Regression: session names #634

Closed
wants to merge 76 commits into from
76 commits
f1118cd
Create profile_check.py
nobody43 Nov 18, 2024
46c5381
Update profile_check.py
nobody43 Nov 18, 2024
59d7980
polishing
nobody43 Nov 19, 2024
c9b1dde
Update profile_check.py
nobody43 Nov 22, 2024
93085ec
Update profile_check.py
nobody43 Nov 23, 2024
f75fa9a
fix exec_path bug, ignore skipable files
nobody43 Nov 23, 2024
784fe5f
feat(profile): small profile update.
roddhjav Nov 11, 2024
c6064a7
tests(integration): add more tests.
roddhjav Oct 22, 2024
d40b112
fix(test): minor fixes.
roddhjav Oct 22, 2024
d85416e
feat(profile): update systemd profiles.
roddhjav Nov 12, 2024
06dd90b
feat(abs): cover more commonly attached path.
roddhjav Nov 12, 2024
771673c
feat(profile): update some core profiles.
roddhjav Nov 12, 2024
245e26f
feat(profile): fractal uses bwrap for loading image.
roddhjav Nov 12, 2024
9aca449
tests: add more integration tests for core tools.
roddhjav Nov 12, 2024
562fcc8
tests(ci): install integration tests requirements.
roddhjav Nov 12, 2024
b30d077
feat(profile): improve support for some profiles.
roddhjav Nov 12, 2024
469677e
feat(profile): add homectl.
roddhjav Nov 12, 2024
93ade22
fix(profile): linting issue.
roddhjav Nov 12, 2024
9ddfc9e
build(debian): disable make check by default on pkg build.
roddhjav Nov 12, 2024
72f75b9
feat(profile): small profile improvements.
roddhjav Nov 13, 2024
349ca76
feat(tunable): add p_dbus_* variables.
roddhjav Nov 13, 2024
b36a980
ci(github): set local tunable for github actions.
roddhjav Nov 13, 2024
c536794
fix(profile): ensure useradd can fully populate the skeleton.
roddhjav Nov 13, 2024
1467c2c
fix(profile): minor fixes.
roddhjav Nov 13, 2024
87f6c11
feat: profiles and integration tests improvements.
roddhjav Nov 19, 2024
a6225df
ci(github): restart some services to ensure they are confined.
roddhjav Nov 19, 2024
57aa1b7
fix(profile): minor improvement to ensure tests pass.
roddhjav Nov 19, 2024
d48ef02
ci(github): split the final step in two.
roddhjav Nov 19, 2024
7c96657
fix: missing @{udbus} in unix bind.
roddhjav Nov 19, 2024
971d9da
tests: cleanup the basic structure of integration tests.
roddhjav Nov 19, 2024
0720a67
tests: cleanup the basic structure of integration tests.
roddhjav Nov 19, 2024
6dfa033
Update sysctl
odomingao Nov 18, 2024
e00c151
fix(ci): remove forced color from github action.
roddhjav Nov 19, 2024
0c6d888
fix(tests): missing sudo in ip integration test.
roddhjav Nov 19, 2024
e266638
fix(profile): dhcpcd executes resolvconf
roddhjav Nov 19, 2024
1dad5ab
feat(abs): vulkan allow write access to builtin_shaders.
roddhjav Nov 19, 2024
3c75243
feat(abs): add the wine abstraction.
roddhjav Nov 19, 2024
354f6ee
tests: remove hanged test
roddhjav Nov 19, 2024
1d41890
feat(profile): general update.
roddhjav Nov 19, 2024
5840e59
tests: enable the homectl tests.
roddhjav Nov 19, 2024
97f4c51
tests: add dmesg.bats
roddhjav Nov 20, 2024
9711d43
tests: ensure systemd-homed is started before the homectl test.
roddhjav Nov 20, 2024
c4b42f1
tests: add fwupdmgr.bats
roddhjav Nov 20, 2024
30860ad
tests: add groupmod.
roddhjav Nov 20, 2024
70497e7
fix(tests): ensure fwupdmgr don't fail even if the target does not su…
roddhjav Nov 21, 2024
4fe13bc
feat(profile): add fc-match & fc-pattern.
roddhjav Nov 21, 2024
ae13890
test(integration): add sysctl.
roddhjav Nov 21, 2024
25bd355
feat(profile): add needrestart-vmlinuz-get-version & tests for needre…
roddhjav Nov 21, 2024
17fe134
fix(tunable): udbus can be any hex up to 16.
roddhjav Nov 21, 2024
64b8cf4
fix(integration): disable needrestart test due to upstream issue.
roddhjav Nov 21, 2024
1ad6091
feat(abs): add abstraction/webkit.
roddhjav Nov 21, 2024
2f70940
feat(profile): add profile for tecla.
roddhjav Nov 21, 2024
9e791de
feat(profile): general update.
roddhjav Nov 21, 2024
c7955ca
feat(tunable): unify some XDG and user dirs variable name.
roddhjav Nov 21, 2024
0b1c265
Add profile for iftop (#604)
doublez13 Nov 21, 2024
5a05744
add more lxqt files (#600)
Besanon Nov 23, 2024
4ba9706
add profile for swayimg (#612)
valoq Nov 23, 2024
c936bd5
Fix typo
odomingao Nov 24, 2024
415efb4
feat(profile): improve some core profiles.
roddhjav Nov 29, 2024
5fffc95
feat(profile): needrestart improve mqueue rule.
roddhjav Nov 29, 2024
85236a5
fix: apparmor parser inside snap.
roddhjav Dec 11, 2024
929bcaa
feat: improve dbus integration for chsh, better handling of generic n…
roddhjav Dec 11, 2024
8944954
feat(profile): minor update.
roddhjav Dec 11, 2024
72733d3
fix(profile): snap integration with dbus.
roddhjav Dec 11, 2024
13cf860
fix(profile): cron communication with dbus.
roddhjav Dec 12, 2024
d243a4a
fix(profile): snapd
roddhjav Dec 12, 2024
0f5f631
Add wttrbar
odomingao Dec 6, 2024
f08bfc2
more lxqt-files (#613)
Besanon Dec 13, 2024
ea507d6
feat(profile): firefox: restrict access to /tmp
roddhjav Dec 23, 2024
ef13380
feat(profile): firefox: better naming of possible attachment.
roddhjav Dec 23, 2024
dda98be
non-owner accesses authorized_keys
beroal Dec 17, 2024
a7e570a
fix(profile): sensors: simplify hwmon access.
roddhjav Dec 23, 2024
24938f6
systemd user ask-password
beroal Dec 15, 2024
915d7e8
fix(profile): pacman-hook-systemd: add systemd-tty-ask-password-agent.
roddhjav Dec 24, 2024
ab5eaaa
feat(profile): various improvements and update.
roddhjav Dec 24, 2024
d0b5e2e
regression: session names
nobody43 Dec 30, 2024
2 changes: 2 additions & 0 deletions .github/local/needrestart
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@

/var/lib/waagent/** r,
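Review bot: The only rule in this new file, `/var/lib/waagent/** r,`, gives needrestart recursive read over the whole tree with no comment saying why the CI runner needs it. Add a one-line comment naming the denial it silences, and narrow the glob to the paths that actually appear in the `aa-log` output.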
41 changes: 41 additions & 0 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,19 @@ name: Ubuntu
on: [push, pull_request, workflow_dispatch]

jobs:
check:
runs-on: ubuntu-24.04
steps:
- name: Check out repository code
uses: actions/checkout@v4

- name: Run basic profile linter check
run: |
make check

build:
runs-on: ${{ matrix.os }}
needs: check
strategy:
matrix:
os:
Expand Down Expand Up @@ -83,12 +94,37 @@ jobs:
sudo apt-get install -y \
apparmor-profiles apparmor-utils \
bats bats-support
sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart

- name: Install apparmor.d
run: |
sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
sudo systemctl restart apparmor.service

- name: Restart some services to ensure they are confined
run: |
services=(
containerd cron
dbus docker
ModemManager multipathd
networkd-dispatcher
packagekit polkit
snapd
systemd-journald systemd-hostnamed systemd-logind systemd-networkd
systemd-resolved systemd-udevd
udisks2
)
sudo systemctl daemon-reload
for service in "${services[@]}"; do
sudo systemctl restart "$service" || systemctl status "$service.service" || true
done
sudo ps auxZ | grep -v '\[.*\]'
sudo aa-log -s --raw

- name: Install integration dependencies
run: |
bash tests/requirements.sh

- name: Run the bats integration tests
run: |
make bats
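Review bot: In the "Restart some services to ensure they are confined" step, `sudo systemctl restart "$service" || systemctl status "$service.service" || true` swallows every restart failure, and the trailing `sudo ps auxZ | grep -v '\[.*\]'` only prints labels. The step therefore passes even when a service fails to start under its profile or comes back unconfined. Consider collecting the failed restarts and exiting non-zero for services that are expected on the runner, and asserting on the label column of the `ps auxZ` output for the listed services instead of relying on someone reading the log.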
Expand All @@ -97,3 +133,8 @@ jobs:
if: always()
run: |
sudo aa-log -s --raw

- name: Show final processes security context
if: always()
run: |
sudo ps auxZ | grep -v '\[.*\]'
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ check:

.PHONY: bats
bats:
@bats --print-output-on-failure tests/bats/
@bats --timing --print-output-on-failure tests/bats/

.PHONY: manual
manual:
Expand Down
2 changes: 1 addition & 1 deletion apparmor.d/abstractions/app/chromium
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,7 @@
@{PROC}/ r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pid}/task/@{tid}/status r,
@{PROC}/pressure/{memory,cpu,io} r,
@{PROC}/sys/fs/inotify/max_user_watches r,
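Review bot: The added `@{PROC}/@{pid}/statm r,` drops the `owner` qualifier that the removed `owner @{PROC}/@{pid}/statm r,` carried, so every profile that includes this abstraction can now read statm for processes belonging to other users. If a specific denial prompted this, record it in a trailing comment on the rule; otherwise keep the owner-restricted form.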
Expand All @@ -201,7 +202,6 @@
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/statm r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
Expand Down
4 changes: 2 additions & 2 deletions apparmor.d/abstractions/app/firefox
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@
owner @{tmp}/Temp-@{uuid}/ rw,
owner @{tmp}/Temp-@{uuid}/* rwk,
owner @{tmp}/tmp-*.xpi rw,
owner @{tmp}/tmpaddon r,
owner @{tmp}/tmpaddon rw,
owner @{tmp}/tmpaddon-@{int} r,

owner /dev/shm/org.chromium.@{rand6} rw,
Expand All @@ -125,7 +125,7 @@
@{sys}/devices/power/events/energy-* r,
@{sys}/devices/power/type r,
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,

@{PROC}/@{pid}/net/arp r,
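Review bot: On the `session-@{word}.scope/cpu.max` line, the switch from `@{int}` to `@{word}` is the regression fix named in the PR title, but nothing here records which session names are not numeric. Add a trailing comment with an example of the name that was denied, and check whether other rules matching `session-@{int}.scope` need the same change so the fix does not stay firefox-only.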
Expand Down
8 changes: 4 additions & 4 deletions apparmor.d/abstractions/app/sudo
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,10 @@

network netlink raw, # PAM

dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.logi1.Manager
member=CreateSession
peer=(name=org.freedesktop.login1, label=systemd-logind),
unix bind type=stream addr=@@{udbus}/bus/sudo/system,

#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind

dbus (send receive) bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd.Manager
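Review bot: The `#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind` directive names no interface or member, while the rule it replaces was scoped to `member=CreateSession` (with the interface misspelled as `org.freedesktop.logi1.Manager`). If sudo only needs CreateSession, a member-scoped rule with the interface name corrected is the tighter fix. If the broader talk access is intended, say why in a comment next to the directives, and do the same for the new `org.freedesktop.home1` line.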
Expand Down
2 changes: 1 addition & 1 deletion apparmor.d/abstractions/app/systemctl
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@

ptrace read peer=@{p_systemd},

unix bind type=stream addr=@@{hex16}/bus/systemctl/,
unix bind type=stream addr=@@{udbus}/bus/systemctl/,

@{bin}/systemctl mr,

Expand Down
4 changes: 4 additions & 0 deletions apparmor.d/abstractions/attached/base
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@

abi <abi/4.0>,

@{att}/@{run}/systemd/journal/dev-log w,
@{att}/@{run}/systemd/journal/socket w,

deny /apparmor/.null rw,
deny @{att}/apparmor/.null rw,

include if exists <abstractions/attached/base.d>
Expand Down
2 changes: 0 additions & 2 deletions apparmor.d/abstractions/base.d/complete
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,4 @@

@{PROC}/sys/kernel/core_pattern r,

deny /apparmor/.null rw,

# vim:syntax=apparmor
4 changes: 2 additions & 2 deletions apparmor.d/abstractions/bus-accessibility
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,12 @@
dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),

dbus send bus=accessibility path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),

owner @{run}/user/@{uid}/at-spi/ rw,
owner @{run}/user/@{uid}/at-spi/bus rw,
Expand Down
4 changes: 2 additions & 2 deletions apparmor.d/abstractions/bus-session
Original file line number Diff line number Diff line change
Expand Up @@ -11,12 +11,12 @@
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label=dbus-session),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-session),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),

/etc/machine-id r,
/var/lib/dbus/machine-id r,
Expand Down
4 changes: 2 additions & 2 deletions apparmor.d/abstractions/bus-system
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,12 @@
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
peer=(name=org.freedesktop.DBus, label=dbus-system),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),

dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName}
peer=(name=org.freedesktop.DBus, label=dbus-system),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),

@{run}/dbus/system_bus_socket rw,

Expand Down
2 changes: 1 addition & 1 deletion apparmor.d/abstractions/bus/org.a11y
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
member=GetAddress
peer=(name=org.a11y.Bus, label=dbus-accessibility),
peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),

dbus send bus=session path=/org/a11y/bus
interface=org.a11y.Bus
Expand Down
5 changes: 5 additions & 0 deletions apparmor.d/abstractions/bus/org.freedesktop.hostname1
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@
member={Get,GetAll}
peer=(name=org.freedesktop.hostname1),

dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),

include if exists <abstractions/bus/org.freedesktop.hostname1.d>

# vim:syntax=apparmor
2 changes: 1 addition & 1 deletion apparmor.d/abstractions/bus/org.freedesktop.systemd1
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

abi <abi/4.0>,

dbus send bus=system path=/org/freedesktop/systemd1
dbus send bus=system path=/org/freedesktop/systemd1{,/**}
interface=org.freedesktop.DBus.Properties
member={Get,GetAll}
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
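Review bot: Widening the path to `/org/freedesktop/systemd1{,/**}` lets every profile that includes this abstraction call `Get` and `GetAll` on all objects below the manager, not just on the manager object. If the denials that prompted this came from one kind of object only, a narrower subtree glob would cover them with less exposure; either way, a comment naming the caller that needed it would help later review.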
Expand Down
7 changes: 5 additions & 2 deletions apparmor.d/abstractions/common/bwrap
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,11 @@
owner /tmp/newroot/ w,
owner /tmp/oldroot/ w,

@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/user/max_user_namespaces r,
owner @{PROC}/@{pid}/fd/ r,

@{att}/@{PROC}/sys/user/max_user_namespaces rw,
owner @{att}/@{PROC}/@{pid}/cgroup r,
owner @{att}/@{PROC}/@{pid}/fd/ r,
Expand Down
2 changes: 1 addition & 1 deletion apparmor.d/abstractions/deny-sensitive-home
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@
deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl,
deny @{run}/user/@{uid}/keyring** mrwkl,
deny @{user_config_dirs}/*-store/{,**} mrwkl,
deny @{user_password_store_dirs}/{,**} mrwkl,
deny @{user_passwordstore_dirs}/{,**} mrwkl,
deny @{user_share_dirs}/kwalletd/{,**} mrwkl,

# Privacy violations
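Review bot: The renamed `@{user_passwordstore_dirs}` sits in a `deny` rule that protects the password store, and this hunk does not show the tunable being defined under the new name. Confirm that the definition and every other reference were renamed in the same commit, so that no profile is left pointing at `@{user_password_store_dirs}`.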
Expand Down
1 change: 1 addition & 0 deletions apparmor.d/abstractions/vulkan-strict
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw,
owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw,
owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w,

owner @{user_share_dirs}/vulkan/ rw,
owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw,
Expand Down
31 changes: 31 additions & 0 deletions apparmor.d/abstractions/webkit
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <[email protected]>
# SPDX-License-Identifier: GPL-2.0-only

# Minimal set of rules for webkit UI.

abi <abi/4.0>,

mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,

@{bin}/xdg-dbus-proxy rix,

@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,

owner /bindfile@{rand6} rw,
owner @{att}/.flatpak-info r,

owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,

owner @{run}/user/@{uid}/.flatpak/ w,
owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,

owner @{run}/user/@{uid}/webkitgtk/ w,
owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,

include if exists <abstractions/webkit.d>

# vim:syntax=apparmor
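Review bot: `@{bin}/xdg-dbus-proxy rix,` and the two `WebKit*Process rix,` rules run the bus proxy, the network process and the web content process under the including application's own profile, although the header calls this a minimal set of rules for the webkit UI. Consider a dedicated child profile (`Cx`) for at least WebKitWebProcess, so the process that renders web content does not inherit the application's file and D-Bus access.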
20 changes: 20 additions & 0 deletions apparmor.d/abstractions/wine
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <[email protected]>
# SPDX-License-Identifier: GPL-2.0-only

# Basic set of resources for wine regardless of the installation method (system or through a game launcher).

abi <abi/4.0>,

owner @{user_share_dirs}/applications/wine/ rw,
owner @{user_share_dirs}/applications/wine/**/ rw,

owner @{tmp}/.wine-@{uid}/ rw,
owner @{tmp}/.wine-@{uid}/** rwk,

owner /dev/shm/wine-@{hex6}-fsync rw,
owner /dev/shm/wine-@{hex6}@{h}-fsync rw,

include if exists <abstractions/wine.d>

# vim:syntax=apparmor
2 changes: 1 addition & 1 deletion apparmor.d/groups/_full/systemd
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(name=org.freedesktop.DBus, label=dbus-system),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),

@{bin}/** Px,
@{lib}/** Px,
Expand Down
4 changes: 2 additions & 2 deletions apparmor.d/groups/_full/systemd-user
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {

ptrace read peer=@{p_systemd},

unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,

#aa:dbus own bus=session name=org.freedesktop.systemd1

Expand Down
6 changes: 4 additions & 2 deletions apparmor.d/groups/apt/apt
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {

signal (send) peer=apt-methods-*,

unix (bind) type=stream addr=@@{hex16}/bus/apt/system,
unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
unix bind type=stream addr=@@{udbus}/bus/apt/system,

unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
unix (send, receive) type=stream peer=(label=snapd),

Expand All @@ -43,7 +45,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
dbus send bus=system path=/org/freedesktop/DBus/Bus
interface=org.freedesktop.DBus
member={GetConnectionUnixProcessID,GetConnectionUnixUser}
peer=(name=org.freedesktop.DBus, label=dbus-system),
peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),

dbus send bus=system
interface=org.freedesktop.DBus.Introspectable
Expand Down
3 changes: 2 additions & 1 deletion apparmor.d/groups/apt/apt-methods-file
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,9 @@ profile apt-methods-file @{exec_path} {

@{lib}/apt/apt-helper rix,

/etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt-mirrors.txt r,
/etc/apt/apt.conf r,
/etc/apt/apt.conf.d/{,*} r,
/etc/apt/mirrors/* r,

/usr/share/dpkg/cputable r,
Expand Down
1 change: 1 addition & 0 deletions apparmor.d/groups/apt/apt-methods-mirror
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ profile apt-methods-mirror @{exec_path} {

@{exec_path} mr,

/etc/apt/apt-mirrors.txt r,
/etc/apt/mirrors/* r,

# For shell pwd
Expand Down
2 changes: 1 addition & 1 deletion apparmor.d/groups/apt/unattended-upgrade
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

signal (send) peer=apt-methods-http,

unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,

@{exec_path} mr,
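Review bot: The changed line `unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,` has no access mode, unlike the `unix bind type=stream addr=...` form used for the same kind of address in the other profiles in this diff, so it grants every unix permission on that address. Add `bind` while this line is being touched.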

Expand Down