
abi <abi/3.0>,

include <tunables/global>

# attach_disconnected is needed in all profiles defined here because this
# service runs with systemd's PrivateTmp=true

# Main profile for the esm-cache service, plus the child profiles (ps,
# cloud_id, dpkg, ubuntu_distro_info, apt_methods, apt_methods_gpgv) that its
# helper executables transition into. Everything not listed below or pulled in
# by an abstraction is denied while the profile is in enforce mode.
profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/user-tmp>

  # dac_override and dac_read_search bypass ordinary file permission bits, so
  # the path rules in this profile are what actually bounds file access for
  # the confined process. setuid/setgid/chown/fowner allow changing identity
  # and ownership; kill allows signalling processes it does not own.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability setgid,
  capability setuid,

  # Only SIGINT may be sent, and only to the two apt method child profiles;
  # the matching "signal receive" rules are in those child profiles.
  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,

  /etc/apt/** r,
  /etc/machine-id r,
  /etc/ubuntu-advantage/uaclient.conf r,
  # GH: #3109
  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/,lib/}os-release r,

  /run/ubuntu-advantage/ rw,
  /run/ubuntu-advantage/** rw,

  /run/systemd/container/ r,
  /run/systemd/container/** r,

  # "ix" executables run under this same profile (no transition), so they get
  # exactly the access listed here and nothing more.
  /{,usr/}bin/apt mrix,
  /{,usr/}bin/apt-cache mrix,
  /{,usr/}bin/ischroot mrix,
  # The glob matches python3.N and python3.1N (one digit after an optional "1").
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  # LP: #2067319
  /{,usr/}bin/uname mrix,

  # "Cx -> name" runs the executable under the named child profile declared
  # further down in this block; "Px -> name" switches to a separate top-level
  # profile, which must be loaded or the exec fails.
  /{,usr/}bin/cloud-id Cx -> cloud_id,
  # LP: #2067319
  /{,usr/}bin/ps Cx -> ps,
  /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
  /{,usr/}bin/dpkg Cx -> dpkg,
  /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
  /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
  /{,usr/}lib/apt/methods/http Cx -> apt_methods,
  /{,usr/}lib/apt/methods/https Cx -> apt_methods,
  /{,usr/}lib/apt/methods/store Cx -> apt_methods,
  # when there is no status.json cached, esm-cache.service will invoke "snap status"
  # NOTE(review): PUx uses a profile attached to snap if one is loaded and
  # otherwise runs snap unconfined, so this exec can leave the confinement
  # defined here entirely. Confirm that fallback is intended on every release
  # this profile ships to.
  /{,usr/}bin/snap PUx,

  /usr/share/dpkg/** r,
  /usr/share/keyrings/* r,

  /var/cache/apt/** rw,

  /var/lib/apt/** r,
  /var/lib/dpkg/** r,
  # "k" additionally permits taking file locks under this tree.
  /var/lib/ubuntu-advantage/** rwk,

  /var/log/ubuntu-advantage.log rw,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/1/cgroup r,
  @{PROC}/version_signature r,
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/sys/kernel/osrelease r,



  # Child profile for ps. It is the broadest reader in this file: the ptrace
  # rule has no peer= restriction and the @{pid} glob below is not limited to
  # the caller's own process.
  profile ps flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>

    capability sys_ptrace,

    # GH: #3079
    capability dac_read_search,
    capability dac_override,

    # GH: #3119
    # NOTE(review): with no peer= qualifier this applies to any peer profile,
    # and "trace" is more than the "read" the other profiles here request.
    # The linked issue presumably explains why; confirm before widening or
    # copying this rule.
    ptrace (read,trace),

    # LP: #2067319
    /{,usr/}bin/ps mrix,

    /dev/tty r,

    @{PROC}/ r,
    # NOTE(review): @{pid} comes from the tunables and normally matches any
    # PID, so together with the capabilities above this makes every process's
    # /proc entries (cmdline, environ, ...) readable to ps. Verify against the
    # tunables in use.
    @{PROC}/@{pid}/** r,
    @{PROC}/uptime r,
    @{PROC}/sys/kernel/** r,
    # GH: #3079
    @{PROC}/tty/drivers r,
    /sys/devices/system/node/ r,
    /sys/devices/system/node/** r,
  }

  # Child profile for cloud-id. The script itself is only readable here; it is
  # the python3 interpreter that gets the inherit-execute rule.
  profile cloud_id flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/openssl>
    include <abstractions/python>

    # Read-only ptrace access, and only towards unconfined processes.
    ptrace read peer=unconfined,

    /etc/cloud/** r,
    /etc/apt/** r,
    /etc/apport/** r,

    @{PROC}/@{pid}/fd/ r,
    @{PROC}/cmdline r,
    # PID 1's environment and command line are readable from this profile.
    @{PROC}/1/environ r,
    @{PROC}/1/cmdline r,
    @{PROC}/@{pid}/status r,

    /run/cloud-init/** r,

    /{,usr/}bin/ r,
    /{,usr/}bin/cloud-id r,
    /{,usr/}bin/python3.{1,}[0-9] mrix,
    # LP: #2067319
    /{,usr/}bin/uname mrix,

