profiles: Give all profiles read access to their attachment path

Grant explicit read permission on each profile’s attachment path. This avoid issues when running them from a confined environment and makes test_profile.sh pass. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
2025-08-22 10:07:12 +00:00 · 2025-04-17 21:16:15 +02:00 · 2025-04-17 21:16:15 +02:00 · 072d17a237
commit 072d17a237
parent 68c0dddf23
33 changed files with 65 additions and 3 deletions
--- a/profiles/apparmor.d/Xorg
+++ b/profiles/apparmor.d/Xorg
@ -58,6 +58,8 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
  /{,usr/}bin/{bash,dash,sh} ix,
  /usr/bin/xkbcomp           ix,

+  /usr/lib/xorg/Xorg      mr,
+
  @{PROC}/cmdline         r,
  @{PROC}/@{pid}/cmdline  r,
  @{PROC}/ioports         r,
--- a/profiles/apparmor.d/alsamixer
+++ b/profiles/apparmor.d/alsamixer
@ -10,6 +10,8 @@ profile alsamixer /{usr,}/bin/alsamixer {

    include <abstractions/dbus-session-strict>

+    /{usr,}/bin/alsamixer mr,
+
    @{sys}/devices/virtual/dmi/id/sys_vendor r,

    @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/profiles/apparmor.d/babeld
+++ b/profiles/apparmor.d/babeld
@ -17,6 +17,7 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>

+  /usr/lib/frr/babeld mr,
  @{run}/frr/babel-state w,

  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/bfdd
+++ b/profiles/apparmor.d/bfdd
@ -20,6 +20,8 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) {
  capability net_raw,
  capability sys_admin,

+
+  /usr/lib/frr/bfdd mr,
  @{run}/netns/* r,

  @{run}/frr/bfdd.sock w,
--- a/profiles/apparmor.d/bgpd
+++ b/profiles/apparmor.d/bgpd
@ -21,6 +21,8 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) {
  capability net_raw,
  capability sys_admin,

+  /usr/lib/frr/bgpd mr,
+
  @{run}/netns/* r,

  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/profiles/apparmor.d/bin.ping
+++ b/profiles/apparmor.d/bin.ping
@ -22,7 +22,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
  network inet raw,
  network inet6 raw,

-  /{,usr/}bin/{,iputils-}ping mixr,
+  /{usr/,}bin/{,iputils-}ping mixr,
  /etc/modules.conf r,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

--- a/profiles/apparmor.d/eigrpd
+++ b/profiles/apparmor.d/eigrpd
@ -19,6 +19,8 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) {

  capability net_raw,

+  /usr/lib/frr/eigrpd mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/eigrpd>
 }
--- a/profiles/apparmor.d/fabricd
+++ b/profiles/apparmor.d/fabricd
@ -17,6 +17,8 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>

+  /usr/lib/frr/fabricd mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/fabricd>
 }
--- a/profiles/apparmor.d/isisd
+++ b/profiles/apparmor.d/isisd
@ -20,6 +20,8 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) {

  capability net_raw,

+  /usr/lib/frr/isisd mr,
+
  /var/lib/frr/ r, 
  /var/lib/frr/isisd.json{,.sav} rw,

--- a/profiles/apparmor.d/nhrpd
+++ b/profiles/apparmor.d/nhrpd
@ -20,6 +20,7 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) {
  capability net_raw,
  capability net_admin,

+  /usr/lib/frr/nhrpd mr,
  /usr/bin/dash ix,
  @{PROC}/sys/net/ipv4/conf/*/send_redirects w,

--- a/profiles/apparmor.d/ospf6d
+++ b/profiles/apparmor.d/ospf6d
@ -21,6 +21,8 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) {
  capability net_raw,
  capability sys_admin,

+  /usr/lib/frr/ospf6d mr,
+
  @{run}/netns/* r,

  @{run}/frr/ospf6d-gr.json w,
--- a/profiles/apparmor.d/ospfd
+++ b/profiles/apparmor.d/ospfd
@ -21,6 +21,8 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) {
  capability net_raw,
  capability sys_admin,

