feat(profiles): first set of rules for Ubuntu Core support.

apparmor.d/abstractions/nameservice-strict

@@ -19,6 +19,9 @@
   /var/lib/nscd/group r,
   /var/lib/nscd/passwd r,
 
+  /var/lib/extrausers/group  r,
+  /var/lib/extrausers/passwd r,
+
   @{run}/nscd/db* r,
   @{run}/systemd/resolve/stub-resolv.conf r,
 

apparmor.d/groups/apt/apt

@@ -58,7 +58,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
        member={CheckAuthorization,Introspect},
 
   dbus bind bus=system 
-       name= org.debian.apt,
+       name=org.debian.apt,
 
   @{exec_path} mr,
 
@@ -68,6 +68,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/{,e}grep   rix,
   /{usr/,}bin/echo       rix,
   /{usr/,}bin/gdbus      rix,
+  /{usr/,}bin/id         rix,
   /{usr/,}bin/ischroot   rix,
   /{usr/,}bin/test       rix,
   /{usr/,}bin/touch      rix,
@@ -88,6 +89,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/etckeeper                       rPx,
   /{usr/,}bin/ps                              rPx,
   /{usr/,}bin/snap                           rPUx,
+  /{usr/,}bin/systemctl                       rCx ->  systemctl,
   /{usr/,}lib/cnf-update-db                   rPx,
   /{usr/,}lib/needrestart/apt-pinvoke         rPx,
   @{libexec}/zsys-system-autosnapshot         rPx,
@@ -224,6 +226,31 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 
   }
 
+  profile systemctl {
+    include <abstractions/base>
+
+    capability sys_resource,
+
+    ptrace (read),
+
+    /{usr/,}bin/systemctl mr,
+
+    /{usr/,}bin/systemd-tty-ask-password-agent rix,
+
+    owner @{run}/systemd/ask-password/ rw,
+    owner @{run}/systemd/ask-password-block/* rw,
+
+          @{PROC}/1/environ r,
+          @{PROC}/1/sched r,
+          @{PROC}/cmdline r,
+          @{PROC}/sys/kernel/osrelease r,
+    owner @{PROC}/@{pid}/fd/ r,
+    owner @{PROC}/@{pid}/stat r,
+
+    /dev/kmsg w,
+
+  }
+
   include if exists <local/apt>
 }
 

apparmor.d/groups/apt/apt-methods-gpgv

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -27,70 +28,64 @@ profile apt-methods-gpgv @{exec_path} {
   @{exec_path} mr,
 
   # The following get "no new privs" so "rix" them
-  /{usr/,}bin/apt-key           rix,
   /{usr/,}bin/apt-config        rix,
+  /{usr/,}bin/apt-key           rix,
   /{usr/,}bin/dpkg              rix,
+  /{usr/,}bin/find              rix,
   /{usr/,}bin/gpg-connect-agent rix,
   /{usr/,}bin/gpgconf           rix,
-  /{usr/,}bin/find              rix,
   /{usr/,}bin/gpgv              rix,
 
-  /{usr/,}bin/head      rix,
+  /{usr/,}bin/{m,g,}awk rix,
+  /{usr/,}bin/base64    rix,
   /{usr/,}bin/cat       rix,
   /{usr/,}bin/chmod     rix,
   /{usr/,}bin/cmp       rix,
   /{usr/,}bin/cp        rix,
+  /{usr/,}bin/head      rix,
   /{usr/,}bin/mktemp    rix,
   /{usr/,}bin/readlink  rix,
   /{usr/,}bin/rm        rix,
   /{usr/,}bin/sed       rix,
   /{usr/,}bin/sort      rix,
   /{usr/,}bin/touch     rix,
-  /{usr/,}bin/{m,g,}awk rix,
-  /{usr/,}bin/base64    rix,
+
+  /usr/share/dpkg/cputable r,
+  /usr/share/dpkg/tupletable r,
+  /usr/share/keyrings/ r,
+  /usr/share/keyrings/*.{gpg,asc} r,
+
+  /etc/apt/apt.conf r,
+  /etc/apt/apt.conf.d/{,*} r,
+  /etc/apt/keyrings/ r,
+  /etc/apt/keyrings/*.{gpg,asc} r,
+  /etc/apt/trusted.gpg r,
+  /etc/apt/trusted.gpg.d/{,*.gpg} r,
+  /etc/dpkg/dpkg.cfg r,
+  /etc/dpkg/dpkg.cfg.d/{,*} r,
 
