303 lines
6.9 KiB
Plaintext
303 lines
6.9 KiB
Plaintext
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
# attach_disconnected is needed in all profiles defined here because this
|
|
# service runs with systemd's PrivateTmp=true
|
|
|
|
profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
include <abstractions/openssl>
|
|
include <abstractions/python>
|
|
include <abstractions/user-tmp>
|
|
|
|
capability chown,
|
|
capability dac_override,
|
|
capability dac_read_search,
|
|
capability fowner,
|
|
capability kill,
|
|
capability setgid,
|
|
capability setuid,
|
|
|
|
signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
|
|
signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,
|
|
|
|
/etc/apt/** r,
|
|
/etc/machine-id r,
|
|
/etc/ubuntu-advantage/uaclient.conf r,
|
|
# GH: #3109
|
|
# Allow reading the os-release file (possibly a symlink to /usr/lib).
|
|
/{etc/,usr/lib/,lib/}os-release r,
|
|
|
|
/run/ubuntu-advantage/ rw,
|
|
/run/ubuntu-advantage/** rw,
|
|
|
|
/run/systemd/container/ r,
|
|
/run/systemd/container/** r,
|
|
|
|
/{,usr/}bin/apt mrix,
|
|
/{,usr/}bin/apt-cache mrix,
|
|
/{,usr/}bin/ischroot mrix,
|
|
/{,usr/}bin/python3.{1,}[0-9] mrix,
|
|
# LP: #2067319, #2123870
|
|
/{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}uname mrix,
|
|
|
|
/{,usr/}bin/cloud-id Cx -> cloud_id,
|
|
# LP: #2067319
|
|
/{,usr/}bin/ps Cx -> ps,
|
|
/{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
|
|
/{,usr/}bin/dpkg Cx -> dpkg,
|
|
/{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
|
|
/{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
|
|
/{,usr/}lib/apt/methods/http Cx -> apt_methods,
|
|
/{,usr/}lib/apt/methods/https Cx -> apt_methods,
|
|
/{,usr/}lib/apt/methods/store Cx -> apt_methods,
|
|
# when there is no status.json cached, esm-cache.service will invoke "snap status"
|
|
/{,usr/}bin/snap PUx,
|
|
|
|
/usr/share/dpkg/** r,
|
|
/usr/share/keyrings/* r,
|
|
|
|
/var/cache/apt/** rw,
|
|
|
|
/var/lib/apt/** r,
|
|
/var/lib/dpkg/** r,
|
|
/var/lib/ubuntu-advantage/** rwk,
|
|
|
|
/var/log/ubuntu-advantage.log rw,
|
|
|
|
@{PROC}/@{pid}/fd/ r,
|
|
@{PROC}/1/cgroup r,
|
|
@{PROC}/version_signature r,
|
|
@{PROC}/@{pid}/mountinfo r,
|
|
@{PROC}/@{pid}/status r,
|
|
@{PROC}/@{pid}/stat r,
|
|
@{PROC}/sys/kernel/osrelease r,
|
|
|
|
|
|
|
|
profile ps flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
|
|
capability sys_ptrace,
|
|
|
|
# GH: #3079
|
|
capability dac_read_search,
|
|
capability dac_override,
|
|
|
|
# GH: #3119
|
|
ptrace (read,trace),
|
|
|
|
# LP: #2067319
|
|
/{,usr/}bin/ps mrix,
|
|
|
|
/dev/tty r,
|
|
|
|
@{PROC}/ r,
|
|
@{PROC}/@{pid}/** r,
|
|
@{PROC}/uptime r,
|
|
@{PROC}/sys/kernel/** r,
|
|
# GH: #3079
|
|
@{PROC}/tty/drivers r,
|
|
/sys/devices/system/node/ r,
|
|
/sys/devices/system/node/** r,
|
|
}
|
|
|
|
profile cloud_id flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
include <abstractions/openssl>
|
|
include <abstractions/python>
|
|
|
|
ptrace read peer=unconfined,
|
|
|
|
/etc/cloud/** r,
|
|
/etc/apt/** r,
|
|
/etc/apport/** r,
|
|
|
|
@{PROC}/@{pid}/fd/ r,
|
|
@{PROC}/cmdline r,
|
|
@{PROC}/1/environ r,
|
|
@{PROC}/1/cmdline r,
|
|
@{PROC}/@{pid}/status r,
|
|
|
|
/run/cloud-init/** r,
|
|
|
|
/{,usr/}bin/ r,
|
|
/{,usr/}bin/cloud-id r,
|
|
/{,usr/}bin/python3.{1,}[0-9] mrix,
|
|
# LP: #2067319, #2123870
|
|
/{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}uname mrix,
|
|
|
|
/usr/share/dpkg/** r,
|
|
|
|
# workarounds for
|
|
# https://gitlab.com/apparmor/apparmor/-/issues/346
|
|
# LP: #2067319
|
|
/{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
|
|
/{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
|
|
|
|
/var/lib/cloud/** r,
|
|
|
|
|
|
|
|
}
|
|
|
|
profile dpkg flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
|
|
capability setgid,
|
|
|
|
/etc/dpkg/** r,
|
|
|
|
/{,usr/}bin/dpkg mr,
|
|
|
|
# LP: #2067810
|
|
/var/lib/dpkg/** r,
|
|
|
|
}
|
|
|
|
profile ubuntu_distro_info flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
|
|
/{,usr/}bin/ubuntu-distro-info mr,
|
|
|
|
/usr/share/distro-info/** r,
|
|
|
|
}
|
|
|
|
profile apt_methods flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
include <abstractions/ssl_certs>
|
|
include <abstractions/user-tmp>
|
|
|
|
capability setgid,
|
|
capability setuid,
|
|
|
|
network inet stream,
|
|
network inet6 stream,
|
|
|
|
signal receive set=int peer=ubuntu_pro_esm_cache,
|
|
|
|
/ r,
|
|
/etc/dpkg/** r,
|
|
|
|
/{,usr/}lib/apt/methods/gpgv mr,
|
|
/{,usr/}lib/apt/methods/http mr,
|
|
/{,usr/}lib/apt/methods/https mr,
|
|
/{,usr/}lib/apt/methods/store mr,
|
|
|
|
/usr/share/dpkg/** r,
|
|
|
|
# LP: #2067810
|
|
/var/lib/dpkg/** r,
|
|
|
|
/var/lib/ubuntu-advantage/apt-esm/** rwk,
|
|
|
|
@{PROC}/@{pid}/cgroup r,
|
|
@{PROC}/@{pid}/fd/ r,
|
|
|
|
}
|
|
|
|
profile apt_methods_gpgv flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/nameservice>
|
|
include <abstractions/ssl_certs>
|
|
include <abstractions/user-tmp>
|
|
|
|
capability setgid,
|
|
capability setuid,
|
|
|
|
signal receive set=int peer=ubuntu_pro_esm_cache,
|
|
|
|
/ r,
|
|
/etc/dpkg/** r,
|
|
|
|
# there are just too many shell script tools that are called, like head,
|
|
# tail, cut, sed, etc
|
|
# LP: #2123870
|
|
/{bin/,usr/bin/,usr/bin/gnu,usr/lib/cargo/bin/coreutils/}* mrix,
|
|
|
|
/{,usr/}lib/apt/methods/gpgv mr,
|
|
|
|
/usr/share/dpkg/** r,
|
|
/usr/share/keyrings/* r,
|
|
|
|
/var/lib/ubuntu-advantage/apt-esm/** r,
|
|
|
|
@{PROC}/@{pid}/fd/ r,
|
|
|
|
# apt-config command needs these
|
|
# Note: observed only in xenial tests, but makes sense for all releases
|
|
/etc/apt/** r,
|
|
/var/lib/apt/** r,
|
|
|
|
# LP: #2067810
|
|
/var/lib/dpkg/** r,
|
|
|
|
}
|
|
|
|
# Site-specific additions and overrides. See local/README for details.
|
|
#include <local/ubuntu_pro_esm_cache>
|
|
}
|
|
|
|
# these profiles were initially subprofiles of cloud-id, but:
|
|
# a) that crashes the kernel
|
|
# https://gitlab.com/apparmor/apparmor/-/issues/346
|
|
# b) <= bionic doesn't like the // or - chars in profile names
|
|
# https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac
|
|
|
|
profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
|
|
capability net_admin,
|
|
capability sys_ptrace,
|
|
|
|
ptrace read peer=unconfined,
|
|
|
|
|
|
unix bind addr=@*/bus/systemctl/{,system},
|
|
|
|
|
|
# LP: #2067319
|
|
/{,usr/}bin/systemctl mr,
|
|
|
|
/run/systemd/private rw,
|
|
/run/systemd/** r,
|
|
|
|
@{PROC}/cmdline r,
|
|
# GH: #3119
|
|
@{PROC}/1/* r,
|
|
@{PROC}/@{pid}/stat r,
|
|
@{PROC}/sys/kernel/osrelease r,
|
|
# GH: 3119
|
|
/sys/firmware/efi/efivars/** r,
|
|
}
|
|
|
|
profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
|
|
capability sys_ptrace,
|
|
|
|
ptrace read peer=unconfined,
|
|
|
|
/{,usr/}bin/systemd-detect-virt mr,
|
|
|
|
/run/systemd/** r,
|
|
|
|
/sys/devices/virtual/** r,
|
|
# GH: #3119
|
|
/sys/firmware/efi/efivars/** r,
|
|
@{PROC}/@{pid}/status r,
|
|
@{PROC}/@{pid}/stat r,
|
|
@{PROC}/1/environ r,
|
|
@{PROC}/1/sched r,
|
|
@{PROC}/cmdline r,
|
|
@{PROC}/1/cmdline r,
|
|
@{PROC}/sys/kernel/osrelease r,
|
|
|
|
} |