Add more integration tests

.github/workflows/main.yml

@@ -3,8 +3,19 @@ name: Ubuntu
 on: [push, pull_request, workflow_dispatch]
 
 jobs:
+  check:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - name: Run basic profile linter check
+        run: |
+          make check
+
   build:
     runs-on: ${{ matrix.os }}
+    needs: check
     strategy:
       matrix:
         os:
@@ -89,11 +100,36 @@ jobs:
           sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
           sudo systemctl restart apparmor.service
 
+      - name: Restart some services to ensure they are confined
+        run: |
+          services=(
+            containerd cron
+            dbus docker
+            ModemManager multipathd
+            networkd-dispatcher
+            packagekit polkit
+            snapd
+            systemd-journald systemd-hostnamed systemd-logind systemd-networkd
+            systemd-resolved systemd-udevd
+            udisks2
+          )
+          sudo systemctl daemon-reload
+          for service in "${services[@]}"; do
+            sudo systemctl restart "$service" || systemctl status "$service.service" || true
+          done
+          sudo ps auxZ | grep -v '\[.*\]'
+          sudo aa-log -s --raw
+
+      - name: Install integration dependencies
+        run: |
+          bash tests/requirements.sh
+
       - name: Run the bats integration tests
         run: |
           make bats
 
-      - name: Show final AppArmor logs
+      - name: Show final AppArmor logs and processes security context
         if: always()
         run: |
           sudo aa-log -s --raw
+          sudo ps auxZ | grep -v '\[.*\]'

apparmor.d/abstractions/app/chromium

@@ -186,6 +186,7 @@
         @{PROC}/ r,
         @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/statm r,
         @{PROC}/@{pid}/task/@{tid}/status r,
         @{PROC}/pressure/{memory,cpu,io} r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
@@ -201,7 +202,6 @@
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/oom_{,score_}adj rw,
   owner @{PROC}/@{pid}/setgroups w,
-  owner @{PROC}/@{pid}/statm r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,

apparmor.d/abstractions/app/sudo

@@ -24,10 +24,10 @@
 
   network netlink raw,   # PAM
 
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.logi1.Manager
-       member=CreateSession
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+  unix bind type=stream addr=@@{udbus}/bus/sudo/system,
+
+  #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 
   dbus (send receive) bus=session path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd.Manager

apparmor.d/abstractions/app/systemctl

@@ -10,7 +10,7 @@
 
   ptrace read peer=@{p_systemd},
 
-  unix bind type=stream addr=@@{hex16}/bus/systemctl/,
+  unix bind type=stream addr=@@{udbus}/bus/systemctl/,
 
   @{bin}/systemctl mr,
 

apparmor.d/abstractions/attached/base

@@ -7,6 +7,10 @@
 
   abi <abi/4.0>,
 
+  @{att}/@{run}/systemd/journal/dev-log w,
+  @{att}/@{run}/systemd/journal/socket w,
+
+  deny /apparmor/.null rw,
   deny @{att}/apparmor/.null rw,
 
   include if exists <abstractions/attached/base.d>

apparmor.d/abstractions/base.d/complete

@@ -33,6 +33,4 @@
 
   @{PROC}/sys/kernel/core_pattern r,
 
-  deny /apparmor/.null rw,
-
 # vim:syntax=apparmor

apparmor.d/abstractions/bus-accessibility

@@ -7,12 +7,12 @@
   dbus send bus=accessibility path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
   dbus send bus=accessibility path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
   owner @{run}/user/@{uid}/at-spi/ rw,
   owner @{run}/user/@{uid}/at-spi/bus rw,

apparmor.d/abstractions/bus-session

@@ -11,12 +11,12 @@
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,

apparmor.d/abstractions/bus-system

@@ -7,12 +7,12 @@
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{run}/dbus/system_bus_socket rw,
 

apparmor.d/abstractions/bus/org.a11y

@@ -36,7 +36,7 @@
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus
        member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
 
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus

apparmor.d/abstractions/bus/org.freedesktop.hostname1

@@ -14,6 +14,11 @@
        member={Get,GetAll}
        peer=(name=org.freedesktop.hostname1),
 
+  dbus receive bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
+
   include if exists <abstractions/bus/org.freedesktop.hostname1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.systemd1

