diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b07fc8990..89b0039ac 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -3,8 +3,19 @@ name: Ubuntu on: [push, pull_request, workflow_dispatch] jobs: + check: + runs-on: ubuntu-24.04 + steps: + - name: Check out repository code + uses: actions/checkout@v4 + + - name: Run basic profile linter check + run: | + make check + build: runs-on: ${{ matrix.os }} + needs: check strategy: matrix: os: @@ -89,11 +100,36 @@ jobs: sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service + - name: Restart some services to ensure they are confined + run: | + services=( + containerd cron + dbus docker + ModemManager multipathd + networkd-dispatcher + packagekit polkit + snapd + systemd-journald systemd-hostnamed systemd-logind systemd-networkd + systemd-resolved systemd-udevd + udisks2 + ) + sudo systemctl daemon-reload + for service in "${services[@]}"; do + sudo systemctl restart "$service" || systemctl status "$service.service" || true + done + sudo ps auxZ | grep -v '\[.*\]' + sudo aa-log -s --raw + + - name: Install integration dependencies + run: | + bash tests/requirements.sh + - name: Run the bats integration tests run: | make bats - - name: Show final AppArmor logs + - name: Show final AppArmor logs and processes security context if: always() run: | sudo aa-log -s --raw + sudo ps auxZ | grep -v '\[.*\]' diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0bae4e0d2..666387d0a 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -186,6 +186,7 @@ @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, @@ -201,7 +202,6 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 385ded540..4c7de6ba5 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,10 +24,10 @@ network netlink raw, # PAM - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.logi1.Manager - member=CreateSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + unix bind type=stream addr=@@{udbus}/bus/sudo/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 7857f9921..8489bb275 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -10,7 +10,7 @@ ptrace read peer=@{p_systemd}, - unix bind type=stream addr=@@{hex16}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/, @{bin}/systemctl mr, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 33c422bb0..9a53d1548 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,6 +7,10 @@ abi , + @{att}/@{run}/systemd/journal/dev-log w, + @{att}/@{run}/systemd/journal/socket w, + + deny /apparmor/.null rw, deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 3e10a94f5..3b5ecaf41 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -33,6 +33,4 @@ @{PROC}/sys/kernel/core_pattern r, - deny /apparmor/.null rw, - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index ee0a16b99..eba12457f 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -7,12 +7,12 @@ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 811787bad..95325d7d3 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -11,12 +11,12 @@ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0bfe96818..870443002 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -7,12 +7,12 @@ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{run}/dbus/system_bus_socket rw, diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 357c06473..bb31a079c 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -36,7 +36,7 @@ dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 8957c4cdd..7dcb187f1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -14,6 +14,11 @@ member={Get,GetAll} peer=(name=org.freedesktop.hostname1), + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 115aefd78..41b08a80b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -4,7 +4,7 @@ abi , - dbus send bus=system path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9e1737a2a..9f611cf3d 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{bin}/** Px, @{lib}/** Px, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 32228f21b..919c53457 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -32,8 +32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { ptrace read peer=@{p_systemd}, - unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system, - unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 19f187cc3..369dd3bbd 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -34,7 +34,9 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (bind) type=stream addr=@@{hex16}/bus/apt/system, + unix bind type=stream addr=@@{udbus}/bus/apt-get/system, + unix bind type=stream addr=@@{udbus}/bus/apt/system, + unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), @@ -43,7 +45,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus/Bus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 6d3e9d408..3c2489a32 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -30,8 +30,9 @@ profile apt-methods-file @{exec_path} { @{lib}/apt/apt-helper rix, - /etc/apt/apt.conf.d/{,*} r, + /etc/apt/apt-mirrors.txt r, /etc/apt/apt.conf r, + /etc/apt/apt.conf.d/{,*} r, /etc/apt/mirrors/* r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 5acecd67a..d8e3adce3 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -28,6 +28,7 @@ profile apt-methods-mirror @{exec_path} { @{exec_path} mr, + /etc/apt/apt-mirrors.txt r, /etc/apt/mirrors/* r, # For shell pwd diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index e4f6b61ea..d0fdad4b7 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-http, - unix type=stream addr=@@{hex16}/bus/unattended-upgr/system, + unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, @{exec_path} mr, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fd9707093..9838ba40b 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=accessibility name=org.a11y.atspi - #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility + #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}" dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 6ef4e44ea..a569a7342 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -33,7 +33,10 @@ profile dbus-system flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + dbus receive bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + peer=(name=@{busname}), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index ab3b2b2fd..f9f9870f8 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 1096594aa..39d5ecccb 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index 61aeaf881..1579115a7 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -18,7 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, - /var/crash/*.crash w, + /var/crash/* w, include if exists } diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 539a2a57d..42758585f 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ffdfe08a0..26a07d8aa 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index ec1633a9e..383360ad4 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f6f4c12aa..e2b1b22d9 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 212898a84..fa1e44d00 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixProcessID - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 089e61744..5e3d3ee78 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @@ -53,6 +53,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 1cb7c9583..931b47509 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -10,9 +10,10 @@ include @{exec_path} = @{bin}/upower profile upower @{exec_path} { include + include + include - # Needed? - audit capability sys_nice, + #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 8d8ae6662..57b17b655 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -47,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -63,8 +63,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, + / r, + @{att}/.flatpak-info r, + owner @{att}/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d4fa3dc1d..ff398f25e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 75ec9517c..3c60c1cf6 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -41,6 +41,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, + / r, owner @{att}/ r, owner @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 441692ded..08cfc840c 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -43,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index b0f5e81a5..6bafb132b 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 4ca2b21b6..59e6df788 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, - unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system, + unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f74afdeac..068469606 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 42c1265ae..babd12c3d 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} - peer=(name=org.freedesktop.DBus label=dbus-session), + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a2dd6d908..7cc739491 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm @@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), # Session bus dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/ interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket @@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/*/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3c2ef3dac..d9b0e5e27 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 51bcf2e10..c7478292c 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index fb7bef34a..10853ea8f 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { / r, + owner @{user_cache_dirs}/glycin/{,**} rw, + @{run}/mount/utab r, @{sys}/fs/cgroup/user.slice/cpu.max r, @@ -51,7 +53,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal (receive) set=(kill) peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-image-rs rix, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index e4990a3e3..890e5b34e 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/dbus interface=org.freedesktop.DBus member=NameHasOwner - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 167e8757c..2fbdfb086 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/dirmngr profile dirmngr @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd index a6eadd904..51ec8b134 100644 --- a/apparmor.d/groups/gpg/keyboxd +++ b/apparmor.d/groups/gpg/keyboxd @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnupg/keyboxd profile keyboxd @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8ac535f16..b92ad8e68 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -25,9 +25,13 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+pnp:* r, + @{run}/udev/data/+serial*:* r, @{run}/udev/data/+usb:* r, + @{run}/udev/data/+vmbus:* r, @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @@ -43,9 +47,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/revision r, - @{sys}/devices/virtual/net/*/ r, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e20ea48b3..de3a180bb 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -47,6 +47,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + dbus send bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher + peer=(name=org.freedesktop.nm_dispatcher), + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects @@ -70,7 +74,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @@ -128,10 +132,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+rfkill:* r, @{run}/udev/data/n@{int} r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, + @{sys}/devices/**/@{uuid}/net/*/{,**} r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/net/{,**} r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 53297493e..989f2ee09 