hilfe mein git ist komisch

2026-01-08 18:34:49 +01:00
parent 710537a25d
commit b2d2dce845
4644 changed files with 94994 additions and 1763 deletions
--- a/etc/apparmor.d/ubuntu_pro_esm_cache
+++ b/etc/apparmor.d/ubuntu_pro_esm_cache
@@ -0,0 +1,303 @@
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+# attach_disconnected is needed in all profiles defined here because this
+# service runs with systemd's PrivateTmp=true
+
+profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/python>
+  include <abstractions/user-tmp>
+
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability kill,
+  capability setgid,
+  capability setuid,
+
+  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
+  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,
+
+  /etc/apt/** r,
+  /etc/machine-id r,
+  /etc/ubuntu-advantage/uaclient.conf r,
+  # GH: #3109
+  # Allow reading the os-release file (possibly a symlink to /usr/lib).
+  /{etc/,usr/lib/,lib/}os-release r,
+
+  /run/ubuntu-advantage/ rw,
+  /run/ubuntu-advantage/** rw,
+
+  /run/systemd/container/ r,
+  /run/systemd/container/** r,
+
+  /{,usr/}bin/apt mrix,
+  /{,usr/}bin/apt-cache mrix,
+  /{,usr/}bin/ischroot mrix,
+  /{,usr/}bin/python3.{1,}[0-9] mrix,
+  # LP: #2067319, #2123870
+  /{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}uname mrix,
+
+  /{,usr/}bin/cloud-id Cx -> cloud_id,
+  # LP: #2067319
+  /{,usr/}bin/ps Cx -> ps,
+  /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+  /{,usr/}bin/dpkg Cx -> dpkg,
+  /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
+  /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
+  /{,usr/}lib/apt/methods/http Cx -> apt_methods,
+  /{,usr/}lib/apt/methods/https Cx -> apt_methods,
+  /{,usr/}lib/apt/methods/store Cx -> apt_methods,
+  # when there is no status.json cached, esm-cache.service will invoke "snap status"
+  /{,usr/}bin/snap PUx,
+
+  /usr/share/dpkg/** r,
+  /usr/share/keyrings/* r,
+
+  /var/cache/apt/** rw,
+
+  /var/lib/apt/** r,
+  /var/lib/dpkg/** r,
+  /var/lib/ubuntu-advantage/** rwk,
+
+  /var/log/ubuntu-advantage.log rw,
+
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/1/cgroup r,
+  @{PROC}/version_signature r,
+  @{PROC}/@{pid}/mountinfo r,
+  @{PROC}/@{pid}/status r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/sys/kernel/osrelease r,
+
+
+
+  profile ps flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/nameservice>
+
+    capability sys_ptrace,
+
+    # GH: #3079
+    capability dac_read_search,
+    capability dac_override,
+
+    # GH: #3119
+    ptrace (read,trace),
+
+    # LP: #2067319
+    /{,usr/}bin/ps mrix,
+
+    /dev/tty r,
+
+    @{PROC}/ r,
+    @{PROC}/@{pid}/** r,
+    @{PROC}/uptime r,
+    @{PROC}/sys/kernel/** r,
+    # GH: #3079
+    @{PROC}/tty/drivers r,
+    /sys/devices/system/node/ r,
+    /sys/devices/system/node/** r,
+  }
+
+  profile cloud_id flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/nameservice>
+    include <abstractions/openssl>
+    include <abstractions/python>
+
+    ptrace read peer=unconfined,
+
+    /etc/cloud/** r,
+    /etc/apt/** r,
+    /etc/apport/** r,
+
+    @{PROC}/@{pid}/fd/ r,
+    @{PROC}/cmdline r,
+    @{PROC}/1/environ r,
+    @{PROC}/1/cmdline r,
+    @{PROC}/@{pid}/status r,
+
+    /run/cloud-init/** r,
+
+    /{,usr/}bin/ r,
+    /{,usr/}bin/cloud-id r,
+    /{,usr/}bin/python3.{1,}[0-9] mrix,
+    # LP: #2067319, #2123870
+    /{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}uname mrix,
+
+    /usr/share/dpkg/** r,
+
+    # workarounds for
