feat: profiles and integration tests improvments.

Add the udbus variable to be used in `unix bind` rule for dbus.
roddhjav · Nov 19, 2024 · 4e5f4cb · 4e5f4cb
1 parent b4bcb2f
commit 4e5f4cb
Show file tree

Hide file tree

Showing 43 changed files with 81 additions and 47 deletions.
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
@@ -24,10  24,10 @@
 
   network netlink raw,   # PAM
 
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.logi1.Manager
-       member=CreateSession
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
   unix bind type=stream addr=@@{udbus}/bus/sudo/system,
 
   #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
   #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 
   dbus (send receive) bus=session path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd.Manager

diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl
@@ -10,7  10,7 @@
 
   ptrace read peer=@{p_systemd},
 
-  unix bind type=stream addr=@@{hex16}/bus/systemctl/,
   unix bind type=stream addr=@@{udbus}/bus/systemctl/,
 
   @{bin}/systemctl mr,
 

diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base
@@ -7,8  7,10 @@
 
   abi <abi/4.0>,
 
   @{att}/@{run}/systemd/journal/dev-log w,
   @{att}/@{run}/systemd/journal/socket w,
 
   deny /apparmor/.null rw,
   deny @{att}/apparmor/.null rw,
 
   include if exists <abstractions/attached/base.d>

diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
@@ -32,8  32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 
   ptrace read peer=@{p_systemd},
 
-  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
-  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
   unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
   unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
 
   #aa:dbus own bus=session name=org.freedesktop.systemd1
 

diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
@@ -34,7  34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 
   signal (send) peer=apt-methods-*,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/apt/system,
   unix (bind) type=stream addr=@@{udbus}/bus/apt/system,
   unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
   unix (send, receive) type=stream peer=(label=snapd),
 

diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
@@ -33,7  33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   signal (send) peer=apt-methods-http,
 
-  unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
   unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
@@ -33,7  33,7 @@ profile dbus-system flags=(attach_disconnected) {
 
   ptrace (read) peer=@{p_systemd},
 
-  #aa:dbus own bus=system name=org.freedesktop.DBus
   #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
 
   @{exec_path} mrix,
 

diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
@@ -47,7  47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   signal (send) set=hup peer=xorg,
   signal (send) set=hup peer=xwayland,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system,
   unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
 
   #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
 

diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
@@ -25,9  25,13 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
   @{run}/udev/data/ acpi:* r,             # for acpi
   @{run}/udev/data/ pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
   @{run}/udev/data/ platform:* r,
   @{run}/udev/data/ pnp:* r,
   @{run}/udev/data/ serial*:* r,
   @{run}/udev/data/ usb:* r,
   @{run}/udev/data/ vmbus:* r,
   @{run}/udev/data/c16[6,7]:@{int} r,     # USB modems
   @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
   @{run}/udev/data/c4:@{int} r,           # for /dev/tty[0-9]*
@@ -43,9  47,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/tty/ r,
   @{sys}/class/wwan/ r,
 
-  @{sys}/devices/**/uevent r,
   @{sys}/devices/@{pci}/revision r,
-  @{sys}/devices/virtual/net/*/ r,
   @{sys}/devices/**/net/*/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/virtual/tty/*/ r,
 
   include if exists <local/ModemManager>

diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
@@ -47,6  47,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
   #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
 
   dbus send bus=system path=/org/freedesktop/nm_dispatcher
        interface=org.freedesktop.nm_dispatcher
        peer=(name=org.freedesktop.nm_dispatcher),
 
   dbus receive bus=system path=/org/freedesktop
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
@@ -128,10  132,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/ rfkill:* r,
   @{run}/udev/data/n@{int} r,
 
-  @{sys}/devices/**/uevent r,
-  @{sys}/devices/virtual/net/{,**} r,
   @{sys}/devices/@{pci}/net/*/{,**} r,
   @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r,
   @{sys}/devices/**/@{uuid}/net/*/{,**} r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/virtual/net/{,**} r,
 
         @{PROC}/@{pids}/stat r,
         @{PROC}/1/environ r,

diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
@@ -12,6  12,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 
   network netlink raw,
 
   @{exec_path} mr,
 
   @{lib}/netplan/generate  rix,
@@ -22,15  24,25 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 
   /etc/netplan/{,*} r,
 
-  @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
   @{run}/netplan/ r,
 
   @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw,
   @{run}/NetworkManager/system-connections/ rw,
   @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
 
   @{run}/systemd/network/ r,
   @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
   @{run}/systemd/system/ r,
   @{run}/systemd/system/netplan-* rw,
   @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
   @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
   @{run}/systemd/system/systemd-networkd.service.wants/ rw,
   @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
 
   @{run}/udev/rules.d/ r,
-  @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,
   @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
 