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -12,6 +12,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, @{lib}/netplan/generate rix, @@ -22,21 +24,34 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, - @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, + @{run}/netplan/ r, + + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, + + @{run}/systemd/network/ r, + @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, @{run}/systemd/system/systemd-networkd.service.wants/ rw, @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, + @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{sys}/devices/**/net/*/address r, profile udevadm { include include - @{run}/udev/control rw, + capability net_admin, + + @{att}/@{run}/udev/control rw, + @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, @@ -49,6 +64,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, + @{att}/@{run}/systemd/private rw, + include if exists } diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 27a511dc4..189afd74d 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -11,6 +11,7 @@ profile nm-online @{exec_path} { include include include + include dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index a964ab958..43a9d0dca 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -9,10 +9,14 @@ include @{exec_path} = @{bin}/nmcli profile nmcli @{exec_path} { include + include + include capability dac_read_search, capability sys_nice, + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 7e0422c5a..c9f0c6373 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 05a21d41f..14cbd3c87 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -22,6 +22,7 @@ profile ssh-keygen @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, /tmp/snapd@{int}/*_*{,.pub} w, + /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2f704fb37..b4ecc068e 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -53,7 +53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/sshd/system, + unix (bind) type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index dcb60493e..6516a500c 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -22,7 +22,7 @@ profile busctl @{exec_path} { ptrace (read), - unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl, + unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, signal (send) set=(cont) peer=child-pager, @@ -33,7 +33,7 @@ profile busctl @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl new file mode 100644 index 000000000..aaae97d64 --- /dev/null +++ b/apparmor.d/groups/systemd/homectl @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/homectl +profile homectl @{exec_path} { + include + include + include + include + include + + capability net_admin, + capability sys_resource, + + signal send peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + + @{exec_path} mr, + + @{bin}/pkttyagent rpx, + + @{pager_path} rPx -> child-pager, + + /etc/machine-id r, + + owner @{PROC}/@{pids}/cgroup r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 65e6ed11f..2429d235e 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -10,10 +10,13 @@ include profile hostnamectl @{exec_path} { include include + include include capability net_admin, + unix bind type=stream addr=@@{hex16}/bus/hostnamectl/system, + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index dee55195d..a4bab2be3 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system, + unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd # No label available diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 09d432b2f..039f8dc64 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system, + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index e74280f67..33191171e 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/systemd-cgls profile systemd-cgls @{exec_path} { include + include + include + include capability sys_ptrace, @@ -16,6 +19,8 @@ profile systemd-cgls @{exec_path} { signal send set=cont peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system, + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 5fe748abd..205012cd2 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -35,6 +35,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> @{run}/, mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, + #aa:dbus own bus=system name=org.freedesktop.home1 @{exec_path} mr, @@ -61,6 +63,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, + @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/fs/ r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index a169a59d6..cd77b9826 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -18,14 +18,14 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { network unix stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system, #aa:dbus own bus=system name=org.freedesktop.hostname1 dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/machine-info rw, /etc/os-release r, + @{att}/@{run}/systemd/notify rw, + @{run}/systemd/default-hostname rw, - @{run}/systemd/notify rw, @{run}/udev/data/+dmi:* r, # for motherboard info @{sys}/devices/virtual/dmi/id/ r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 32f02f0d0..205d8a55f 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 @@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/X11/xorg.conf.d/.