   # For shell pwd
   / r,
   /etc/ r,
   /root/ r,
 
-  /etc/dpkg/dpkg.cfg.d/{,*} r,
-  /etc/dpkg/dpkg.cfg r,
+        /var/lib/apt/lists/{,**} r,
+        /var/lib/dpkg/arch r,
+        /var/lib/extrepo/keys/*.{gpg,asc} r,
+        /var/lib/ubuntu-advantage/apt-esm/{,**} r,
+  owner /var/lib/apt/lists/* rw,
+  owner /var/lib/apt/lists/partial/* rw,
 
-  /etc/apt/apt.conf.d/{,*} r,
-  /etc/apt/apt.conf r,
-
-  /etc/apt/trusted.gpg.d/{,*.gpg} r,
-  /etc/apt/trusted.gpg r,
+  # For package building
+  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
 
         /tmp/ r,
   owner /tmp/apt-key-gpghome.*/ rw,
   owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
   owner /tmp/apt.{conf,sig,data}.* rw,
 
-        /var/lib/apt/lists/{,**} r,
-  owner /var/lib/apt/lists/* rw,
-  owner /var/lib/apt/lists/partial/* rw,
-
-  /usr/share/dpkg/cputable r,
-  /usr/share/dpkg/tupletable r,
-
-  /var/lib/dpkg/arch r,
-
   @{PROC}/@{pid}/fd/ r,
 
-  # Local keyring storage
-  /etc/apt/keyrings/ r,
-  /etc/apt/keyrings/*.{gpg,asc} r,
-  /usr/share/keyrings/ r,
-  /usr/share/keyrings/*.{gpg,asc} r,
-
-  # Extrepo keyring storage
-  /var/lib/extrepo/keys/*.{gpg,asc} r,
-
-  # For package building
-  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
-
   # file_inherit
   owner /dev/tty[0-9]* rw,
   /var/log/cron-apt/temp w,

apparmor.d/groups/apt/apt-methods-http

@@ -17,19 +17,20 @@ profile apt-methods-http @{exec_path} {
   capability setgid,
   capability setuid,
 
-  signal (receive) peer=apt-get,
-  signal (receive) peer=apt,
-  signal (receive) peer=aptitude,
-  signal (receive) peer=synaptic,
-  signal (receive) peer=unattended-upgrade,
-  signal (receive) peer=update-manager,
-
   network inet dgram,
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
   network netlink raw,
 
+  signal (receive) peer=apt-get,
+  signal (receive) peer=apt,
+  signal (receive) peer=aptitude,
+  signal (receive) peer=synaptic,
+  signal (receive) peer=ubuntu-advantage,
+  signal (receive) peer=unattended-upgrade,
+  signal (receive) peer=update-manager,
+
   @{exec_path} mr,
 
   # apt-helper gets "no new privs" so "rix" it
@@ -47,17 +48,20 @@ profile apt-methods-http @{exec_path} {
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,
 
+  /var/cache/apt/ r,
+  /var/cache/apt/** rwk,
+
+  /var/log/cron-apt/temp w,
+
         /var/lib/apt/lists/{,**} r,
   owner /var/lib/apt/lists/* rw,
   owner /var/lib/apt/lists/partial/* rw,
 
-  /var/cache/apt/ r,
-  /var/cache/apt/** rwk,
+  # For package building
+  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
 
-  # For the aptitude interactive mode
         /tmp/ r,
   owner /tmp/aptitude-root.*/aptitude-download-* rw,
-
   owner /tmp/apt-changelog-*/*.changelog rw,
 
   @{run}/resolvconf/resolv.conf r,
@@ -65,12 +69,7 @@ profile apt-methods-http @{exec_path} {
   @{PROC}/1/cgroup r,
   @{PROC}/@{pid}/cgroup r,
 
-  # For package building
-  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
-
-  # file_inherit
   owner /dev/tty[0-9]* rw,
-  /var/log/cron-apt/temp w,
 
   include if exists <local/apt-methods-http>
 }

apparmor.d/groups/apt/dpkg-genbuildinfo

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -17,18 +18,10 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
   @{exec_path} r,
   /{usr/,}bin/perl r,
 
