From b84ee5c2468870057e49c52efc0b45d689f95477 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Mon, 11 Mar 2024 16:35:58 +0100
Subject: [PATCH] tools: Add AppArmor profile for cockpit-desktop Ubuntu 24.04 LTS restricts user name spaces by default. Add an AppArmor profile for cockpit-desktop to allow it. This is a no-op for older releases. See https://launchpad.net/bugs/2046477 for details.
---
 tools/Makefile-tools.am | 5 ++++-
 tools/apparmor.d/cockpit-desktop | 10 ++++++++++
 tools/debian/cockpit-ws.install | 1 +
 tools/debian/cockpit-ws.postinst | 5 +++++
 4 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 tools/apparmor.d/cockpit-desktop
diff --git a/tools/Makefile-tools.am b/tools/Makefile-tools.am
index d5685a846f2f..ec4e7c115b7b 100644
--- a/tools/Makefile-tools.am
+++ b/tools/Makefile-tools.am
@@ -22,4 +22,7 @@ coverage:
 @echo "file://$(abs_top_builddir)/tools/coverage/index.html"
 endif
-EXTRA_DIST += pkg/apps/content-security-policy.override
+EXTRA_DIST += \
+ pkg/apps/content-security-policy.override \
+ tools/apparmor.d/cockpit-desktop \
+ $(NULL)
diff --git a/tools/apparmor.d/cockpit-desktop b/tools/apparmor.d/cockpit-desktop
new file mode 100644
index 000000000000..02ee72a81ca1
--- /dev/null
+++ b/tools/apparmor.d/cockpit-desktop
@@ -0,0 +1,10 @@
+abi ,
+
+include
+
+profile cockpit-desktop /usr/lib/cockpit/cockpit-desktop flags=(unconfined) {
+ userns,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
index 44f0cd071324..489d8d790d70 100644
--- a/tools/debian/cockpit-ws.install
+++ b/tools/debian/cockpit-ws.install
@@ -1,5 +1,6 @@
 etc/cockpit/ws-certs.d
 etc/pam.d/cockpit
+tools/apparmor.d/cockpit-desktop etc/apparmor.d/
 ${env:deb_systemdsystemunitdir}/cockpit.service
 ${env:deb_systemdsystemunitdir}/cockpit-motd.service
 ${env:deb_systemdsystemunitdir}/cockpit.socket
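Review bot: The new profile in tools/apparmor.d/cockpit-desktop has no comment saying that it is not a sandbox. `flags=(unconfined)` leaves the program unrestricted, and the single `userns,` rule only re-grants user-namespace creation where the distribution restricts it. A header comment such as `# Not a confinement profile: only grants userns to cockpit-desktop, see https://launchpad.net/bugs/2046477` would keep a later reader from assuming the binary is confined. The attachment path `/usr/lib/cockpit/cockpit-desktop` is hard-coded, so the comment should also name it as the Debian/Ubuntu location; on a layout that installs the program elsewhere the profile would presumably not attach.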
diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
index 1e497bd160d0..d07dcba77774 100644
--- a/tools/debian/cockpit-ws.postinst
+++ b/tools/debian/cockpit-ws.postinst
@@ -21,6 +21,11 @@ if [ -d /run/systemd/system ] && [ -n "$2" ]; then
 deb-systemd-invoke try-restart cockpit.service >/dev/null || true
 fi
+# update AppArmor profile
+if [ "$1" = "configure" ] && aa-enabled --quiet 2>/dev/null; then
+ apparmor_parser -r -T -W /etc/apparmor.d/cockpit-desktop || true
+fi
+
 # set up dynamic motd/issue symlinks on first-time install or upgrades from < 244 (which moved them out of the .deb)
 if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 244; then
 mkdir -p /etc/motd.d /etc/issue.d
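Review bot: Nothing in this patch unloads the profile again. The added postinst block loads `/etc/apparmor.d/cockpit-desktop` on `configure`, but no prerm/postrm counterpart is visible. After the package is removed without purge, the file under /etc would remain as a conffile, and the userns grant for that path would presumably stay loaded and be reloaded at boot. Consider `dh_apparmor --profile-name=cockpit-desktop` in the packaging in place of this hand-written block, or add a removal step such as `apparmor_parser -R /etc/apparmor.d/cockpit-desktop || true`. The `|| true` here also means a profile that fails to parse is reported only as parser output in the dpkg log while installation still succeeds.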