#*.confd* rw, /etc/X11/xorg.conf.d/*.conf rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 53dd0acf8..f7e0af838 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 @@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @@ -94,10 +94,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/@{int}{,.ref} rw, - @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index abb437f83..d3527c22b 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -13,6 +13,7 @@ profile systemd-modules-load @{exec_path} { include capability net_admin, + capability perfmon, capability sys_module, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index f38564ae1..3eaedfaac 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index e5dce916c..d16c67f7d 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 @@ -24,9 +24,11 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 4f9f965f5..f693cbee4 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -34,15 +34,16 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, + @{att}/@{run}/systemd/notify w, + @{run}/systemd/netif/links/* r, - @{run}/systemd/notify rw, @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e2b6caaa7..e070afe4e 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 @@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, /dev/rtc@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index de544c9d7..b603b2411 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 @@ -34,9 +34,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, + @{att}/@{run}/systemd/notify rw, + @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, - @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, owner @{run}/systemd/timesync/synchronized rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index dae5ae67e..b8a0c7e4c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -21,6 +21,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability fsetid, capability mknod, capability net_admin, + capability perfmon, capability sys_admin, capability sys_module, capability sys_ptrace, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 8703709c4..9d512b495 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} { network netlink raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 84dfb27ee..9c7fe975b 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -25,7 +25,7 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index ce698dc96..c57327bcb 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -30,6 +30,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/machine-id r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/userdb/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index cd0187119..11aad0da3 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -22,9 +22,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_ptrace, - ptrace (read) peer=gnome-shell, - ptrace (read) peer=snap.cups.cupsd, - ptrace (read) peer=tracker-extract, + ptrace read, @{exec_path} mr, @@ -36,6 +34,10 @@ profile apport @{exec_path} flags=(attach_disconnected) { /usr/share/apport/{,**} r, /etc/apport/report-ignore/{,**} r, + /etc/login.defs r, + + /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 36fae9ce3..4ffaf60e0 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -22,7 +22,7 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell @@ -87,7 +87,7 @@ profile update-notifier @{exec_path} { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 627515640..4f73ff985 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -83,6 +83,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/docker/containerd/{,**} rwk, @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, + @{run}/nri/ w, + @{run}/nri/nri.sock rw, @{run}/systemd/notify w, /tmp/cri-containerd.apparmor.d@{int} rwl, @@ -94,12 +96,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, /dev/bsg/ r, /dev/bus/ r, diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index b2c181042..19c0f6902 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -45,6 +45,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit + deny /apparmor/.null rw, include if exists } diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 903e2cb62..27207bdb7 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -41,6 +41,7 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{PROC}/swaps r, # Other possible location of the cache file + /dev/.blkid.tab.old rwl -> /dev/.blkid.tab, /dev/.blkid.tab{,-@{rand6}} rw, /dev/blkid.tab.old rwl -> /dev/blkid.tab, diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 40c5199b3..af7436f39 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -11,6 +11,7 @@ profile cctk @{exec_path} { include include + capability dac_read_search, capability mknod, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index 61885ed4e..f8a2af5c4 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -10,26 +10,20 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include + include include include + include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # gpasswd is a SETUID binary capability setuid, network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pid}/loginuid r, - /etc/shells r, /etc/passwd rw, @@ -44,6 +38,8 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index c374d4685..332c1735c 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/cpuid profile cpuid @{exec_path} { include + include capability mknod, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index b3034dfef..182d9013d 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -29,7 +29,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/journal/socket rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 7f14df0e0..6dfb84452 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -21,10 +21,14 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal send set=kill peer=fractal//bwrap, + @{exec_path} mr, @{open_path} rPx -> child-open-help, + @{bin}/bwrap rCx -> bwrap, + /usr/share/glycin-loaders/{,**} r, /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, @@ -37,6 +41,22 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /dev/ r, + profile bwrap flags=(attach_disconnected) { + include + include + + signal receive set=kill peer=fractal, + + @{bin}/bwrap mr, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 6cee42be9..45b2ccfb4 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -42,7 +42,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/UDisks2/Manager interface=org.freedesktop.UDisks2.Manager diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 2797ae2ba..