-  /etc/dpkg/origins/debian r,
-
-  # For package building
-  owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
-
-  /var/lib/dpkg/status r,
-
+  /usr/share/lto-disabled-list/lto-disabled-list r,
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,
 
-  owner @{user_config_dirs}/dpkg/buildflags.conf r,
-
   /usr/local/bin/ r,
   /usr/local/sbin/ r,
   /usr/local/lib/ r,
@@ -36,5 +29,14 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
   /usr/local/include/ r,
   /usr/local/etc/ r,
 
+  /etc/dpkg/origins/* r,
+
+  /var/lib/dpkg/status r,
+
+  owner @{user_config_dirs}/dpkg/buildflags.conf r,
+
+  # For package building
+  owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
+
   include if exists <local/dpkg-genbuildinfo>
 }

apparmor.d/groups/bus/dbus-daemon

@@ -66,8 +66,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   @{system_share_dirs}/dbus-1/services/{,**} r,
 
   # Extra rules for Snap
-  /var/lib/snapd/dbus-1/services/ r,
-  /var/lib/snapd/dbus-1/system-services/ r,
+  /var/lib/snapd/dbus-1/services/{,**} r,
+  /var/lib/snapd/dbus-1/system-services/{,**} r,
 
   owner @{user_share_dirs}/dbus-1/{,**} r,
         @{user_share_dirs}/icc/{,edid-*} r,

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
        peer=(name=org.freedesktop.DBus), # all peer's labels
 
   dbus receive bus=session path=/org/freedesktop/portal/desktop
-       interface=org.freedesktop.portal.Settings
+       interface=org.freedesktop.{DBus.Properties,portal.Settings}
        member={ReadAll,GetAll}
        peer=(name=:*, label=snap.snapd-desktop-integration.snapd-desktop-integration),
 

apparmor.d/groups/ssh/sftp-server

@@ -18,5 +18,9 @@ profile sftp-server @{exec_path} {
 
   @{exec_path} mr,
 
+  # For scp
+  owner @{user_download_dirs}/{,**} rwl,
+  owner @{user_sync_dirs}/{,**} rwl,
+
   include if exists <local/sftp-server>
 }

apparmor.d/groups/ssh/ssh

@@ -22,7 +22,10 @@ profile ssh @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
-  @{exec_path} mr,
+  @{exec_path} mrix,
+
+  /{usr/,}bin/{,b,d,rb}ash  rix,
+  /{usr/,}bin/{c,k,tc,z}sh  rix,
 
   owner @{PROC}/@{pid}/fd/ r,
 

apparmor.d/groups/ssh/ssh-agent-launch

@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/openssh/agent-launch
+profile ssh-agent-launch @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,z,ba,da}sh  rix,
+
+  include if exists <local/ssh-agent-launch>
+}

apparmor.d/groups/ssh/ssh-keygen

@@ -22,5 +22,8 @@ profile ssh-keygen @{exec_path} {
   owner @{HOME}/@{XDG_SSH_DIR}/ w,
   owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,
 
+  /dev/tty[0-9]* rw,
+  /dev/ttyS[0-9]* rw,
+
   include if exists <local/ssh-keygen>
 }

apparmor.d/groups/ssh/sshd

@@ -66,23 +66,27 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/passwd               rPx,
   /{usr/,}lib/openssh/sftp-server  rPx,
 
+  /etc/legal r,
   /etc/shells r,
   /etc/default/locale r,
   @{etc_ro}/environment r,
   /etc/gss/mech.d/{,*} r,
   /etc/issue.net r,
-  /etc/motd r,
+  @{etc_rw}/motd r,
   @{etc_ro}/security/limits.d/{,*.conf} r,
 
   @{etc_ro}/ssh/sshd_config r,
   @{etc_ro}/ssh/sshd_config.d/{,*} r,
   /etc/ssh/ssh_host_* r,
 
+  /var/lib/extrausers/shadow r,
+
   # For scp
   owner @{user_download_dirs}/{,**} rwl,
   owner @{user_sync_dirs}/{,**} rwl,
 
   owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
+  owner @{user_cache_dirs}/{,motd*} rw,
 
         @{run}/faillock/[a-zA-z0-9]* rwk,
         @{run}/motd.d/{,*} r,
@@ -108,6 +112,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/uid_map r,
 
   /dev/ptmx rw,
+  /dev/tty[0-9]* rw,
+  /dev/ttyS[0-9]* rw,
 
   include if exists <local/sshd>
 }

apparmor.d/groups/systemd/hostnamectl

@@ -9,6 +9,15 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/hostnamectl
 profile hostnamectl @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+
+  capability net_admin,
+
+  dbus send bus=system path=/org/freedesktop/
+       interface=org.freedesktop.hostname1
+       member=Set*Hostname
+       peer=(name=org.freedesktop.hostname1),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-environment-d-generator

@@ -22,6 +22,8 @@ profile systemd-environment-d-generator @{exec_path} {
   @{etc_ro}/environment r,
   @{etc_ro}/environment.d/{,**} r,
 
+  /snap/snapd/[0-9]*/usr/lib/environment.d/{,*.conf} r,
+
   owner @{user_config_dirs}/environment.d/{,*.conf} r,
 
   /dev/tty rw,

apparmor.d/groups/systemd/systemd-hostnamed

@@ -25,19 +25,24 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
        member=CheckAuthorization
        peer=(name=org.freedesktop.PolicyKit1),
 
-  dbus receive bus=system path=/org/freedesktop/hostname[0-9]
+  dbus receive bus=system path=/org/freedesktop/hostname1
        interface=org.freedesktop.{DBus.Properties,hostname1}
        member={Get,GetAll,SetHostname}
        peer=(name=:*),
 
+  dbus receive bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.hostname1
+       member=Set*Hostname
+       peer=(name=:*, label=hostnamectl),
+
   dbus bind bus=system
        name=org.freedesktop.hostname[0-9],
 
   @{exec_path} mr,
 
-  /etc/.#hostname* rw,
+  @{etc_rw}/.#hostname* rw,
+  @{etc_rw}/hostname rw,
   /etc/.#machine-info?????? rw,
-  /etc/hostname rw,
   /etc/machine-info rw,
 
   @{run}/systemd/default-hostname rw,

apparmor.d/groups/ubuntu/apt-esm-json-hook

@@ -9,13 +9,20 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook
 profile apt-esm-json-hook @{exec_path} {
   include <abstractions/base>
+  include <abstractions/apt-common>
   include <abstractions/consoles>
 
   unix (receive, send) type=stream peer=(label=apt),
 
   @{exec_path} mr,
 
+  /{usr/,}bin/dpkg         rPx,
+
+  /var/lib/ubuntu-advantage/{,**} r,
+
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
+  owner @{PROC}/@{pid}/fd/ r,
+
   include if exists <local/apt-esm-json-hook>
 }

apparmor.d/groups/ubuntu/notify-reboot-required

@@ -15,6 +15,7 @@ profile notify-reboot-required @{exec_path} {
 
   /{usr/,}bin/{,ba,da}sh  rix,
   /{usr/,}bin/gettext     rix,
+  /{usr/,}bin/snap        rPx,
 
