From f0a2cb3897e1c81c4ccf5854f4b7ba3a58c688d8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 11 Nov 2023 22:02:47 +0000
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/abstractions/chromium | 1 +
 .../groups/gnome/gnome-extension-manager | 3 ++-
 apparmor.d/groups/systemd/systemd-binfmt | 11 +++------
 apparmor.d/profiles-a-f/auditctl | 2 +-
 apparmor.d/profiles-a-f/augenrules | 23 ++++++++++---------
 apparmor.d/profiles-a-f/fprintd | 1 +
 apparmor.d/profiles-a-f/fwupd | 1 +
 apparmor.d/profiles-g-l/irqbalance | 4 ++++
 apparmor.d/profiles-s-z/sudo | 1 +
 9 files changed, 26 insertions(+), 21 deletions(-)
diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium
index ad304ba2..083bb16c 100644
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@@ -56,6 +56,7 @@
 network netlink raw,
 @{lib_dirs}/{,**} r,
+ @{lib_dirs}/*.so* mr,
 @{lib_dirs}/chrome_crashpad_handler rPx,
 @{lib_dirs}/chrome-sandbox rPx,
diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager
index f27cdf5b..102a8e37 100644
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@@ -39,7 +39,8 @@ profile gnome-extension-manager @{exec_path} {
 /usr/share/themes/{,**} r,
 /usr/share/X11/xkb/{,**} r,
- @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ owner @{PROC}/@{pid}/cmdline r,
 # Silencer
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt
index 405fdd9a..5d05be6c 100644
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
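Review bot: The new `@{lib_dirs}/*.so* mr,` grants mmap-exec only to shared objects sitting directly in @{lib_dirs}, because AppArmor's `*` does not match `/`; a library loaded from a subdirectory still has only the `r` from `@{lib_dirs}/{,**} r,` and is refused when mapped executable. If the bundled browsers ship any nested shared objects, `@{lib_dirs}/**.so* mr,` covers them as well; if the flat layout is deliberate, a short comment such as `# shared objects are expected flat in @{lib_dirs}` records that for the next reader.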
@@ -9,11 +9,10 @@ include
 @{exec_path} = @{lib}/systemd/systemd-binfmt
 profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
 include
+ include
 capability net_admin,
- ptrace (read) peer=unconfined,
-
 @{exec_path} mr,
 @{bin}/* r,
@@ -23,12 +22,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
 @{run}/binfmt.d/{,*.conf} r,
 /usr/lib/binfmt.d/{,*.conf} r,
- @{PROC}/1/environ r,
- @{PROC}/cmdline r,
- @{PROC}/sys/fs/binfmt_misc/register w,
- @{PROC}/sys/fs/binfmt_misc/status w,
- @{PROC}/sys/kernel/osrelease r,
- owner @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/fs/binfmt_misc/register w,
+ @{PROC}/sys/fs/binfmt_misc/status w,
 /dev/tty@{int} rw,
 /dev/pts/@{int} rw,
diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl
index be160547..4a551c43 100644
--- a/apparmor.d/profiles-a-f/auditctl
+++ b/apparmor.d/profiles-a-f/auditctl
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{bin}/auditctl
-profile auditctl @{exec_path} {
+profile auditctl @{exec_path} flags=(attach_disconnected) {
 include
 capability audit_control,
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index 198e32c5..4a42a78b 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -7,22 +7,23 @@ abi ,
 include
 @{exec_path} = @{bin}/augenrules
-profile augenrules @{exec_path} {
+profile augenrules @{exec_path} flags=(attach_disconnected) {
 include
 include
 @{exec_path} mr,
- @{bin}/auditctl rPx,
- @{bin}/cat rix,
- @{bin}/chmod rix,
- @{bin}/cmp rix,
- @{bin}/cp rix,
- @{bin}/{,g,m}awk rix,
- @{bin}/{,e,f}grep rix,
- @{bin}/ls rix,
- @{bin}/mktemp rix,
- @{bin}/rm rix,
+ @{bin}/{,ba,da}sh rix,
+ @{bin}/{,e,f}grep rix,
+ @{bin}/{,g,m}awk rix,
+ @{bin}/auditctl rPx,
+ @{bin}/cat rix,
+ @{bin}/chmod rix,
+ @{bin}/cmp rix,
+ @{bin}/cp rix,
+ @{bin}/ls rix,
+ @{bin}/mktemp rix,
+ @{bin}/rm rix,
 /etc/audit/audit.rules rw,
 /etc/audit/rules.d/{,*} r,
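Review bot: The second systemd-binfmt hunk drops `@{PROC}/1/environ r,`, `@{PROC}/cmdline r,`, `@{PROC}/sys/kernel/osrelease r,` and `owner @{PROC}/@{pid}/stat r,`, and the first hunk drops `ptrace (read) peer=unconfined,`, with only the new `include` (whose argument is not visible on this page) standing in for them. Nothing in the diff or in the commit message ("general update") lets a reader confirm that the abstraction supplies just these accesses rather than a wider set, and reading PID 1's environment together with ptrace-read on unconfined peers is exactly the part worth keeping narrowly scoped. A one-line comment above the new include stating what it is expected to provide, e.g. `# proc/cmdline, osrelease and ptrace-read rules come from this abstraction`, or a sentence in the commit message naming it, would make the removal reviewable.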
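Review bot: `flags=(attach_disconnected)` is added to the auditctl profile, and to augenrules in the following hunk, without a comment saying which disconnected path triggered it. The flag makes AppArmor mediate paths that are detached from the namespace root as though they were attached, which widens what the existing path rules match, so the profile should record the reason next to the profile line, e.g. `# attach_disconnected: <disconnected path from the audit log — placeholder>`. In augenrules the new `@{bin}/{,ba,da}sh rix,` runs the interpreter under this same profile; that is consistent with the script already being confined here and with `auditctl` staying at `rPx`, so no change is needed there beyond the comment.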
diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd
index a7c999c4..1ff55cb7 100644
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@@ -13,6 +13,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
 include
 include
+ capability net_admin,
 capability sys_nice,
 network netlink raw,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index a51ef8c9..fcb9bc5a 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -21,6 +21,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 capability dac_read_search,
 capability linux_immutable,
 capability mknod,
+ capability net_admin,
 capability sys_admin,
 capability sys_nice,
 capability sys_rawio,
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index 17da1fc0..37b88831 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@@ -16,6 +16,10 @@ profile irqbalance @{exec_path} {
 @{exec_path} mr,
+ /etc/default/irqbalance r,
+
+ / r,
+
 @{run}/irqbalance/irqbalance[0-9]*.sock w,
 @{sys}/bus/pci/devices/ r,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index c34c8de7..dd9d7f60 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -73,6 +73,7 @@ profile sudo @{exec_path} {
 /var/lib/sudo/ts/ rw,
 /var/lib/sudo/ts/* rwk,
 /var/log/sudo.log wk,
+ owner /var/db/sudo/lectured/@{uid} rw,
 owner /var/lib/sudo/lectured/* rw,
 owner @{HOME}/.sudo_as_admin_successful rw,
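Review bot: `capability net_admin,` is a broad grant for a fingerprint daemon, and the same line is added to fwupd in the next hunk. fprintd already carries `network netlink raw,` for udev device monitoring, and libudev's monitor setup tries SO_RCVBUFFORCE on that socket, which AppArmor logs as a net_admin denial even though libudev falls back to SO_RCVBUF when the call fails; if that log entry is what prompted the change, `deny capability net_admin,` silences it without granting the capability. If either daemon genuinely needs net_admin, the rule should carry a comment naming the operation, e.g. `# net_admin: <operation — placeholder>`, so the grant is not widened further by the next contributor.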
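Review bot: `/ r,` in the irqbalance hunk grants a read of the root directory listing with nothing in the hunk or the commit message explaining why, and it sits on its own between the new `/etc/default/irqbalance r,` and the socket rule. It is a small grant, but unexplained root-directory reads are usually copied from a log entry rather than understood; a comment such as `# root dir listing: <reason — placeholder>` keeps the next reader from widening it. The rest of the irqbalance profile is outside the hunk.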
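Review bot: The new sudo rule `owner /var/db/sudo/lectured/@{uid} rw,` uses the numeric `@{uid}` pattern, while the sibling `owner /var/lib/sudo/lectured/* rw,` on the next line uses `*`. As far as I recall, sudo names its lecture status file after the invoking user's name rather than the numeric id, in which case `@{uid}` never matches and the rule is dead; if the path was taken from an audit log showing a numeric name, please note that in a comment, otherwise `owner /var/db/sudo/lectured/* rw,` keeps the two directories consistent.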