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,18 +20,22 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount options=(rw, rshared) -> @{run}/netns/, - mount options=(rw, rslave) -> /, + mount fstype=sysfs -> /sys/, + mount options=(rw bind) / -> @{run}/netns/*, + mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf, - mount fstype=sysfs -> /sys/, + mount options=(rw, rshared) -> @{run}/netns/, + mount options=(rw, rslave) -> /, umount @{run}/netns/*, umount /sys/, @{exec_path} mrix, + + # To run command with 'ip netns exec' @{shells_path} rUx, - @{bin}/sudo rPx, + @{bin}/sudo rPx, @{att}/ r, @@ -40,6 +44,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { /usr/share/iproute2/{,**} r, + @{run}/netns/ r, @{run}/netns/* rw, owner @{run}/netns/ rwk, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 3602a1a1e..8f2d53f76 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -28,7 +28,7 @@ profile issue-generator @{exec_path} { /etc/sysconfig/issue-generator r, @{run}/agetty.reload w, - @{run}/issue r, + @{run}/issue rw, @{run}/issue.@{rand10} rw, @{run}/issue.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 6e1a2d07a..63634d788 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -84,6 +84,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, + owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, owner @{tmp}/@{u64} rw, owner @{tmp}/*.tmp/{,**} rwk, diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index cbaac35b7..9b32614a9 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -32,7 +32,7 @@ profile login @{exec_path} flags=(attach_disconnected) { signal (send) set=(hup term), - unix type=stream addr=@@{hex16}/bus/login/system, + unix type=stream addr=@@{udbus}/bus/login/system, ptrace read, diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 3f0fe5d95..b390346bb 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -35,6 +35,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}-@{int}/address r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 0a9e1dc33..5f3912105 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -13,6 +13,8 @@ profile needrestart-apt-pinvoke @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b97c5e9a8..6847476e3 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -43,7 +43,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f332ef21f..a955a9c6d 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pinentry-gnome3 profile pinentry-gnome3 @{exec_path} { include + include include signal (receive) set=(int) peer=gpg-agent, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5bf8fceb8..7e63560ec 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -21,7 +21,7 @@ profile qemu-ga @{exec_path} { ptrace (read) peer=@{p_systemd}, - unix type=stream addr=@@{hex16}/bus/shutdown/system, + unix type=stream addr=@@{udbus}/bus/shutdown/system, #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index ddb62cb5f..d3a88d78a 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -26,7 +26,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 3d33e8a3e..83af575dd 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -25,7 +25,6 @@ profile scrcpy @{exec_path} { @{bin}/adb rPx, /usr/share/scrcpy/{,*} r, - /usr/share/icons/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 912ab1a8b..aa1f6b2b8 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -29,6 +29,7 @@ profile snap @{exec_path} { mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, #aa:dbus own bus=session name=io.snapcraft.Launcher + #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" @@ -41,10 +42,12 @@ profile snap @{exec_path} { @{exec_path} mrix, @{bin}/mount rix, + @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -108,6 +111,9 @@ profile snap @{exec_path} { network unix stream, + owner @{run}/user/@{uid}/systemd/notify rw, + owner @{run}/user/@{uid}/systemd/private rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 3021a1ad7..3ce5bfdd4 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -23,11 +23,17 @@ profile snap-update-ns @{exec_path} { mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, + umount /snap/**, umount /var/lib/dhcp/, + umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, + umount /usr/share/xml/iso-codes/, @{exec_path} mr, + @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, + /usr/share/xml/iso-codes/ w, + /var/lib/snapd/mount/{,*} r, / r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index d51c65d4d..63a1568b5 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -50,7 +50,7 @@ profile snapd @{exec_path} { ptrace (read) peer=snap, ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/systemctl/, + unix (bind) type=stream addr=@@{udbus}/bus/systemctl/, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index e7a3b4946..6d873982b 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} { @{bin}/systemd-detect-virt rPx, @{bin}/apparmor_parser rPx, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index ca9f66d27..1e6748235 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -31,8 +31,6 @@ profile sudo @{exec_path} flags=(attach_disconnected) { signal (send) set=(winch) peer=pacman, signal (send) set=(winch, hup, term) peer=rpm, - unix bind type=stream addr=@@{hex16}/bus/sudo/system/, - @{bin}/@{shells} rUx, @{lib}/** PUx, /opt/*/** PUx, diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 907def2b1..9b47b4df2 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync @@ -13,9 +13,8 @@ profile sync @{exec_path} { @{exec_path} mr, - # Common paths where sync is used to flush all write operations on a single file to disk - # TODO: /** rw, ? - /boot/initrd-*-default rw, + # All paths where sync can be used to flush all write operations on a single file to disk + /{,**} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b89d9c72f..9155adf84 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -67,7 +67,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @@ -113,9 +113,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+vmbus:* r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @@ -128,6 +130,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop@{int}/uevent rw, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 42ab87607..d27a34207 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -53,9 +53,10 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/** wl, + @{HOME}/**/ r, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, + /etc/skel/{,.**} r, profile pam_tally2 { include diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index 56b89fa2a..4d75a70ed 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -17,7 +17,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, - @{att}/@{run}/uuidd/request w, + @{run}/uuidd/request rw, + @{att}/@{run}/uuidd/request rw, include if exists } diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index 3745015c1..b23a7bc23 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -24,7 +24,7 @@ profile w @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/@{int} r, + @{run}/systemd/sessions/* r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index a24cefc01..2d1fccb32 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -11,4 +11,9 @@ @{p_systemd}=unconfined @{p_systemd_user}=unconfined +# Name of the dbus daemon profiles +@{p_dbus_system}=dbus-system +@{p_dbus_session}=dbus-session +@{p_dbus_accessibility}=dbus-accessibility + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0dc816899..78bb73b03 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -122,6 +122,9 @@ # Dbus unique name @{busname}=:1.@{u16} :not.active.yet +# Unix dbus address prefix +@{udbus}=@{hex15} @{hex16} + # Universally unique identifier @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} diff --git a/debian/rules b/debian/rules index 6e7d2d6e4..a30a693df 100755 --- a/debian/rules +++ b/debian/rules @@ -8,3 +8,6 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: + +# do not run 'make check' by default as it can be long for dev package +override_dh_auto_test: diff --git a/docs/development/directives.md b/docs/development/directives.md index 53c7e7dcd..841bc6608 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md @@ -140,7 +140,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho include capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index f207e58a2..fad901581 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.: dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), ``` If there is no predictable label it can be omitted. diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats new file mode 100644 index 000000000..f66eb1f97 --- /dev/null +++ b/tests/bats/chsh.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=chsh +@test "chsh: [l]ist available shells" { + chsh --list-shells || true + aa_check +} + +# bats test_tags=chsh +@test "chsh: Set a specific login [s]hell for the current user" { + echo "$PASSWORD" | chsh --shell /usr/bin/bash + aa_check +} + +# bats test_tags=chsh +@test "chsh: Set a login [s]hell for a specific user" { + sudo chsh --shell /usr/bin/sh root + aa_check +} diff --git a/tests/bats/common.bash b/tests/bats/common.bash index c08d13758..f99c3c197 100644 --- a/tests/bats/common.bash +++ b/tests/bats/common.bash @@ -6,6 +6,9 @@ export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats} load "$BATS_LIB_PATH/bats-support/load" +# User password for sudo commands +export PASSWORD=${PASSWORD:-user} + export XDG_CACHE_DIR=".cache" export XDG_CONFIG_DIR=".config" export XDG_DATA_DIR=".local/share" @@ -100,7 +103,7 @@ aa_check() { local now duration logs now=$(date +%s) - duration=$((now - _START + 2)) + duration=$((now - _START + 1)) logs=$(aa-log --raw --systemd --since "-${duration}s") if [[ -n "$logs" ]]; then fail "profile $PROGRAM raised logs: $logs" diff --git a/tests/bats/cpuid.bats b/tests/bats/cpuid.bats new file mode 100644 index 000000000..1b1226e2b --- /dev/null +++ b/tests/bats/cpuid.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=cpuid +@test "cpuid: Display information for all CPUs" { + cpuid + aa_check +} + +# bats test_tags=cpuid +@test "cpuid: Display information only for the current CPU" { + cpuid -1 + aa_check +} + +# bats test_tags=cpuid +@test "cpuid: Display raw hex information with no decoding" { + cpuid -r + aa_check +} diff --git a/tests/bats/df.bats b/tests/bats/df.bats index be2843213..ea9d3f44f 100644 --- a/tests/bats/df.bats +++ b/tests/bats/df.bats @@ -21,6 +21,12 @@ setup_file() { aa_check } +# bats test_tags=df +@test "df: Display the filesystem and its disk usage containing the given file or directory" { + df apparmor.d/ + aa_check +} + # bats test_tags=df @test "df: Include statistics on the number of free inodes" { df --inodes diff --git a/tests/bats/dfc.bats b/tests/bats/dfc.bats new file mode 100644 index 000000000..8a1d18918 --- /dev/null +++ b/tests/bats/dfc.