@@ -4,7 +4,7 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/systemd1
+  dbus send bus=system path=/org/freedesktop/systemd1{,/**}
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll}
        peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

apparmor.d/groups/_full/systemd

@@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{bin}/**                         Px,
   @{lib}/**                         Px,

apparmor.d/groups/_full/systemd-user

@@ -32,8 +32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 
   ptrace read peer=@{p_systemd},
 
-  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
-  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
+  unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
+  unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
 
   #aa:dbus own bus=session name=org.freedesktop.systemd1
 

apparmor.d/groups/apt/apt

@@ -34,7 +34,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 
   signal (send) peer=apt-methods-*,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/apt/system,
+  unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
+  unix bind type=stream addr=@@{udbus}/bus/apt/system,
+
   unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
   unix (send, receive) type=stream peer=(label=snapd),
 
@@ -43,7 +45,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus/Bus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   dbus send bus=system
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/apt/apt-methods-file

@@ -30,8 +30,9 @@ profile apt-methods-file @{exec_path} {
 
   @{lib}/apt/apt-helper rix,
 
-  /etc/apt/apt.conf.d/{,*} r,
+  /etc/apt/apt-mirrors.txt r,
   /etc/apt/apt.conf r,
+  /etc/apt/apt.conf.d/{,*} r,
   /etc/apt/mirrors/* r,
 
   /usr/share/dpkg/cputable r,

apparmor.d/groups/apt/apt-methods-mirror

@@ -28,6 +28,7 @@ profile apt-methods-mirror @{exec_path} {
 
   @{exec_path} mr,
 
+  /etc/apt/apt-mirrors.txt r,
   /etc/apt/mirrors/* r,
 
   # For shell pwd

apparmor.d/groups/apt/unattended-upgrade

@@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   signal (send) peer=apt-methods-http,
 
-  unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
+  unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
 
   @{exec_path} mr,
 

apparmor.d/groups/bus/at-spi2-registryd

@@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
   signal receive set=hup  peer=gdm-session-worker,
 
   #aa:dbus own bus=accessibility name=org.a11y.atspi
-  #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
+  #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}"
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/bus/dbus-system

@@ -33,7 +33,10 @@ profile dbus-system flags=(attach_disconnected) {
 
   ptrace (read) peer=@{p_systemd},
 
-  #aa:dbus own bus=system name=org.freedesktop.DBus
+  #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
+  dbus receive bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       peer=(name=@{busname}),
 
   @{exec_path} mrix,
 

apparmor.d/groups/bus/ibus-engine-simple

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/attached/consoles>
   include <abstractions/bus-session>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/ibus>
@@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
   owner @{desktop_config_dirs}/ibus/bus/ r,
   owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
 
-  owner /dev/tty@{int} rw,
-
   include if exists <local/ibus-engine-simple>
 }
 

apparmor.d/groups/bus/ibus-x11

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,ibus/}ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/attached/consoles>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
@@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/ibus/bus/ r,
   owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
 
-  owner /dev/tty@{int} rw,
-
   include if exists <local/ibus-x11>
 }
 

apparmor.d/groups/cron/cron-apport

@@ -18,7 +18,7 @@ profile cron-apport @{exec_path} {
 
   / r,
   /var/crash/ r,
-  /var/crash/*.crash w,
+  /var/crash/* w,
 
   include if exists <local/cron-apport>
 }

apparmor.d/groups/freedesktop/accounts-daemon

@@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/colord

@@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mrix,
 

apparmor.d/groups/freedesktop/geoclue

@@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/pipewire

@@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/freedesktop/pipewire-media-session

@@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} {
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixProcessID
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/freedesktop/polkitd

@@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
   @{exec_path} mr,
 
@@ -53,6 +53,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
         /var/lib/polkit{,-1}/localauthority/{,**} r,
   owner /var/lib/polkit{,-1}/.cache/ rw,
 
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
+
   @{run}/systemd/sessions/* r,
   @{run}/systemd/users/@{uid} r,
 

apparmor.d/groups/freedesktop/upower

@@ -10,9 +10,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/upower
 profile upower @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/consoles>
 
-  # Needed?
-  audit capability sys_nice,
+  #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd
 
   @{exec_path} mr,