# AppArmor policy for the Ubuntu Pro esm-cache service (esm-cache.service is
# named below). The main profile confines the service itself; the helper
# programs it execs are moved into the child profiles declared inside it
# (Cx -> name) or into the two standalone profiles at the end of this file
# (Px -> name), so each helper only gets the access it needs.
#
# "GH: #" and "LP: #" tags next to rules appear to reference the project's
# GitHub issues and Launchpad bugs that motivated the rule.

# Policy is written against AppArmor ABI 3.0.
abi <abi/3.0>,

include <tunables/global>

# attach_disconnected is needed in all profiles defined here because this
# service runs with systemd's PrivateTmp=true
profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/user-tmp>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  # kill is presumably what backs the "signal send" rules below — verify
  capability kill,
  capability setgid,
  capability setuid,

  # "profile//child" names the child profiles declared inside this one.
  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
  signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,

  /etc/apt/** r,
  /etc/machine-id r,
  /etc/ubuntu-advantage/uaclient.conf r,
  # GH: #3109
  # Allow reading the os-release file (possibly a symlink to /usr/lib).
  /{etc/,usr/lib/,lib/}os-release r,

  /run/ubuntu-advantage/ rw,
  /run/ubuntu-advantage/** rw,
  /run/systemd/container/ r,
  /run/systemd/container/** r,

  # ix: these run inside this same profile (no transition).
  /{,usr/}bin/apt mrix,
  /{,usr/}bin/apt-cache mrix,
  /{,usr/}bin/ischroot mrix,
  /{,usr/}bin/python3.{1,}[0-9] mrix,
  # LP: #2067319
  /{,usr/}bin/uname mrix,

  # Cx: transition into the child profile of that name (declared below).
  # Px: transition into a standalone profile (declared at the end of the file).
  /{,usr/}bin/cloud-id Cx -> cloud_id,
  # LP: #2067319
  /{,usr/}bin/ps Cx -> ps,
  /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
  /{,usr/}bin/dpkg Cx -> dpkg,
  /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
  /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
  /{,usr/}lib/apt/methods/http Cx -> apt_methods,
  /{,usr/}lib/apt/methods/https Cx -> apt_methods,
  /{,usr/}lib/apt/methods/store Cx -> apt_methods,
  # when there is no status.json cached, esm-cache.service will invoke "snap status"
  # PUx: snap runs under its own profile if one is loaded, otherwise
  # unconfined. This is the widest exec transition in this file.
  /{,usr/}bin/snap PUx,

  /usr/share/dpkg/** r,
  /usr/share/keyrings/* r,

  /var/cache/apt/** rw,
  /var/lib/apt/** r,
  /var/lib/dpkg/** r,
  # k: file locking is also permitted under the state directory.
  /var/lib/ubuntu-advantage/** rwk,
  /var/log/ubuntu-advantage.log rw,

  @{PROC}/@{pid}/fd/ r,
  @{PROC}/1/cgroup r,
  @{PROC}/version_signature r,
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/sys/kernel/osrelease r,

  # Child profile for "ps" (entered via Cx above).
  profile ps flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>

    capability sys_ptrace,
    # GH: #3079
    capability dac_read_search,
    capability dac_override,

    # GH: #3119
    ptrace (read,trace),

    # LP: #2067319
    /{,usr/}bin/ps mrix,
    /dev/tty r,
    @{PROC}/ r,
    @{PROC}/@{pid}/** r,
    @{PROC}/uptime r,
    @{PROC}/sys/kernel/** r,
    # GH: #3079
    @{PROC}/tty/drivers r,
    /sys/devices/system/node/ r,
    /sys/devices/system/node/** r,
  }

  # Child profile for "cloud-id" (entered via Cx above).
  profile cloud_id flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/python>

    # Read-only ptrace of unconfined peers; presumably needed for the
    # /proc/1 reads below — verify.
    ptrace read peer=unconfined,

    /etc/cloud/** r,
    /etc/apt/** r,
    /etc/apport/** r,
    /etc/ssl/openssl.cnf r,
    @{PROC}/@{pid}/fd/ r,
    @{PROC}/cmdline r,
    @{PROC}/1/environ r,
    @{PROC}/1/cmdline r,
    @{PROC}/@{pid}/status r,
    /run/cloud-init/** r,
    /{,usr/}bin/ r,
    /{,usr/}bin/cloud-id r,
    /{,usr/}bin/python3.{1,}[0-9] mrix,
    # LP: #2067319
    /{,usr/}bin/uname mrix,
    /usr/share/dpkg/** r,
    # workarounds for
    # https://gitlab.com/apparmor/apparmor/-/issues/346
    # LP: #2067319
    /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
    /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
    /var/lib/cloud/** r,
  }

  # Child profile for "dpkg" (entered via Cx above).
  profile dpkg flags=(attach_disconnected) {
    include <abstractions/base>

    capability setgid,

    /etc/dpkg/** r,
    /{,usr/}bin/dpkg mr,
    # LP: #2067810
    /var/lib/dpkg/** r,
  }

  # Child profile for "ubuntu-distro-info" (entered via Cx above).
  profile ubuntu_distro_info flags=(attach_disconnected) {
    include <abstractions/base>

    /{,usr/}bin/ubuntu-distro-info mr,
    /usr/share/distro-info/** r,
  }

  # Child profile shared by the apt http/https/store transport methods.
  # This is the only profile in the file with network access.
  profile apt_methods flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    network inet stream,
    network inet6 stream,

    # Counterpart of the "signal send" rule in the parent profile.
    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,
    /{,usr/}lib/apt/methods/gpgv mr,
    /{,usr/}lib/apt/methods/http mr,
    /{,usr/}lib/apt/methods/https mr,
    /{,usr/}lib/apt/methods/store mr,
    /usr/share/dpkg/** r,
    # LP: #2067810
    /var/lib/dpkg/** r,
    /var/lib/ubuntu-advantage/apt-esm/** rwk,
    @{PROC}/@{pid}/cgroup r,
    @{PROC}/@{pid}/fd/ r,
  }

  # Child profile for the apt gpgv method (signature verification).
  profile apt_methods_gpgv flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/ssl_certs>
    include <abstractions/user-tmp>

    capability setgid,
    capability setuid,

    # Counterpart of the "signal send" rule in the parent profile.
    signal receive set=int peer=ubuntu_pro_esm_cache,

    / r,
    /etc/dpkg/** r,
    # there are just too many shell script tools that are called, like head,
    # tail, cut, sed, etc
    # NOTE(review): this is the broadest exec rule in the file — every binary
    # under bin/ inherits this child profile (ix) rather than being named.
    /{,usr/}bin/* mrix,
    /{,usr/}lib/apt/methods/gpgv mr,
    /usr/share/dpkg/** r,
    /usr/share/keyrings/* r,
    /var/lib/ubuntu-advantage/apt-esm/** r,
    @{PROC}/@{pid}/fd/ r,
    # apt-config command needs these
    # Note: observed only in xenial tests, but makes sense for all releases
    /etc/apt/** r,
    /var/lib/apt/** r,
    # LP: #2067810
    /var/lib/dpkg/** r,
  }

  # Site-specific additions and overrides. See local/README for details.
  # (The "#include" below is an AppArmor include directive, not a comment:
  # rules in the local file are merged into this profile.)
  #include <local/ubuntu_pro_esm_cache>
}

# these profiles were initially subprofiles of cloud-id, but:
# a) that crashes the kernel
#    https://gitlab.com/apparmor/apparmor/-/issues/346
# b) <= bionic doesn't like the // or - chars in profile names
#    https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac

# Standalone profile for "systemctl" (entered via Px from cloud_id).
profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
  include <abstractions/base>

  capability net_admin,
  capability sys_ptrace,

  # Read-only ptrace of unconfined peers; presumably needed for the
  # /proc/1 reads below — verify.
  ptrace read peer=unconfined,

  # LP: #2067319
  /{,usr/}bin/systemctl mr,
  # The only write access in this profile: systemd's private control socket.
  /run/systemd/private rw,
  /run/systemd/** r,
  @{PROC}/cmdline r,
  # GH: #3119
  @{PROC}/1/* r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/sys/kernel/osrelease r,
  # GH: #3119
  /sys/firmware/efi/efivars/** r,
}

# Standalone profile for "systemd-detect-virt" (entered via Px from the
# main profile and from cloud_id).
profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
  include <abstractions/base>

  capability sys_ptrace,

  # Read-only ptrace of unconfined peers; presumably needed for the
  # /proc/1 reads below — verify.
  ptrace read peer=unconfined,

  /{,usr/}bin/systemd-detect-virt mr,
  /run/systemd/** r,
  /sys/devices/virtual/** r,
  # GH: #3119
  /sys/firmware/efi/efivars/** r,
  @{PROC}/@{pid}/status r,
  @{PROC}/@{pid}/stat r,
  @{PROC}/1/environ r,
  @{PROC}/1/sched r,
  @{PROC}/cmdline r,
  @{PROC}/1/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
}