   /usr/share/update-notifier/notify-reboot-required r,
 

apparmor.d/groups/ubuntu/subiquity-console-conf

@@ -0,0 +1,117 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/share/subiquity/console-conf-wrapper
+profile subiquity-console-conf @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/disks-read>
+  include <abstractions/nameservice-strict>
+  include <abstractions/python>
+  include <abstractions/openssl>
+
+  capability chown,
+  capability fsetid,
+
+  network inet  stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,da,ba}sh  rix,
+  /{usr/,}bin/cat         rix,
+  /{usr/,}bin/grep        rix,
+  /{usr/,}bin/mkdir       rix,
+  /{usr/,}bin/mv          rix,
+  /{usr/,}bin/sleep       rix,
+  /{usr/,}bin/stty        rix,
+  /{usr/,}bin/tr          rix,
+  /{usr/,}bin/tty         rix,
+
+  /{snap/snapd/[0-9]*/,}{usr/,}bin/snap  rPx, # TODO: rCx,
+  /{usr/,}{,s}bin/sshd                   rPx, 
+  /{usr/,}bin/journalctl                 rCx -> journalctl,
+  /{usr/,}bin/ssh-keygen                 rPx, 
+  /usr/lib/snapd/snap-recovery-chooser  rPUx,
+  /usr/share/netplan/netplan.script     rPUx, # TODO: rPx,
+
+  /usr/share/subiquity/{,**} r,
+  /usr/share/subiquity/console-conf-tui rix,
+  /usr/share/subiquity/console-conf-write-login-details rix,
+
+  /var/lib/extrausers/shadow r,
+
+  /var/lib/console-conf/{,**} rw,
+  /var/log/console-conf/{,**} rw,
+
+  @{run}/console-conf/{,**} rw,
+  @{run}/snapd-recovery-chooser-triggered r,
+  @{run}/snapd.socket rw,
+
+  @{run}/udev/data/+acpi:* r,
+  @{run}/udev/data/+dmi* r,
+  @{run}/udev/data/+drm* r,
+  @{run}/udev/data/+input* r,         # For mouse, keyboard, touchpad
+  @{run}/udev/data/+leds:* r,
+  @{run}/udev/data/+pci* r,
+  @{run}/udev/data/+platform* r,
+  @{run}/udev/data/+sound:card* r,    # For sound
+
+  @{run}/udev/data/c1:[0-9]* r,       # For RAM disk
+  @{run}/udev/data/c4:[0-9]* r,       # For TTY devices
+  @{run}/udev/data/c5:[0-9]* r,       # For /dev/tty, /dev/console, /dev/ptmx
+  @{run}/udev/data/c7:[0-9]* r,       # For Virtual console capture devices
+  @{run}/udev/data/c10:[0-9]* r,      # For non-serial mice, misc features
+  @{run}/udev/data/c13:[0-9]* r,      # For /dev/input/*
+  @{run}/udev/data/c29:[0-9]* r,      # For /dev/fb[0-9]*
+  @{run}/udev/data/c89:[0-9]* r,      # For I2C bus interface
+  @{run}/udev/data/c108:[0-9]* r,     # For /dev/ppp
+  @{run}/udev/data/c116:[0-9]* r,     # For ALSA
+  @{run}/udev/data/c226:[0-9]* r,     # For /dev/dri/card*
+  @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:[0-9]* r,
+  @{run}/udev/data/c25[0-4]:[0-9]* r,
+  @{run}/udev/data/n[0-9]* r,
+
+  @{sys}/**/devices/ r,
+  @{sys}/*/*/ r,
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/devices/**/uevent r,
+  @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
+  @{sys}/devices/virtual/net/{,**} r,
+
+        @{PROC}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  /dev/tty rw,
+  /dev/tty[0-9]* rw,
+  /dev/ttyS[0-9]* rw,
+
+  profile journalctl {
+    include <abstractions/base>
+
+    /{usr/,}bin/journalctl mr,
+
+    @{run}/log/ rw,
+    /{run,var}/log/journal/ rw,
+    /{run,var}/log/journal/@{hex}/ rw,
+    /{run,var}/log/journal/@{hex}/system.journal* rw,
+    /{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
+    /{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
+
+    owner @{PROC}/@{pid}/stat r,
+
+    /var/lib/dbus/machine-id r,
+    /etc/machine-id r,
+
+  }
+
+  include if exists <local/subiquity-console-conf>
+}

apparmor.d/profiles-a-f/agetty

@@ -23,14 +23,17 @@ profile agetty @{exec_path} {
 
   /{usr/,}bin/login rPx,
 
+  /usr/share/subiquity/console-conf-wrapper rPx, # only:core22
+
+  @{etc_rw}/issue r,
+  /{,usr/}lib/os-release r,
   /{etc,run,lib,usr/lib}/issue r,
   /{etc,run,lib,usr/lib}/issue.d/{,*} r,
-  /{,usr/}lib/os-release  r,
   /etc/inittab r,
   /etc/os-release r,
 
-  owner @{run}/agetty.reload rw,
         @{run}/resolvconf/resolv.conf r,
+  owner @{run}/agetty.reload rw,
 
         /dev/tty[0-9]*   rw,
   owner /dev/ttyGS[0-9]* rw,

apparmor.d/profiles-a-f/apparmor_parser

@@ -24,10 +24,11 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
   /usr/share/apparmor/{,**} r,
 
   owner /snap/core[0-9]*/[0-9]*/etc/apparmor.d/{,**} r,
+  owner /snap/core[0-9]*/[0-9]*/etc/apparmor/* r,
   owner /var/cache/apparmor/{,**} rw,
   owner /var/lib/docker/tmp/docker-default[0-9]* r,
   owner /var/lib/snapd/apparmor/{,**} r,
-  owner /var/snap/lxd/common/lxd/security/apparmor/{,**} r,
+  owner /var/snap/lxd/common/lxd/security/apparmor/{,**} rw,
 
   owner /tmp/cri-containerd.apparmor.d[0-9]* r,
 

apparmor.d/profiles-s-z/snap

@@ -12,10 +12,20 @@ profile snap @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
+  include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
 
