update apparmor profiles

parent 413efce0
......@@ -32,5 +32,8 @@ profile apt-cache @{exec_path} flags=(complain) {
owner /tmp/clearsigned.message.* rw,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/apt-cache>
}
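Review bot: The `/dev/pts/[0-9]* rw,` rule under `# file_inherit` carries no `owner` qualifier, so it grants read/write on every pseudo-terminal rather than only the one the caller's shell handed down; the xkbcomp hunk in this same commit writes the equivalent inherited-terminal rule as `owner /dev/tty[0-9]* rw,`. For profiles that run as the invoking user, `owner /dev/pts/[0-9]* rw,` keeps the inherited fd working without widening access; the unqualified form is only justified where the tool genuinely runs as root on another user's terminal (dkms or update-initramfs under sudo, presumably), and that reason is worth a comment. The same rule is added in the child-dpkg, child-lsb_release, dkms, dpkg-deb, dpkg-split, hostname, run-parts, synaptic, update-initramfs and wget hunks; the header counts a third added line that this rendering does not show.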
......@@ -44,20 +44,35 @@ profile check-support-status @{exec_path} flags=(complain) {
/{usr/,}bin/gettext rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/envsubst rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/dpkg-query rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/debconf-escape rCx -> debconf-escape,
/tmp/ r,
owner /tmp/debian-security-support.*/{,**} rw,
/tmp/debian-security-support.postinst.*/output w,
/var/lib/debian-security-support/security-support.semaphore r,
owner /var/lib/debian-security-support/security-support.semaphore rw,
owner /var/lib/debian-security-support/tmp.* rw,
/usr/share/debian-security-support/* r,
# file_inherit
/dev/pts/[0-9]* rw,
profile debconf-escape flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
/{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r,
owner /tmp/debian-security-support.postinst.*/output r,
}
#include if exists <local/check-support-status>
}
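Review bot: The `profile debconf-escape` child added here is repeated verbatim in the check-support-status-hook section below, and both exist only to read `owner /tmp/debian-security-support.postinst.*/output r,`; two copies will drift the first time one is adjusted. A comment above each child, `# keep in sync with the debconf-escape child in check-support-status-hook` (and the reverse), or moving the shared rules into an abstraction both children `#include`, would make the relationship visible. The parent profile writes that same output file without `owner` (`/tmp/debian-security-support.postinst.*/output w,`) while the child reads it with `owner`; if the parent line is new in this commit, the qualifiers should match, and which lines are new is not recoverable from this rendering.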
......@@ -30,6 +30,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/{usr/,}sbin/runuser rPUx,
/{usr/,}sbin/adduser rPx,
/{usr/,}bin/check-support-status rPx,
/{usr/,}bin/debconf-escape rCx -> debconf-escape,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
......@@ -44,6 +45,17 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/dev/pts/[0-9]* rw,
profile debconf-escape flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
/{usr/,}bin/debconf-escape r,
/{usr/,}bin/perl r,
owner /tmp/debian-security-support.postinst.*/output r,
}
profile frontend flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
......
......@@ -35,6 +35,7 @@ profile child-dpkg {
# file_inherit
/tmp/#[0-9]*[0-9] rw,
/dev/pts/[0-9]* rw,
#include if exists <local/child-dpkg>
}
......@@ -58,6 +58,7 @@ profile child-lsb_release {
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# deny /tmp/gtalkplugin.log w,
/dev/pts/[0-9]* rw,
#include if exists <local/child-lsb_release>
}
......@@ -84,5 +84,8 @@ profile dkms @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/dkms>
}
......@@ -57,5 +57,8 @@ profile dpkg-deb @{exec_path} flags=(complain) {
/var/cache/apt/archives/*.deb r,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/dpkg-deb>
}
......@@ -27,5 +27,8 @@ profile dpkg-split @{exec_path} flags=(complain) {
/var/cache/apt/archives/*.deb r,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/dpkg-split>
}
......@@ -22,6 +22,7 @@ profile hostname @{exec_path} {
@{exec_path} mr,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/hostname>
}
......@@ -16,6 +16,7 @@ profile ifup @{exec_path} flags=(complain) {
#include <abstractions/base>
capability net_admin,
capability sys_module,
@{exec_path} mr,
......
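Review bot: `capability sys_module,` is the strongest grant in this profile, since it allows loading kernel modules, and nothing records which ifup operation needed it. A why-comment above the line, `# sys_module: <operation seen in the audit log — TODO fill in>`, or checking whether the module load actually happens in a modprobe child that could carry the capability instead of ifup itself, would keep the grant reviewable. Which of the three visible lines is the added one cannot be recovered from this rendering, and the ifup profile body continues past the hunk.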
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
......@@ -44,6 +44,9 @@ profile run-parts @{exec_path} {
owner /tmp/#[0-9]*[0-9] rw,
# file_inherit
/dev/pts/[0-9]* rw,
profile motd {
#include <abstractions/base>
......
......@@ -23,7 +23,7 @@ profile scrot @{exec_path} {
/{usr/,}bin/mv rix,
# The image dir
owner @{HOME}/*.png w,
owner @{HOME}/*.png rw,
owner @{HOME}/.Xauthority r,
......
......@@ -43,6 +43,8 @@ profile sudo @{exec_path} {
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pids}/stat r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/{,*} r,
......
......@@ -35,6 +35,8 @@ profile synaptic @{exec_path} flags=(complain) {
capability dac_override,
capability kill,
capability fsetid,
# Needed?
deny capability sys_nice,
signal (send) peer=apt-methods-*,
......@@ -121,6 +123,9 @@ profile synaptic @{exec_path} flags=(complain) {
# Synaptic is a GUI app started by root, so without "owner"
@{HOME}/.Xauthority r,
# file_inherit
/dev/pts/[0-9]* rw,
profile dbus flags=(complain) {
#include <abstractions/base>
......
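Review bot: `deny capability sys_nice,` under `# Needed?` cannot answer its own question: explicit `deny` rules are not logged, so once this lands the audit log will never show whether synaptic attempts sys_nice. While the question is open, `audit deny capability sys_nice,` keeps the denial but records each attempt, or the line can be dropped and complain mode will report the capability if it is ever used. Either way the `# Needed?` comment should be replaced by what was actually observed. The dbus child profile in the second hunk continues past the section.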
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-analyze
profile systemd-analyze @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/systemd-common>
capability sys_resource,
capability sys_admin,
capability net_admin,
capability dac_override,
capability dac_read_search,
ptrace (read),
signal (send) peer=systemd-analyze//pager,
@{exec_path} mr,
/{usr/,}bin/less rCx -> pager,
/{usr/,}bin/more rCx -> pager,
/{usr/,}bin/man rPx,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/comm r,
@{PROC}/swaps r,
# For systemd-analyze cat-config
/etc/systemd/** r,
/{usr/,}lib/systemd/** r,
@{sys}/fs/cgroup/{systemd,unified}/** r,
@{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,
@{sys}/firmware/acpi/tables/FPDT r,
@{sys}/module/**/uevent r,
@{sys}/devices/**/uevent r,
/{var/,}run/udev/data/* r,
/{var/,}run/udev/tags/systemd/ r,
/{var/,}run/systemd/system/ r,
/{var/,}run/systemd/userdb/io.systemd.DynamicUser w,
owner /tmp/systemd-temporary-*/ rw,
/usr/ r,
/etc/default/locale r,
profile pager flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
signal (receive) peer=systemd-analyze,
/{usr/,}bin/less mr,
owner @{HOME}/.lesshst r,
}
#include if exists <local/systemd-analyze>
}
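Review bot: `/{usr/,}bin/more rCx -> pager,` sends more into the pager child, but the child only allows `/{usr/,}bin/less mr,`, so running more is denied there (logged but permitted under complain, refused once the profile is enforced); `/{usr/,}bin/{less,more} mr,` in the child fixes it. Separately, `@{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,` lets the tool move any process between cgroups and `capability sys_admin,` is close to unbounded; a one-line comment naming the sub-command that required each (the existing `# For systemd-analyze cat-config` comment is a good model) would make later tightening possible.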
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-fsck
profile systemd-fsck @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/disks-read>
#include <abstractions/systemd-common>
capability net_admin,
capability sys_resource,
@{exec_path} mr,
/{usr/,}sbin/fsck rPx,
/{usr/,}sbin/e2fsck rPx,
#include if exists <local/systemd-fsck>
}
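Review bot: `/{usr/,}sbin/fsck rPx,` and `/{usr/,}sbin/e2fsck rPx,` require a loaded profile for each target; with `Px` an exec whose target profile is not loaded is refused, and for a unit that runs at boot that means the filesystem check itself fails once this profile leaves complain mode. If fsck and e2fsck profiles exist in this set that is fine; otherwise `rPUx` (fall back to unconfined when no profile is present) or an `rCx` child is the safer transition for this path. `capability net_admin,` in a filesystem-check wrapper also deserves a why-comment, as the reason is not visible here.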
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-fsckd
profile systemd-fsckd @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/systemd-common>
capability net_admin,
capability sys_tty_config,
@{exec_path} mr,
/{var/,}run/systemd/fsck.progress w,
#include if exists <local/systemd-fsckd>
}
......@@ -46,5 +46,8 @@ profile update-initramfs @{exec_path} {
owner /boot/initrd.img-* rw,
owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/update-initramfs>
}
......@@ -33,5 +33,12 @@ profile wget @{exec_path} {
/usr/share/publicsuffix/public_suffix_list.* r,
# For apt
owner /var/cache/google-android-build-tools-*-installer/build-tools_*-linux.zip w,
owner /var/cache/google-android-platform-*-installer/platform-*.zip w,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/wget>
}
......@@ -28,11 +28,12 @@ profile xkbcomp @{exec_path} {
owner /tmp/server-[0-9].xkm w,
# file_inherit
deny /dev/tty[0-9]* rw,
owner /dev/tty[0-9]* rw,
deny /var/log/Xorg.[0-9]*.log w,
deny /dev/input/event[0-9]* rw,
owner @{HOME}/.local/share/xorg/Xorg.[0-9].log w,
owner /var/log/lightdm/x-[0-9]*.log w,
/dev/dri/card[0-9]* rw,
#include if exists <local/xkbcomp>
}
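Review bot: `/dev/dri/card[0-9]* rw,` sits under `# file_inherit` with neither `owner` nor `deny`, so xkbcomp keeps read/write on every DRM device it inherits from the X server; the neighbouring inherited fds (`/var/log/Xorg.[0-9]*.log`, `/dev/input/event[0-9]*`) are explicitly denied, and a keymap compiler has no use for the GPU, so `deny /dev/dri/card[0-9]* rw,` is the consistent choice. Which of the trailing lines is the one added cannot be recovered from this rendering; only the `deny /dev/tty[0-9]* rw,` → `owner /dev/tty[0-9]* rw,` change is certain.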