    /usr/share/dpkg/** r,

    # workarounds for
    # https://gitlab.com/apparmor/apparmor/-/issues/346
    # LP: #2067319
    # Both targets are top-level profiles declared after the closing brace of
    # ubuntu_pro_esm_cache, not children of cloud_id.
    /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
    /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,

    /var/lib/cloud/** r,



  }

  # Child profile for dpkg: read-only access to dpkg configuration and its
  # database, no exec rules beyond mapping the dpkg binary itself.
  profile dpkg flags=(attach_disconnected) {
    include <abstractions/base>

    capability setgid,

    /etc/dpkg/** r,

    /{,usr/}bin/dpkg mr,

    # LP: #2067810
    /var/lib/dpkg/** r,

  }

  # Child profile for ubuntu-distro-info: the binary plus its data directory,
  # both read-only.
  profile ubuntu_distro_info flags=(attach_disconnected) {
    include <abstractions/base>

    /{,usr/}bin/ubuntu-distro-info mr,

    /usr/share/distro-info/** r,

  }

  # Child profile shared by the http, https and store apt methods. It is the
  # only profile in this file with network rules, and its write access outside
  # the included abstractions is confined to the apt-esm tree.
  profile apt_methods flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    # TCP over IPv4 and IPv6 only; the abstractions above may add further
    # network rules (not visible in this file).
    network inet stream,
    network inet6 stream,

    # Counterpart of the "signal send set=int" rule in the parent profile.
    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,

    /{,usr/}lib/apt/methods/gpgv mr,
    /{,usr/}lib/apt/methods/http mr,
    /{,usr/}lib/apt/methods/https mr,
    /{,usr/}lib/apt/methods/store mr,

    /usr/share/dpkg/** r,

    # LP: #2067810
    /var/lib/dpkg/** r,

    /var/lib/ubuntu-advantage/apt-esm/** rwk,

    @{PROC}/@{pid}/cgroup r,
    @{PROC}/@{pid}/fd/ r,

  }

  # Child profile for the gpgv apt method (signature verification). Unlike
  # apt_methods it declares no network rules and only reads the apt-esm tree.
  profile apt_methods_gpgv flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    # Counterpart of the "signal send set=int" rule in the parent profile.
    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,

    # there are just too many shell script tools that are called, like head,
    # tail, cut, sed, etc
    # NOTE(review): this lets any file directly in /bin or /usr/bin be executed
    # ("*" does not descend into subdirectories). "ix" keeps each of them under
    # this child profile, so what they can touch is still limited to the rules
    # and abstractions listed here; keep that in mind before adding write or
    # network rules to this profile.
    /{,usr/}bin/* mrix,

    /{,usr/}lib/apt/methods/gpgv mr,

    /usr/share/dpkg/** r,
    /usr/share/keyrings/* r,

    /var/lib/ubuntu-advantage/apt-esm/** r,

    @{PROC}/@{pid}/fd/ r,

    # apt-config command needs these
    # Note: observed only in xenial tests, but makes sense for all releases
    /etc/apt/** r,
    /var/lib/apt/** r,

    # LP: #2067810
    /var/lib/dpkg/** r,

  }

  # Site-specific additions and overrides. See local/README for details.
  #include <local/ubuntu_pro_esm_cache>
}

  # these profiles were initially subprofiles of cloud-id, but:
  # a) that crashes the kernel
  # https://gitlab.com/apparmor/apparmor/-/issues/346
  # b) <= bionic doesn't like the // or - chars in profile names
  # https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac

  # Top-level profile entered through the "Px" rule for systemctl in the
  # cloud_id child profile. It maps the systemctl binary but grants no further
  # exec permissions.
  profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
    include <abstractions/base>

    capability net_admin,
    capability sys_ptrace,

    # Read-only ptrace access, and only towards unconfined processes.
    ptrace read peer=unconfined,



    # LP: #2067319
    /{,usr/}bin/systemctl mr,

    # The private socket is the only writable path in this profile; everything
    # else under /run/systemd is read-only.
    /run/systemd/private rw,
    /run/systemd/** r,

    @{PROC}/cmdline r,
    # GH: #3119
    # "*" covers every file directly under /proc/1 (environ and cmdline
    # included) but not its subdirectories.
    @{PROC}/1/* r,
    @{PROC}/@{pid}/stat r,
    @{PROC}/sys/kernel/osrelease r,
    # GH: #3119
    /sys/firmware/efi/efivars/** r,
  }

  # Top-level profile entered through the "Px" rules for systemd-detect-virt in
  # both ubuntu_pro_esm_cache and its cloud_id child profile. Every path rule
  # here is read-only and there are no exec rules beyond mapping the binary.
  profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
    include <abstractions/base>

    capability sys_ptrace,

    # Read-only ptrace access, and only towards unconfined processes.
    ptrace read peer=unconfined,

    /{,usr/}bin/systemd-detect-virt mr,

    /run/systemd/** r,

    /sys/devices/virtual/** r,
    # GH: #3119
    /sys/firmware/efi/efivars/** r,
    @{PROC}/@{pid}/status r,
    @{PROC}/@{pid}/stat r,
    # PID 1's environment, scheduler info and command line are readable here.
    @{PROC}/1/environ r,
    @{PROC}/1/sched r,
    @{PROC}/cmdline r,
    @{PROC}/1/cmdline r,
    @{PROC}/sys/kernel/osrelease r,

  }