From ee658c41a6e68aeadafbe963d82d7d7c4f3cc197 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 9 Nov 2023 17:29:34 +0000
Subject: [PATCH] refractor(profiles): improve child profile structure.

---
 apparmor.d/groups/children/child-dpkg        | 5 +++--
 apparmor.d/groups/children/child-dpkg-divert | 5 +++--
 apparmor.d/groups/children/child-open        | 8 +++-----
 apparmor.d/groups/children/child-pager       | 6 ++----
 apparmor.d/groups/children/child-systemctl   | 4 ++--
 5 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg
index e3a25162..97af4a25 100644
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 # Note: This profile does not specify an attachment path because it is
@@ -12,7 +13,7 @@ abi ,
 include 
-# Do not attach to @{bin}/dpkg by default
+@{exec_path} = @{bin}/dpkg
 profile child-dpkg {
   include 
   include 
@@ -21,7 +22,7 @@ profile child-dpkg {
   capability dac_read_search,
   capability setgid,
-  @{bin}/dpkg mr,
+  @{exec_path} mr,
   # Do not strip env to avoid errors like the following:
   # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert
index ebcc6ae3..deb35514 100644
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 # Note: This profile does not specify an attachment path because it is
@@ -12,11 +13,11 @@ abi ,
 include 
-# Do not attach to @{bin}/dpkg-divert by default
+@{exec_path} = @{bin}/dpkg-divert
 profile child-dpkg-divert {
   include 
-  @{bin}/dpkg-divert mr,
+  @{exec_path} mr,
   /var/lib/dpkg/arch r,
   /var/lib/dpkg/status r,
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index b0ff2d7e..f7ffc320 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -16,7 +16,8 @@ abi ,
 include 
-# App allowed to open
+@{exec_path} = @{bin}/exo-open @{bin}/xdg-open
+@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
 profile child-open {
   include 
   include 
@@ -24,10 +25,7 @@ profile child-open {
   include 
   include 
-  @{bin}/exo-open mr,
-  @{bin}/xdg-open mr,
-  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mrix,
-  @{lib}/gio-launch-desktop mrix,
+  @{exec_path} mrix,
   @{bin}/{,ba,da}sh rix,
   @{bin}/{,m,g}awk rix,
diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager
index 0489a612..1326cb8f 100644
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@@ -13,7 +13,7 @@ abi ,
 include 
-# Do not attach to @{bin}/pager by default
+@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more
 profile child-pager {
   include 
   include 
@@ -24,9 +24,7 @@ profile child-pager {
   signal (receive) set=(stop, cont, term, kill),
   @{bin}/ r,
-  @{bin}/pager mr,
-  @{bin}/less mr,
-  @{bin}/more mr,
+  @{exec_path} mr,
   @{system_share_dirs}/terminfo/{,**} r,
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index 92c32104..fd599740 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@@ -13,7 +13,7 @@ abi ,
 include 
-# Do not attach to @{bin}/systemctl by default
+@{exec_path} = @{bin}/systemctl
 profile child-systemctl flags=(attach_disconnected) {
   include 
   include 
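Review bot: Collapsing the four rules of child-open into `@{exec_path} mrix,` widens the access on `@{bin}/exo-open` and `@{bin}/xdg-open` from `mr` to `mrix`: the removed lines granted `ix` only to the two gio-launch-desktop paths, while the new rule lets the child-open profile execute the two openers themselves with confinement inherited. The commit message presents this as a structural refactor, so either the widening is unintended or it deserves to be recorded; if unintended, keep `ix` on the helpers only, e.g. `@{exec_path} mr,` followed by `@{lib}/{@{multiarch}/glib-[0-9]*/,}gio-launch-desktop mrix,`, and if intended, add a comment above the rule such as `# ix on exo-open/xdg-open is deliberate: they re-exec each other` (or whatever the actual reason is). Whether the openers re-exec one another is not visible in this hunk and should be confirmed from logs before choosing. The child-open profile body continues past the end of the hunk.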
@@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) {
        interface=org.freedesktop.systemd[0-9].Manager
        member=GetUnitFileState,
-  @{bin}/systemctl mr,
+  @{exec_path} mr,
   /etc/machine-id r,
   /etc/systemd/user/{,**} rwl,