Hi,
intrigeri:
> I've upgraded my system to 4.14 and had to adjust no less than 7 profiles
> *after* applying Christian's patch to abstractions/nameservice.
> They're spread over multiple source packages but I figured it would be
> nice to at least share my tweaks (attached) so anyone affected can
> temporarily apply them locally, and everyone who wants can start
> pushing them to the correct upstream / source package.
Here's a more up-to-date dump.
The torbrowser profile changes probably need to be redone (somewhat
from scratch) on top of the one that's in sid: I'm not running the
profile shipped in Debian currently, but something stricter that I've
sent a PR upstream for. Other than that, everything in there should be
ready to be pushed to the relevant place.
Cheers,
--
intrigeri
diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor
index 15601a4a..5e494adc 100644
--- a/apparmor.d/abstractions/tor
+++ b/apparmor.d/abstractions/tor
@@ -6,6 +6,8 @@
network tcp,
network udp,
+ network unix dgram,
+
capability chown,
capability dac_read_search,
capability fowner,
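Review bot: The added `network unix dgram,` carries no comment recording why it became necessary; the covering mail ties it to the kernel 4.14 upgrade, but that context is lost once the rule sits in the abstraction, and because this is an abstraction the grant lands in every profile that includes it. A one-line comment above it such as `# required on Linux >= 4.14, see <THREAD-URL>` would keep a later cleanup from dropping it as apparently redundant with a profile's fine-grained `unix` rules. The same applies to the `network unix ...` lines added to sbin.dhclient, usr.sbin.cupsd, usr.sbin.haveged and usr.sbin.libvirtd; in usr.sbin.haveged in particular the surrounding rules are each commented (`# Required for ioctl RNDADDENTROPY`), so the bare addition breaks that file's convention.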
diff --git a/apparmor.d/libvirt/TEMPLATE.qemu b/apparmor.d/libvirt/TEMPLATE.qemu
index c2f6aa2e..e11b6219 100644
--- a/apparmor.d/libvirt/TEMPLATE.qemu
+++ b/apparmor.d/libvirt/TEMPLATE.qemu
@@ -7,6 +7,8 @@
profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
#include <abstractions/libvirt-qemu>
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+
--- a/apparmor.d/sbin.dhclient
+++ b/apparmor.d/sbin.dhclient
@@ -16,6 +16,9 @@ profile dhclient /{usr/,}sbin/dhclient {
network packet,
network raw,
+ network unix dgram,
+ network unix stream,
+
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/** r,
diff --git a/apparmor.d/torbrowser.Browser.firefox b/apparmor.d/torbrowser.Browser.firefox
index 1d6421e7..0548cc00 100644
--- a/apparmor.d/torbrowser.Browser.firefox
+++ b/apparmor.d/torbrowser.Browser.firefox
@@ -10,8 +10,15 @@
# @{HOME}/ r,
#dbus,
+ network netlink raw,
network tcp,
+ network unix seqpacket,
+
+ ptrace (trace) peer=torbrowser_plugin_container,
+
+ signal (send) set=("term") peer=torbrowser_plugin_container,
+
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
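Review bot: `ptrace (trace) peer=torbrowser_plugin_container,` gives the browser process full ptrace control over the content-process profile, which weakens the separation the two profiles exist to enforce; if the browser only needs to read the child's /proc entries, `ptrace (read) peer=torbrowser_plugin_container,` is enough, and the `requested_mask` in the audit denial shows which of the two was actually asked for. `network netlink raw,` is likewise a broad grant and would benefit from a comment naming the operation the denial log showed. The enclosing profile header is outside the hunk, so the profile's own label is not visible here.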
diff --git a/apparmor.d/torbrowser.Browser.plugin-container b/apparmor.d/torbrowser.Browser.plugin-container
index 12140448..5169f866 100644
--- a/apparmor.d/torbrowser.Browser.plugin-container
+++ b/apparmor.d/torbrowser.Browser.plugin-container
@@ -13,6 +13,10 @@ profile torbrowser_plugin_container {
# owner @{PROC}/@{pid}/fd/ r,
# owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+ signal (receive) set=("term") peer=/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox,
+
+ unix (receive, send) type=seqpacket,
+
deny /etc/host.conf r,
deny /etc/hosts r,
deny /etc/nsswitch.conf r,
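Review bot: The `signal (receive)` peer on the first added line spells out `/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox`, while the commented rule two lines above reaches the same tree through `@{torbrowser_home_dir}`; if that variable expands to the `.../Browser` directory, as that rule suggests, `peer=@{torbrowser_home_dir}/firefox` keeps the two in sync and leaves a single place to update when the install path changes. `unix (receive, send) type=seqpacket,` has no peer constraint; since the firefox profile names this profile explicitly in its own hunk, the matching `peer=(label=...)` could be added here once the firefox profile's label is settled. The enclosing `profile torbrowser_plugin_container {` header is outside the hunk.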
@@ -24,6 +28,9 @@ profile torbrowser_plugin_container {
deny /etc/machine-id r,
deny /var/lib/dbus/machine-id r,
+ /etc/mime.types r,
+ /usr/share/applications/gnome-mimeapps.list r,
+
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/status r,
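Review bot: `/usr/share/applications/gnome-mimeapps.list r,` is specific to the GNOME desktop; the XDG mime-apps lookup consults `$desktop-mimeapps.list` and the generic `mimeapps.list`, so the same code path will produce a new denial on other desktops. `/usr/share/applications/{,*-}mimeapps.list r,` covers the family with little risk (read-only, static data), and a comment naming the feature that triggered the lookup would help the next person who sees a related denial.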
diff --git a/apparmor.d/usr.bin.pulseaudio b/apparmor.d/usr.bin.pulseaudio
index 20d5bc25..2817ab55 100644
--- a/apparmor.d/usr.bin.pulseaudio
+++ b/apparmor.d/usr.bin.pulseaudio
@@ -25,6 +25,8 @@
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
ptrace (read,trace) peer=@{profile_name},
+ network unix dgram,
+
/usr/bin/pulseaudio mixr,
/etc/pulse/ r,
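Review bot: `network unix dgram,` sits directly below a fine-grained `unix (connect, receive, send) type=stream peer=(addr=...)` rule, so the profile now allows AF_UNIX datagram traffic with no address or peer constraint while the stream side stays tightly scoped. If the 4.14 kernel only mediates these sockets through the coarse network rule, so the `unix` rule family cannot express the constraint, a comment saying so would stop a reader from "fixing" the inconsistency in either direction; if it can, `unix (send, receive) type=dgram peer=(addr="<ADDR-FROM-LOG>"),` would be the form consistent with the rest of the profile. The profile header is outside the hunk.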
diff --git a/apparmor.d/usr.sbin.cupsd b/apparmor.d/usr.sbin.cupsd
index 053d1c1f..ca884e2d 100644
--- a/apparmor.d/usr.sbin.cupsd
+++ b/apparmor.d/usr.sbin.cupsd
@@ -47,6 +47,8 @@
network econet dgram,
network ash dgram,
+ network unix stream,
+
/{usr/,}bin/bash ixr,
/{usr/,}bin/dash ixr,
/{usr/,}bin/hostname ixr,
diff --git a/apparmor.d/usr.sbin.haveged b/apparmor.d/usr.sbin.haveged
index 0e611388..ad1bee6d 100644
--- a/apparmor.d/usr.sbin.haveged
+++ b/apparmor.d/usr.sbin.haveged
@@ -7,6 +7,8 @@
# Required for ioctl RNDADDENTROPY
capability sys_admin,
+ network unix stream,
+
owner @{PROC}/@{pid}/status r,
@{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd
index 4c4a751c..9d7b7e95 100644
--- a/apparmor.d/usr.sbin.libvirtd
+++ b/apparmor.d/usr.sbin.libvirtd
@@ -30,6 +30,8 @@
# Needed for vfio
capability sys_resource,
+ mount,
+
network inet stream,
network inet dgram,
network inet6 stream,
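Review bot: The bare `mount,` grants libvirtd every mount operation (any filesystem type, options, source and target), a much larger step than the neighbouring `capability sys_resource,` and the class of rule the `# Very lenient profile` caveat later in the file is already apologising for. AppArmor mount rules can be scoped, so the denial that prompted this should be narrowed to something like `mount fstype=<FSTYPE-FROM-LOG> options=(<OPTS-FROM-LOG>) -> <TARGET-FROM-LOG>,` and given a `# Needed for ...` comment in the style of the `# Needed for vfio` line above it. The enclosing profile starts outside the hunk.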
@@ -37,9 +39,17 @@
network packet dgram,
network packet raw,
+ network netlink raw,
+ network unix dgram,
+ network unix stream,
+
ptrace (trace) peer=unconfined,
ptrace (trace) peer=/usr/sbin/libvirtd,
ptrace (trace) peer=libvirt-*,
+ ptrace (trace) peer=/usr/sbin/dnsmasq,
+
+ signal (send) set=("hup") peer=/usr/sbin/dnsmasq,
+ signal (send) set=("term") peer=libvirt-*,
# Very lenient profile for libvirtd since we want to first focus on confining
# the guests. Guests will have a very restricted profile.
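Review bot: `ptrace (trace) peer=/usr/sbin/dnsmasq,` is broader than the adjacent interaction suggests: the `signal (send) set=("hup")` rule is the usual way to make dnsmasq reload its host files, and checking whether it is still alive only needs /proc reads, which `ptrace (read) peer=/usr/sbin/dnsmasq,` covers. The audit entry's `requested_mask` shows whether `read` or `trace` was actually denied; keep `trace` only if the log asked for it. `network netlink raw,` on the same hunk deserves a comment in the file's existing `# Needed for ...` style naming what triggered it.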