ /etc/machine-info rw,
+
+ @{run}/systemd/default-hostname rw,
 @{run}/systemd/notify rw,
 @{run}/udev/data/+dmi:id r,
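Review bot: `capability net_admin,` is a wide grant for a D-Bus client such as localectl, and nothing in the hunk says which operation needs it. If, as is common with systemd clients, the trigger is sd-bus trying SO_RCVBUFFORCE/SO_SNDBUFFORCE on its socket (it falls back to the unprivileged setsockopt when refused), the denial is harmless and `deny capability net_admin,` would silence the log without extending the profile; if something else genuinely needs it, a one-line comment naming that operation would let the next reader verify it. The enclosing profile block starts and ends outside the hunk.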
@@ -46,15 +52,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/product_version r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/dmi/id/uevent r,
- @{sys}/firmware/dmi/entries/*/raw r,
- /etc/.#hostname* rw,
- /etc/.#machine-info?????? rw,
- /etc/hostname rw,
- /etc/machine-info rw,
-
- @{run}/udev/data/+dmi:id r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index c2a6be9e..a7f8c16b 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -31,6 +31,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ /usr/share/kbd/keymaps/{,**} r,
 /usr/share/systemd/language-fallback-map r,
 /usr/share/X11/xkb/rules/evdev r,
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index ac0d631f..61b3ae3e 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -19,6 +19,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
 capability fsetid,
 capability mknod,
 capability net_admin,
+ capability syslog,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-xdg-autostart-generator b/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
index 1bb46713..add15a2b 100644
--- a/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
+++ b/apparmor.d/groups/systemd/systemd-xdg-autostart-generator
@@ -16,7 +16,7 @@ profile systemd-xdg-autostart-generator @{exec_path} {
 @{exec_path} mr,
- /etc/xdg/autostart/{,*.desktop} r,
+ @{etc_ro}/xdg/autostart/{,*.desktop} r,
 owner @{user_config_dirs}/autostart/{,*.desktop} r,
 owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index 5601ea91..72db62cd 100644
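Review bot: `@{sys}/firmware/dmi/entries/*/raw r,` is removed here with no replacement, while every other removed line in this hunk is only relocated (the `/etc/hostname`, `/etc/machine-info` and `.#` temporary rules reappear in the hunk above, and `@{run}/udev/data/+dmi:id r,` was a duplicate of the rule that is still context there). The commit message does not say whether hostnamed stopped reading the raw DMI tables or whether the line was lost in the reorder; if the drop is intended, a short remark in the message would settle it, and if hostnamed still reads the firmware tables on some hardware the rule should be kept. The enclosing profile block starts outside the hunk; its closing `}` is the last context line.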
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -25,10 +25,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,z,ba,da}sh rix,
 /{usr/,}bin/cockpit-bridge rPx,
- /etc/environment r,
+ @{etc_ro}/environment r,
 /etc/group r,
 /etc/motd r,
- /etc/security/limits.d/{,*.conf} r,
+ @{etc_ro}/security/limits.d/{,*.conf} r,
 /etc/shells r,
 @{run}/faillock/[a-zA-z0-9]* rwk,
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index 8f615b7d..8b18ba5d 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -17,6 +17,8 @@ profile agetty @{exec_path} {
 capability sys_tty_config,
 capability chown,
+ network netlink raw,
+
 @{exec_path} mr,
 /{usr/,}bin/login rPx,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index edfd4977..0e12b51f 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -87,6 +87,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /boot/EFI/*/.goutputstream-* rw,
 /boot/EFI/*/fw/fwupd-*.cap{,.*} rw,
 /boot/EFI/*/fwupdx[0-9]*.efi rw,
+ @{libexec}/fwupd/efi/fwupdx[0-9]*.efi r,
 /etc/machine-id r,
 /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index 24df2cc8..5e92177d 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -79,6 +79,7 @@ profile htop @{exec_path} {
 @{PROC}/@{pids}/task/@{tid}/status r,
 @{PROC}/@{pids}/task/@{tid}/wchan r,
+ @{sys}/bus/i2c/devices/ r,
 @{sys}/class/hwmon/ r,
 @{sys}/class/i2c-adapter/ r,
 @{sys}/class/power_supply/ r,
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index 2e60584e..a64f35fd 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
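Review bot: `network netlink raw,` is added to agetty without a word on what it serves, and it is the only network rule in the profile as far as the hunk shows. Presumably it is the interface-address lookup (getifaddrs) agetty performs for the `\4` and `\6` escapes in /etc/issue; if that is the trigger, `network netlink raw, # getifaddrs() for \4/\6 in /etc/issue` would record it, and if the denial came from something else the comment should name that instead. The enclosing profile block starts and ends outside the hunk.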
@@ -10,6 +10,10 @@ include
 profile irqbalance @{exec_path} {
 include
+ capability setpcap,
+
+ network netlink raw,
+
 @{exec_path} mr,
 @{run}/irqbalance/irqbalance[0-9]*.sock w,
@@ -25,6 +29,7 @@ profile irqbalance @{exec_path} {
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/ r,
 @{sys}/devices/system/node/node[0-9]*/{cpumap,meminfo} r,
+ @{sys}/devices/system/cpu/nohz_full r,
 @{PROC}/interrupts r,
 @{PROC}/irq/[0-9]*/node r,
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 1cc19239..d8d7d3d6 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -26,7 +26,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/false rix,
- /{usr/,}bin/sysctl rPx,
+ /{usr/,}{s,}bin/sysctl rPx,
 /{usr/,}bin/true rix,
 /{usr/,}lib/modprobe.d/{,*.conf} r,
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index db9073cd..34beb360 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -29,21 +29,22 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 /{usr/,}{s,}bin/ r,
+ /{usr/,}{s,}bin/invoke-rc.d rix,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/cat rix,
 /{usr/,}bin/grep rix,
- /{usr/,}bin/shred rix,
+ /{usr/,}bin/gzip rix,
 /{usr/,}bin/kill rix,
 /{usr/,}bin/ls rix,
- /{usr/,}bin/gzip rix,
+ /{usr/,}bin/shred rix,
+ /{usr/,}bin/xz rix,
 /{usr/,}bin/zstd rix,
- /{usr/,}{s,}bin/invoke-rc.d rix,
 /{usr/,}lib/rsyslog/rsyslog-rotate rix,
 /{usr/,}bin/fail2ban-client rPx,
- /{usr/,}bin/systemd-tty-ask-password-agent rPx,
 /{usr/,}bin/my_print_defaults rPUx,
 /{usr/,}bin/mysqladmin rPUx,
+ /{usr/,}bin/systemd-tty-ask-password-agent rPx,
 /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
 # no new privs
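Review bot: `capability setpcap,` is added to irqbalance with no comment, and setpcap deserves one because it allows the process to alter its own capability sets rather than just use them. Presumably it is needed because irqbalance drops capabilities at startup (via libcap-ng) — confirm — in which case `capability setpcap, # drop privileges at startup` would document it; the accompanying `network netlink raw,` would benefit from the same treatment. The enclosing profile block runs past the end of the hunk.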
@@ -59,22 +60,20 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
- owner @{run}/systemd/private rw,
-
 /etc/ r,
 /etc/logrotate.conf rk,
 /etc/logrotate.d/ r,
 /etc/logrotate.d/* rk,
- /var/lib/logrotate/status rwk,
- /var/lib/logrotate/status.tmp rw,
- /var/lib/logrotate.status rwk,
- /var/lib/logrotate.status.tmp rw,
-
 / r,
 /var/log{,.hdd}/ r,
 /var/log{,.hdd}/** rw,
+ /var/lib/{,misc/}logrotate/status rwk,
+ /var/lib/{,misc/}logrotate/status.tmp rw,
+ /var/lib/{,misc/}logrotate.status rwk,
+ /var/lib/{,misc/}logrotate.status.tmp rw,
+ @{run}/systemd/private rw,
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index cb8412ab..0599faf6 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -88,17 +88,22 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/echo rix,
 /{usr/,}bin/gdbus rix,
+ /{usr/,}bin/gzip rix,
 /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/repo2solv rix,
+ /{usr/,}bin/tar rix,
 /{usr/,}bin/test rix,
 /{usr/,}bin/touch rix,
 /{usr/,}bin/appstreamcli rPx,
 /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}bin/glib-compile-schemas rPx,
+ /{usr/,}bin/systemd-inhibit rPx,
 /{usr/,}bin/update-desktop-database rPx,
 /{usr/,}lib/apt/methods/* rPx,
 /{usr/,}lib/cnf-update-db rPx,
 /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
+ /{usr/,}lib/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
 /usr/share/libalpm/scripts/* rPx,
 # Install/update packages
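Review bot: The `owner` qualifier is silently dropped while the rule is moved: the removed line is `owner @{run}/systemd/private rw,`, the re-added one is `@{run}/systemd/private rw,`. logrotate runs as root, so this only matters if the private socket were ever owned by another uid, but it is still a loosening the commit message does not mention; either keep `owner @{run}/systemd/private rw,` or, if openSUSE needs it unqualified, tag the line `# only: opensuse` the way the packagekitd hunk tags its distro-specific rules. The enclosing profile block starts and ends outside the hunk.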
@@ -113,11 +118,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 owner /tmp/packagekit* rw,
+ @{run}/zypp.pid rwk, # only: opensuse
 @{run}/systemd/inhibit/*.ref rw,
 owner @{run}/systemd/users/@{uid} r,
+ @{sys}/**/ r,
+ @{sys}/devices/**/modalias r,
+
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/sys/kernel/random/uuid r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
@@ -131,11 +141,21 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/gpgconf mr,
 /{usr/,}bin/gpgsm mr,
+ /{usr/,}bin/gpg-agent rix,
+ /{usr/,}bin/scdaemon rix,
+
+ /etc/gcrypt/hwf.deny r,
 @{HOME}/@{XDG_GPG_DIR}/*.conf r,
- owner /etc/pacman.d/gnupg/ r,
- owner /etc/pacman.d/gnupg/** rwkl -> /tmp/ostree-gpg-*/**,
+ owner /etc/pacman.d/gnupg/ r, # only: arch
+ owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,
+
+ owner /var/tmp/zypp.*/zypp-trusted-*/ r, # only: opensuse
+ owner /var/tmp/zypp.*/zypp-trusted-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 }
diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings
index abde85d6..2ee5617d 100644
--- a/apparmor.d/profiles-m-r/pam/mappings
+++ b/apparmor.d/profiles-m-r/pam/mappings
@@ -19,7 +19,7 @@
 capability setgid,
 capability setuid,
 /etc/default/su r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 @{HOMEDIRS}/.xauth* w,
 /{usr/,}bin/{,b,d,rb}ash Px -> default_user,
 /{usr/,}bin/{c,k,tc,z}sh Px -> default_user,
@@ -41,7 +41,7 @@
 /{usr/,}bin/{c,k,tc,z}sh Px -> confined_user,
 /etc/default/su r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 @{HOMEDIRS}/.xauth* w,
 }
@@ -63,7 +63,7 @@
 /{usr/,}bin/{c,k,tc,z}sh Ux,
 /etc/default/su r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 @{HOMEDIRS}/.xauth* w,
 }
diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd
index ab995822..c552664b 100644
--- a/apparmor.d/profiles-m-r/pcscd
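Review bot: `@{sys}/**/ r,` grants directory listing across the entire sysfs tree, noticeably wider than the `@{sys}/devices/**/modalias r,` that immediately follows it suggests is needed. If the directory walk only serves the modalias lookup, `@{sys}/devices/**/ r,` would bound it to the same subtree; if libzypp or PackageKit genuinely enumerates other parts of sysfs, a comment naming what is walked would justify the breadth (and `# only: opensuse` if it is zypp-specific, matching the tag on `@{run}/zypp.pid`). The enclosing profile block starts and ends outside the hunk.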
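Review bot: `owner @{PROC}/@{pid}/fd/ r,` added near the end of this hunk duplicates the identical rule that is already context in the previous hunk (the `owner @{PROC}/@{pid}/fd/ r,` right after `@{PROC}/sys/kernel/random/uuid r,`). The parser tolerates duplicates, but the second copy is noise for whoever next edits the profile, so the new line can be dropped. The enclosing profile block starts outside the hunk; its closing `}` is the last context line.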
+++ b/apparmor.d/profiles-m-r/pcscd
@@ -6,19 +6,26 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/pcscd
+@{exec_path} = /{usr/,}{s,}bin/pcscd
 profile pcscd @{exec_path} {
 include
 include
 network netlink raw,
+ ptrace (read) peer=rngd,
+ ptrace (read) peer=pkcs11-register,
+
 @{exec_path} mr,
 /etc/libccid_Info.plist r,
- /etc/reader.conf.d/{,libccidtwin} r,
+ /etc/reader.conf.d/ r,
+ /etc/reader.conf.d/libccidtwin r,
+ /etc/reader.conf.d/reader.conf r,
 owner @{run}/pcscd/{,pcscd.pid} rw,
+ owner @{PROC}/@{pid}/stat r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 0402b79c..768a080e 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -58,5 +58,7 @@ profile spice-vdagent @{exec_path} {
 /dev/dri/card[0-9]* rw,
+ owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl
index 04bfaab9..df73736b 100644
--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/profiles-s-z/sysctl
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/sysctl
+@{exec_path} = /{usr/,}{s,}bin/sysctl
 profile sysctl @{exec_path} {
 include
@@ -16,6 +16,7 @@ profile sysctl @{exec_path} {
 @{exec_path} mr,
+ /etc/sysctl.conf r,
 /etc/sysctl.d/{,**} r,
 /usr/lib/sysctl.d/{,**} r,
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index f63cf5dd..a93b53d3 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -42,6 +42,8 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 /etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
 /etc/libnl/{classid,pktloc} r,
+ /var/log/wpa_supplicant.log rw,
+
 @{HOME}/.cat_installer/*.pem r,
 owner @{run}/wpa_supplicant/{,**} rw,
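Review bot: `owner @{PROC}/@{pids}/task/@{tid}/comm rw,` uses `@{pids}`, so even with `owner` it permits writing the thread names of every process running as the same user rather than only spice-vdagent's own threads; the equivalent rule added to packagekitd in this same patch uses `@{pid}`. Unless spice-vdagent really renames threads of other processes, `owner @{PROC}/@{pid}/task/@{tid}/comm rw,` is the intended scope and keeps the two profiles consistent. The enclosing profile block starts outside the hunk; its closing `}` is the last context line.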
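Review bot: `/var/log/wpa_supplicant.log rw,` is unqualified, whereas the daemon's own runtime files two lines below are `owner @{run}/wpa_supplicant/{,**} rw,`; since wpa_supplicant creates the log itself, `owner /var/log/wpa_supplicant.log rw,` would stop it from appending to a file that someone else placed at that path. If the path comes from the openSUSE unit's logging flag rather than upstream defaults, a `# only: opensuse` tag, as used in the packagekitd hunk, would record why the rule exists. The enclosing profile block starts and ends outside the hunk.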