+  /usr/lib/frr/ospfd mr,
+
  @{run}/netns/* r,

  @{run}/frr/ospfd-gr.json w,
--- a/profiles/apparmor.d/pathd
+++ b/profiles/apparmor.d/pathd
@ -17,6 +17,8 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>

+  /usr/lib/frr/pathd mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pathd>
 }
--- a/profiles/apparmor.d/pbrd
+++ b/profiles/apparmor.d/pbrd
@ -17,6 +17,8 @@ profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>

+  /usr/lib/frr/pbrd mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pbrd>
 }
--- a/profiles/apparmor.d/pim6d
+++ b/profiles/apparmor.d/pim6d
@ -20,6 +20,8 @@ profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) {
  capability net_raw,
  capability net_admin,

+  /usr/lib/frr/pim6d mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pim6d>
 }
--- a/profiles/apparmor.d/pimd
+++ b/profiles/apparmor.d/pimd
@ -20,6 +20,8 @@ profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) {
  capability net_raw,
  capability net_admin,

+  /usr/lib/frr/pimd mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/pimd>
 }
--- a/profiles/apparmor.d/ripd
+++ b/profiles/apparmor.d/ripd
@ -18,6 +18,8 @@ profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) {
  include <abstractions/frr>
  include <abstractions/frr-snmp>

+  /usr/lib/frr/ripd mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ripd>
 }
--- a/profiles/apparmor.d/ripngd
+++ b/profiles/apparmor.d/ripngd
@ -17,6 +17,8 @@ profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>

+  /usr/lib/frr/ripngd mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/ripngd>
 }
--- a/profiles/apparmor.d/staticd
+++ b/profiles/apparmor.d/staticd
@ -17,6 +17,8 @@ profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>
 
+  /usr/lib/frr/staticd mr,
+
  /etc/frr/zebra.conf r,

  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/profiles/apparmor.d/tnftp
+++ b/profiles/apparmor.d/tnftp
@ -29,6 +29,8 @@ profile tnftp /usr/bin/tnftp {
  network inet stream,
  network inet6 stream,

+  /usr/bin/tnftp mr,
+
  # required for the pager (less, more) to work
  file Cx /usr/bin/dash,

--- a/profiles/apparmor.d/transmission
+++ b/profiles/apparmor.d/transmission
@ -17,6 +17,8 @@ profile transmission-daemon /usr/bin/transmission-daemon flags=(complain,attach_
  network inet  stream,
  network inet6 stream,

+  /usr/bin/transmission-daemon mr,
+
  owner @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/random/uuid r,

@ -42,6 +44,8 @@ profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
  include <abstractions/transmission-common>
  include <abstractions/consoles>

+  /usr/bin/transmission-cli mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/transmission>
  include if exists <local/transmission-cli>
@ -53,6 +57,8 @@ profile transmission-gtk /usr/bin/transmission-gtk flags=(complain,attach_discon
  include <abstractions/dconf>
  include <abstractions/gnome>

+  /usr/bin/transmission-gtk mr,
+
  owner @{run}/user/*/dconf/user w,

  # Site-specific additions and overrides. See local/README for details.
@ -70,6 +76,8 @@ profile transmission-qt /usr/bin/transmission-qt flags=(complain) {
  include <abstractions/qt5>
  include <abstractions/qt5-settings-write>

+  /usr/bin/transmission-qt mr,
+
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/transmission>
  include if exists <local/transmission-qt>
--- a/profiles/apparmor.d/vrrpd
+++ b/profiles/apparmor.d/vrrpd
@ -17,6 +17,7 @@ profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/frr>

+  /usr/lib/frr/vrrpd mr,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/vrrpd>
 }
--- a/profiles/apparmor.d/wpa_supplicant
+++ b/profiles/apparmor.d/wpa_supplicant
@ -52,6 +52,8 @@ profile wpa_supplicant /usr/sbin/wpa_supplicant {
        interface=org.freedesktop.DBus
        member={AddMatch,GetNameOwner,Hello,ReleaseName,RemoveMatch,RequestName,StartServiceByName},