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=dfc +@test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { + dfc + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { + dfc -a + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display filesystems without color" { + dfc -c never + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display filesystems containing "ext" in the filesystem type" { + dfc -t ext + aa_check +} diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats new file mode 100644 index 000000000..2ce622147 --- /dev/null +++ b/tests/bats/homectl.bats @@ -0,0 +1,59 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup + skip +} + +# bats test_tags=homectl +@test "homectl: Display help" { + homectl --no-pager --help + aa_check +} + +# bats test_tags=homectl +@test "homectl: Create a user account and their associated home directory" { + sudo homectl create user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: List user accounts and their associated home directories" { + homectl list + aa_check +} + +# bats test_tags=homectl +@test "homectl: Change the password for a specific user" { + sudo homectl passwd user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: Run a shell or a command with access to a specific home directory" { + sudo homectl with user2 -- ls -al /home/user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: Lock or unlock a specific home directory" { + sudo homectl lock user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" { + sudo homectl resize user2 1G + aa_check +} + +# bats test_tags=homectl +@test "homectl: Remove a specific user and the associated home directory" { + sudo homectl remove user2 + aa_check +} diff --git a/tests/bats/hostnamectl.bats b/tests/bats/hostnamectl.bats new file mode 100644 index 000000000..dd4102575 --- /dev/null +++ b/tests/bats/hostnamectl.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup() { + aa_setup +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Get the hostname of the computer" { + hostnamectl +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Get the location of the computer" { + hostnamectl location +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Set the hostname of the computer" { + name=$(hostnamectl hostname) + sudo hostnamectl set-hostname "new" + sudo hostnamectl set-hostname "$name" +} diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 980495d2d..47f16ccde 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats @@ -15,15 +15,9 @@ setup_file() { aa_check } -# bats test_tags=ip -@test "ip: List interfaces with brief network layer info" { - ip -brief address - aa_check -} - # bats test_tags=ip @test "ip: List interfaces with brief link layer info" { - ip -brief link + ip link aa_check } @@ -39,3 +33,13 @@ setup_file() { aa_check } +# bats test_tags=ip +@test "ip: Manage network namespace" { + sudo ip netns add foo + sudo ip netns list + sudo ip netns exec foo bash -c "pwd" + sudo ip netns delete foo + aa_check +} + + diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats new file mode 100644 index 000000000..8f646d89e --- /dev/null +++ b/tests/bats/lsusb.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=lsusb +@test "lsusb: List all the USB devices available" { + lsusb || true + aa_check +} + +# bats test_tags=lsusb +@test "lsusb: List the USB hierarchy as a tree" { + lsusb -t || true + aa_check +} + +# bats test_tags=lsusb +@test "lsusb: List verbose information about USB devices" { + lsusb --verbose || true + aa_check +} diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats index a54dda828..ef6a292da 100644 --- a/tests/bats/snap.bats +++ b/tests/bats/snap.bats @@ -7,7 +7,6 @@ load common setup_file() { aa_setup - skip } # bats test_tags=snap diff --git a/tests/bats/sync.bats b/tests/bats/sync.bats new file mode 100644 index 000000000..fba657ff7 --- /dev/null +++ b/tests/bats/sync.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=sync +@test "sync: Flush all pending write operations on all disks" { + sync + aa_check +} + +# bats test_tags=sync +@test "sync: Flush all pending write operations on a single file to disk" { + sudo sync / + aa_check +} diff --git a/tests/bats/systemd-ac-power.bats b/tests/bats/systemd-ac-power.bats new file mode 100644 index 000000000..78f68d13a --- /dev/null +++ b/tests/bats/systemd-ac-power.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-ac-power +@test "systemd-ac-power: Report whether we are connected to an external power source." { + systemd-ac-power || true + aa_check +} + +# bats test_tags=systemd-ac-power +@test "systemd-ac-power: Check if battery is discharging and low" { + systemd-ac-power --low || true + aa_check +} + diff --git a/tests/bats/systemd-analyze.bats b/tests/bats/systemd-analyze.bats new file mode 100644 index 000000000..3f6144a78 --- /dev/null +++ b/tests/bats/systemd-analyze.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: List all running units, ordered by the time they took to initialize" { + systemd-analyze --no-pager blame + aa_check +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: Print a tree of the time-critical chain of units" { + systemd-analyze --no-pager critical-chain + aa_check +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: Show security scores of running units" { + systemd-analyze --no-pager security + aa_check +} + diff --git a/tests/bats/systemd-cat.bats b/tests/bats/systemd-cat.bats new file mode 100644 index 000000000..595a6002d --- /dev/null +++ b/tests/bats/systemd-cat.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-cat +@test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { + systemd-cat pwd + aa_check +} + +# bats test_tags=systemd-cat +@test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" { + echo apparmor.d-test-suite | systemd-cat + aa_check +} diff --git a/tests/bats/systemd-cgls.bats b/tests/bats/systemd-cgls.bats new file mode 100644 index 000000000..b5bb89de6 --- /dev/null +++ b/tests/bats/systemd-cgls.