+    # https://gitlab.com/apparmor/apparmor/-/issues/346
+    # LP: #2067319
+    /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
+    /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+
+    /var/lib/cloud/** r,
+
+
+
+  }
+
+  profile dpkg flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    capability setgid,
+
+    /etc/dpkg/** r,
+
+    /{,usr/}bin/dpkg mr,
+
+    # LP: #2067810
+    /var/lib/dpkg/** r,
+
+  }
+
+  profile ubuntu_distro_info flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    /{,usr/}bin/ubuntu-distro-info mr,
+
+    /usr/share/distro-info/** r,
+
+  }
+
+  profile apt_methods flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/nameservice>
+    include <abstractions/ssl_certs>
+    include <abstractions/user-tmp>
+
+    capability setgid,
+    capability setuid,
+
+    network inet stream,
+    network inet6 stream,
+
+    signal receive set=int peer=ubuntu_pro_esm_cache,
+
+    / r,
+    /etc/dpkg/** r,
+
+    /{,usr/}lib/apt/methods/gpgv mr,
+    /{,usr/}lib/apt/methods/http mr,
+    /{,usr/}lib/apt/methods/https mr,
+    /{,usr/}lib/apt/methods/store mr,
+
+    /usr/share/dpkg/** r,
+
+    # LP: #2067810
+    /var/lib/dpkg/** r,
+
+    /var/lib/ubuntu-advantage/apt-esm/** rwk,
+
+    @{PROC}/@{pid}/cgroup r,
+    @{PROC}/@{pid}/fd/ r,
+
+  }
+
+  profile apt_methods_gpgv flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/nameservice>
+    include <abstractions/ssl_certs>
+    include <abstractions/user-tmp>
+
+    capability setgid,
+    capability setuid,
+
+    signal receive set=int peer=ubuntu_pro_esm_cache,
+
+    / r,
+    /etc/dpkg/** r,
+
+    # there are just too many shell script tools that are called, like head,
+    # tail, cut, sed, etc
+    # LP: #2123870
+    /{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}* mrix,
+
+    /{,usr/}lib/apt/methods/gpgv mr,
+
+    /usr/share/dpkg/** r,
+    /usr/share/keyrings/* r,
+
+    /var/lib/ubuntu-advantage/apt-esm/** r,
+
+    @{PROC}/@{pid}/fd/ r,
+
+    # apt-config command needs these
+    # Note: observed only in xenial tests, but makes sense for all releases
+    /etc/apt/** r,
+    /var/lib/apt/** r,
+
+    # LP: #2067810
+    /var/lib/dpkg/** r,
+
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/ubuntu_pro_esm_cache>
+}
+
+  # these profiles were initially subprofiles of cloud-id, but:
+  # a) that crashes the kernel
+  # https://gitlab.com/apparmor/apparmor/-/issues/346
+  # b) <= bionic doesn't like the // or - chars in profile names
+  # https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac
+
+  profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    ptrace read peer=unconfined,
+
+
+    unix bind addr=@*/bus/systemctl/{,system},
+
+
+    # LP: #2067319
+    /{,usr/}bin/systemctl mr,
+
+    /run/systemd/private rw,
+    /run/systemd/** r,
+
+    @{PROC}/cmdline r,
+    # GH: #3119
+    @{PROC}/1/* r,
+    @{PROC}/@{pid}/stat r,
+    @{PROC}/sys/kernel/osrelease r,
+    # GH: 3119
+    /sys/firmware/efi/efivars/** r,
+  }
+
+  profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
+    include <abstractions/base>
+
+    capability sys_ptrace,
+
+    ptrace read peer=unconfined,
+
+    /{,usr/}bin/systemd-detect-virt mr,
+
+    /run/systemd/** r,
+
+    /sys/devices/virtual/** r,
+    # GH: #3119
+    /sys/firmware/efi/efivars/** r,
+    @{PROC}/@{pid}/status r,
+    @{PROC}/@{pid}/stat r,
+    @{PROC}/1/environ r,
+    @{PROC}/1/sched r,
+    @{PROC}/cmdline r,
+    @{PROC}/1/cmdline r,
+    @{PROC}/sys/kernel/osrelease r,
+
+  }