+  /usr/sbin/wpa_supplicant mr,
+
  owner /dev/rfkill r,
  owner /etc/group r,
  owner /etc/nsswitch.conf r,
--- a/profiles/apparmor.d/zgrep
+++ b/profiles/apparmor.d/zgrep
@ -31,11 +31,10 @@ profile zgrep /usr/bin/{x,}zgrep {
  /usr/bin/rm ix,
  /usr/bin/sed Cx -> sed,
  /usr/bin/xz Cx -> helper,
-  /usr/bin/xzgrep r,
  /usr/bin/zgrep Cx -> helper,
  /usr/bin/zstd Cx -> helper,
  owner /tmp/zgrep* rw,
-  /usr/bin/zgrep r,
+  /usr/bin/{x,}zgrep r,

  deny /etc/nsswitch.conf r,
  deny /etc/passwd r,
--- a/profiles/apparmor.d/znc
+++ b/profiles/apparmor.d/znc
@ -13,6 +13,8 @@ profile znc /usr/bin/znc {

  network tcp,

+  /usr/bin/znc mr,
+
  @{system_share_dirs}/znc/** r,

  owner @{HOME}/.znc/ rw,
--- a/profiles/apparmor/profiles/extras/firefox
+++ b/profiles/apparmor/profiles/extras/firefox
@ -110,6 +110,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
       member=GetAll
       peer=(label=unconfined),

+  @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} mr,
+
  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
--- a/profiles/apparmor/profiles/extras/firefox.sh
+++ b/profiles/apparmor/profiles/extras/firefox.sh
@ -11,6 +11,8 @@ profile firefox.sh /usr/lib/firefox/firefox.sh {

  deny capability sys_ptrace,

+  /usr/lib/firefox/firefox.sh mr,
+
  /{usr/,}bin/basename rix,
  /{usr/,}bin/bash rix,
  /{usr/,}bin/grep rix,
--- a/profiles/apparmor/profiles/extras/usr.bin.acroread
+++ b/profiles/apparmor/profiles/extras/usr.bin.acroread
@ -26,6 +26,8 @@ include <tunables/global>

  capability dac_override,

+  /usr/X11R6/bin/acroread mr,
+
  /{usr/,}bin/basename mixr,
  /{usr/,}bin/bash mix,
  /{usr/,}bin/cat mixr,
--- a/profiles/apparmor/profiles/extras/usr.bin.svnserve
+++ b/profiles/apparmor/profiles/extras/usr.bin.svnserve
@ -19,6 +19,8 @@ include <tunables/global>
  # network service ;)
  capability net_bind_service,

+  /usr/bin/svnserve mr,
+
  /srv/svn/*/conf/* r,
  /srv/svn/*/format r,
  /srv/svn/*/db/ r,
--- a/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay
+++ b/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay
@ -41,6 +41,7 @@ include <tunables/global>
  @{HOME}/ r,
  @{HOME}/.realplayerrc rw,

+  /usr/lib/RealPlayer10/realplay mr,
  /usr/lib/RealPlayer10/** mr,
  /usr/lib/RealPlayer10/realplay.bin Pxr,
  /usr/lib/firefox/firefox.sh Pxr,
--- a/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10
+++ b/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10
@ -33,6 +33,7 @@ include <tunables/global>
  /usr/lib/GConf/**.so mr,
  /usr/lib/GConf/2/gconfd-2 Pxr,
  /usr/lib64/GConf/2/gconfd-2 Pxr,
+  /usr/lib/evolution-data-server/evolution-data-server-1.10 mr,
  /usr/lib/evolution-data-server/evolution-data-server-* rmix,
  /usr/lib/evolution-data-server*/extensions r,
  /usr/lib/evolution-data-server*/extensions/lib*.so r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
@ -19,6 +19,8 @@ include <tunables/global>
  @{HOME}/.plan          r,
  @{HOME}/.project       r,

+  /usr/sbin/in.fingerd mr,
+
  /usr/bin/finger        mix,
  /var/log/lastlog       r,
  /{,var/}run/utmp       rk,
--- a/profiles/apparmor/profiles/extras/usr.sbin.oidentd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.oidentd
@ -21,6 +21,8 @@ include <tunables/global>
  capability dac_override,
  capability dac_read_search,

+  /usr/sbin/oidentd mr,
+
  /etc/oidentd.conf        r,
  /etc/oidentd_masq.conf   r,
  @{PROC}/net/tcp          r,