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display the whole control group hierarchy on your system" { + systemd-cgls --no-pager + aa_check +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display a control group tree of a specific resource controller" { + systemd-cgls --no-pager io + aa_check +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { + systemd-cgls --no-pager --unit systemd-logind + aa_check +} + diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats new file mode 100644 index 000000000..9a9def4da --- /dev/null +++ b/tests/bats/systemd-id128.bats @@ -0,0 +1,35 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Generate a new random identifier" { + systemd-id128 new + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current machine" { + systemd-id128 machine-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current boot" { + systemd-id128 boot-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { + systemd-id128 new --uuid + aa_check +} + diff --git a/tests/bats/systemd-sysusers.bats b/tests/bats/systemd-sysusers.bats new file mode 100644 index 000000000..f4230d6b6 --- /dev/null +++ b/tests/bats/systemd-sysusers.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { + systemd-sysusers --cat-config + aa_check +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { + systemd-sysusers --dry-run + aa_check +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Create users and groups from all configuration file" { + sudo systemd-sysusers + aa_check +} diff --git a/tests/bats/upower.bats b/tests/bats/upower.bats new file mode 100644 index 000000000..73afc18e6 --- /dev/null +++ b/tests/bats/upower.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=upower +@test "upower: Display power and battery information" { + upower --dump + aa_check +} + +# bats test_tags=upower +@test "upower: List all power devices" { + upower --enumerate + aa_check +} + +# bats test_tags=upower +@test "upower: Display version" { + upower --version + aa_check +} + diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats new file mode 100644 index 000000000..833e01606 --- /dev/null +++ b/tests/bats/useradd.bats @@ -0,0 +1,49 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=useradd +@test "useradd: Create a new user with the specified shell" { + sudo useradd --shell /bin/bash --create-home user2 + aa_check +} + +# bats test_tags=useradd +@test "useradd: Create a new user with the specified user ID" { + sudo useradd --uid 3000 user3 + aa_check +} + +# bats test_tags=useradd +@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { + sudo useradd --groups adm user4 + aa_check +} + + +# bats test_tags=useradd +@test "useradd: Create a new system user without the home directory" { + sudo useradd --system sys2 + aa_check +} + +# bats test_tags=userdel +@test "userdel: Remove a user" { + sudo userdel user3 + sudo userdel user4 + sudo userdel sys2 + aa_check +} + +# bats test_tags=userdel +@test "userdel: Remove a user along with the home directory and mail spool" { + sudo userdel --remove user2 + aa_check +} diff --git a/tests/bats/userdbctl.bats b/tests/bats/userdbctl.bats new file mode 100644 index 000000000..6169de44b --- /dev/null +++ b/tests/bats/userdbctl.bats @@ -0,0 +1,41 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=userdbctl +@test "userdbctl: List all known user records" { + userdbctl --no-pager user + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: Show details of a specific user" { + userdbctl --no-pager user "$USER" + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: List all known groups" { + userdbctl --no-pager group + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: Show details of a specific group" { + sudo userdbctl --no-pager group "$USER" + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: List all services currently providing user/group definitions to the system" { + userdbctl --no-pager services + aa_check +} + diff --git a/tests/bats/uuidd.bats b/tests/bats/uuidd.bats new file mode 100644 index 000000000..e13653e3e --- /dev/null +++ b/tests/bats/uuidd.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=uuidd +@test "uuidd: Generate a random UUID" { + uuidd --random + aa_check +} + +# bats test_tags=uuidd +@test "uuidd: Generate a bulk number of random UUIDs" { + uuidd --random --uuids 10 + aa_check +} + +# bats test_tags=uuidd +@test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { + uuidd --time + aa_check +} + diff --git a/tests/bats/w.bats b/tests/bats/w.bats new file mode 100644 index 000000000..7f358aac7 --- /dev/null +++ b/tests/bats/w.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=w +@test "w: Display information about all users who are currently logged in" { + w + aa_check +} + +# bats test_tags=w +@test "w: Display information about a specific user" { + w root + aa_check +} diff --git a/tests/github.local b/tests/github.local new file mode 100644 index 000000000..b4119bc56 --- /dev/null +++ b/tests/github.local @@ -0,0 +1,9 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Local tunables addition for bats integration tests on Github Action + +@{p_dbus_system}+=unconfined +@{p_dbus_session}+=unconfined +@{p_dbus_accessibility}+=unconfined diff --git a/tests/requirements.sh b/tests/requirements.sh new file mode 100644 index 000000000..c12f9249c --- /dev/null +++ b/tests/requirements.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Dependencies for the bats integration tests + +set -eu + +# shellcheck source=/dev/null +_lsb_release() { + . /etc/os-release || exit 1 + echo "$ID" +} +DISTRIBUTION="$(_lsb_release)" + +case "$DISTRIBUTION" in +arch) + ;; +debian | ubuntu | whonix) + sudo apt-get install -y \ + cpuid dfc systemd-userdbd systemd-homed tlp + ;; +opensuse*) + ;; +*) ;; +esac