   @{sys}/devices/**/net/*/address r,
 
   profile udevadm {
     include <abstractions/base>

diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online
@@ -11,6  11,7 @@ profile nm-online @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/consoles>
 
   dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
        interface=org.freedesktop.NetworkManager.Connection.Active

diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli
@@ -9,10  9,14 @@ include <tunables/global>
 @{exec_path} = @{bin}/nmcli
 profile nmcli @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/consoles>
 
   capability dac_read_search,
   capability sys_nice,
 
   #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
 
   @{exec_path} mr,
 
   @{pager_path}          rPx -> child-pager,

diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen
@@ -22,6  22,7 @@ profile ssh-keygen @{exec_path} {
   owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,
 
   /tmp/snapd@{int}/*_*{,.pub} w,
   /tmp/snapd@{int}/*.key{,.pub} w,
 
   /dev/tty@{int} rw,
   /dev/ttyS@{int} rw,

diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
@@ -53,7  53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read,trace) peer=@{p_systemd},
 
-  unix (bind) type=stream addr=@@{hex16}/bus/sshd/system,
   unix (bind) type=stream addr=@@{udbus}/bus/sshd/system,
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager

diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
@@ -22,7  22,7 @@ profile busctl @{exec_path} {
 
   ptrace (read),
 
-  unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl,
   unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl,
 
   signal (send) set=(cont) peer=child-pager,
 

diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
@@ -10,6  10,7 @@ include <tunables/global>
 profile hostnamectl @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/consoles>
 
   capability net_admin,

diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
@@ -24,7  24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read) peer=@{p_systemd},
 
-  unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system,
   unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system,
 
   #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
   # No label available

diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
@@ -22,7  22,7 @@ profile systemd-analyze @{exec_path} {
 
   signal (send) peer=child-pager,
 
-  unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system,
   unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system,
 
   #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
 

diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls
@@ -19,7  19,7 @@ profile systemd-cgls @{exec_path} {
 
   signal send set=cont peer=child-pager,
 
-  unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system,
   unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system,
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
@@ -35,6  35,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
   mount options=(rw, rslave) -> @{run}/,
   mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,
 
   unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system,
 
   #aa:dbus own bus=system name=org.freedesktop.home1
 
   @{exec_path} mr,
@@ -61,6  63,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/home/{,**} rw,
   @{run}/systemd/userdb/io.systemd.home r,
   @{run}/systemd/user-home-mount/{,**} rw,
   @{run}/systemd/notify w,
 
   @{sys}/bus/ r,
   @{sys}/fs/ r,

diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -18,7  18,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 
   network unix stream,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system,
 
   #aa:dbus own bus=system name=org.freedesktop.hostname1
 

diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
@@ -14,7  14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/common/systemd>
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system,
 
   #aa:dbus own bus=system name=org.freedesktop.locale1
 

diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
@@ -29,7  29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 
   mqueue r type=posix /,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system,
 
   #aa:dbus own bus=system name=org.freedesktop.login1
 

diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
@@ -27,7  27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
   network packet dgram,
   network packet raw,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network,
 
   #aa:dbus own bus=system name=org.freedesktop.network1
 

diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
@@ -15,7  15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   capability dac_override,
   capability kill,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
 
   #aa:dbus own bus=system name=org.freedesktop.oom1
 

diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
@@ -15,7  15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 
   capability sys_time,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system,
 
   #aa:dbus own bus=system name=org.freedesktop.timedate1
 

diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -21,7  21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   network inet stream,
   network inet6 stream,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync,
   unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),
 
   #aa:dbus own bus=system name=org.freedesktop.timesync1

diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp
@@ -17,7  17,7 @@ profile systemd-update-utmp @{exec_path} {
 
   network netlink raw,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/,
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -25,7  25,7 @@ profile systemd-user-runtime-dir @{exec_path} {
   mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
   umount @{run}/user/@{uid}/,
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system,
 
   @{exec_path} mr,
 

diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
@@ -22,7  22,7 @@ profile update-notifier @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
   unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
 
   #aa:dbus talk bus=system name=org.debian.apt label=apt
   #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
@@ -87,7  87,7 @@ profile update-notifier @{exec_path} {
     include <abstractions/app/systemctl>
     include <abstractions/bus-system>
 
-    unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system,
     unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system,
 
     dbus send bus=system path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd1.Manager

diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
@@ -32,7  32,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 
   signal (send) set=(hup term),
 
-  unix type=stream addr=@@{hex16}/bus/login/system,
   unix type=stream addr=@@{udbus}/bus/login/system,
 
   ptrace read,
 

diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@@ -13,6  13,8 @@ profile needrestart-apt-pinvoke @{exec_path} {
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/consoles>
 
   capability dac_read_search,
 
   @{exec_path} mr,
 
   @{sh_path}              rix,

diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
@@ -21,7  21,7 @@ profile qemu-ga @{exec_path} {
 
   ptrace (read) peer=@{p_systemd},
 
-  unix type=stream addr=@@{hex16}/bus/shutdown/system,
   unix type=stream addr=@@{udbus}/bus/shutdown/system,
 
   #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind