feat: improve dbus integration for chsh, better handling of generic n…

…eedrestart.
roddhjav · Dec 11, 2024 · 4c56976 · 4c56976
1 parent 3a407cb
commit 4c56976
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 3 deletions.
diff --git a/.github/local/needrestart b/.github/local/needrestart
@@ -0,0 +1,2 @@
+
+  /var/lib/waagent/** r,
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -94,6 +94,7 @@ jobs:
           sudo apt-get install -y \
             apparmor-profiles apparmor-utils \
             bats bats-support
+          sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart
 
       - name: Install apparmor.d
         run: |

diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
@@ -10,18 +10,24 @@ include <tunables/global>
 @{exec_path} = @{bin}/chsh
 profile chsh @{exec_path} {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/authentication>
+  include <abstractions/bus-system>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
 
   capability audit_write,
   capability chown,
   capability fsetid,
+  capability net_admin,
   capability setuid,
 
   network netlink raw,
 
+  unix type=stream addr=@@{udbus}/bus/chsh/system,
+
+  #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
+
   @{exec_path} mr,
 
   /etc/shells r,

diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
@@ -26,6 +26,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
+  @{bin}/*                                 r,
   @{sh_path}                               rix,
   @{bin}/dpkg-query                        rpx,
   @{bin}/fail2ban-server                   rPx,
@@ -42,8 +43,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   @{lib}/needrestart/*                     rPx,
   /usr/share/debconf/frontend              rix,
 
-  @{bin}/networkd-dispatcher r,
-  @{bin}/gettext.sh r,
   /usr/share/needrestart/{,**} r,
   /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
 

diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
@@ -93,6 +93,7 @@ profile snapd @{exec_path} {
   @{lib_dirs}/snapd/snap-update-ns   rPx,
 
   /usr/share/bash-completion/{,**} r,
+  /usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw,
   /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
   /usr/share/dbus-1/services/*snap* r,
   /usr/share/polkit-1/actions/{,**/} r,