+  capability sys_admin,
+
   unix (send, receive) type=stream peer=(label=apt),
 
+  mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-[0-9]*/,
+
+  dbus (send, receive) bus=session path=/org/freedesktop/
+         interface=org.freedesktop.systemd1.Manager
+         member={StartTransientUnit,JobRemoved}
+         peer=(name=:*, label=unconfined),
+
   dbus send bus=session path=/org/freedesktop/portal/documents
        interface=org.freedesktop.portal.Documents
        member=GetMountPoint
@@ -23,6 +33,8 @@ profile snap @{exec_path} {
 
   @{exec_path} mrix,
 
+  /{usr/,}bin/mount rix,
+
   /{usr/,}bin/systemctl        rPx -> child-systemctl,
 
   /snap/{,**} rw,
@@ -34,21 +46,25 @@ profile snap @{exec_path} {
 
   /var/lib/snapd/{,**} rwk,
   /var/cache/snapd/commands.db rwk,
+  /var/cache/snapd/names r,
 
-  owner @{HOME}/snap/{,**} rw,
+  @{HOME}/snap/{,**} rw,
+
+  owner /tmp/snapd-auto-import-mount-[0-9]*/ rw,
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
   owner @{run}/user/@{uid}/systemd/notify rw,
 
+  @{run}/mount/utab r,
   @{run}/snapd.socket rw,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
   @{sys}/kernel/security/apparmor/features/ r,
 
-  owner @{PROC}/@{pids}/mountinfo r,
   @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/mountinfo r,
   @{PROC}/cgroups r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/random/boot_id r,
@@ -56,6 +72,9 @@ profile snap @{exec_path} {
   @{PROC}/sys/kernel/seccomp/actions_avail r,
   @{PROC}/version r,
 
+  /dev/tty[0-9]* rw,
+  /dev/ttyS[0-9]* rw,
+
   deny @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists <local/snap>

apparmor.d/profiles-s-z/snap-device-helper

@@ -11,6 +11,7 @@ profile snap-device-helper @{exec_path} {
   include <abstractions/base>
 
   capability bpf,
+  capability dac_read_search,
   capability setgid,
   capability sys_resource,
 

apparmor.d/profiles-s-z/snap-discard-ns

@@ -11,6 +11,11 @@ profile snap-discard-ns @{exec_path} {
   include <abstractions/base>
 
   capability setgid,
+  capability sys_admin,
+
+  network netlink raw,
+
+  umount @{run}/snapd/ns/*.mnt,
 
   @{exec_path} mr,
 

apparmor.d/profiles-s-z/snap-update-ns

@@ -14,10 +14,14 @@ profile snap-update-ns @{exec_path} {
   capability sys_admin,
   capability sys_chroot,
 
+  network netlink raw,
+
   mount -> /snap/**/,
   mount -> /usr/**/,
+  mount -> /var/lib/dhcp/,
   mount /snap/**/ -> /tmp/.snap/**,
   umount /snap/**/,
+  umount /var/lib/dhcp/,
 
   @{exec_path} mr,
 

apparmor.d/profiles-s-z/snapd

@@ -38,7 +38,7 @@ profile snapd @{exec_path} {
 
   mount fstype=squashfs /dev/loop[0-9]* -> /tmp/syscheck-mountpoint-[0-9]*/,
   umount /tmp/syscheck-mountpoint-[0-9]*/,
-  umount /snap/*/[0-9]*/,
+  umount /snap/*/*/,
 
   ptrace (read) peer=snap,
   ptrace (read) peer=unconfined,
@@ -55,6 +55,13 @@ profile snapd @{exec_path} {
 
   @{exec_path} mr,
 
+  /{usr/,}{s,}bin/adduser              rPX,
+  /{usr/,}{s,}bin/groupadd             rPX,
+  /{usr/,}{s,}bin/useradd              rPX,
+  /{usr/,}bin/cloud-init              rPUx, # TODO: rPx ? limited to ubtuntu core, otherwise out of scope
+  /{usr/,}bin/hostnamectl              rPx,
+  /{usr/,}bin/ssh-keygen               rPx,
+
   /{usr/,}{s,}bin/apparmor_parser      rPx,
   /{usr/,}{s,}bin/runuser              rCx -> runuser,
   /{usr/,}bin/{,ba,da}sh               rix,
@@ -82,13 +89,14 @@ profile snapd @{exec_path} {
   /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns   rPx,
   /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd            rix,
 
-  /usr/share/bash-completion/completions/{,**} r,
+  /usr/share/bash-completion/{,**} r,
   /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
   /usr/share/dbus-1/services/*snap* r,
   /usr/share/polkit-1/actions/{,**/} r,
 
   /etc/apparmor.d/*snapd.snap* r,
   /etc/dbus-1/system.d/{,**/} r,
+  /etc/environment r,
   /etc/fstab r,
   /etc/mime.types r,
   /etc/modprobe.d/{,**/} r,
@@ -113,19 +121,26 @@ profile snapd @{exec_path} {
   /tmp/syscheck-squashfs-[0-9]* rw,
   /tmp/read-file[0-9]*/{,**} rw,
 
+
+  /boot/ r,
+  /boot/grub/grubenv r, 
+
   / r,
   /home/ r,
   @{HOME}/ r,
   @{HOME}/snap/{,**} rw,
+  @{HOME}/.snap*/{,**} rw,
 
   owner @{run}/mount/ rw,
   owner @{run}/mount/utab{,.*} rw,
   owner @{run}/mount/utab.lock wk,
 
+  @{run}/user/ r,
   @{run}/user/@{uid}/ r,
   @{run}/user/@{uid}/snapd-session-agent.socket rw,
   @{run}/user/snap.*/{,**} rw,
 
+  @{run}/mnt/ubuntu-seed/EFI/ubuntu/grubenv r,  # only:core
   @{run}/snapd*.socket rw,
   @{run}/snapd/{,**} rw,
   @{run}/snapd/lock/*.lock rwk,
@@ -140,6 +155,7 @@ profile snapd @{exec_path} {
   @{sys}/kernel/security/apparmor/features/ r,
   @{sys}/kernel/security/apparmor/profiles r,
 
+  @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
 
         @{PROC}/@{pids}/cgroup r,

apparmor.d/profiles-s-z/sudo

@@ -44,11 +44,15 @@ profile sudo @{exec_path} {
        member=CreateSession
        peer=(name=org.freedesktop.login[0-9]),
 
+  dbus (send receive) bus=session path=/org/freedesktop/systemd1
+         interface=org.freedesktop.systemd.Manager
+         member={JobRemoved,StartTransientUnit},
+
   @{exec_path} mr,
 
-  /run/ r,
-
   @{libexec}/sudo/** mr,
+
+  /snap/snapd/[0-9]*/usr/bin/snap        rPx,
   /{usr/,}bin/{,b,d,rb}ash               rUx,
   /{usr/,}bin/{c,k,tc,z}sh               rUx,
   /{usr/,}lib/cockpit/cockpit-askpass    rPx,
@@ -63,6 +67,7 @@ profile sudo @{exec_path} {
   /etc/sudoers.d/{,*} r,
 
         /var/db/sudo/lectured/ r,
+        /var/lib/extrausers/shadow r,
         /var/lib/sudo/lectured/ r,
         /var/lib/sudo/ts/ rw,
         /var/lib/sudo/ts/* rwk,
@@ -72,6 +77,7 @@ profile sudo @{exec_path} {
   owner @{HOME}/.sudo_as_admin_successful rw,
   owner @{HOME}/.xsession-errors w,
 
+        @{run}/ r,
         @{run}/faillock/{,*} rwk,
         @{run}/resolvconf/resolv.conf r,
   owner @{run}/sudo/ rw,

apparmor.d/tunables/extend

@@ -28,4 +28,7 @@
 @{libexec}=/{usr/,}lib      # Archlinux
 @{libexec}=/{usr/,}libexec  # Debian/Ubuntu
 
+# Integration with Ubuntu Core
+@{etc_rw}+=/etc/writable/
+
 include if exists  <tunables/extend.d>