From 4a0f31c377d3d8862dd8db16742b38a3c36c71fc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 13 Nov 2024 14:22:04 +0000
Subject: [PATCH] feat: profiles and integration tests improvments.
---
 .github/workflows/main.yml | 9 ++++++++-
 apparmor.d/abstractions/app/sudo | 7 +++----
 apparmor.d/abstractions/attached/base | 2 ++
 apparmor.d/groups/bus/dbus-system | 2 +-
 apparmor.d/groups/network/NetworkManager | 5 +++--
 apparmor.d/groups/network/netplan.script | 6 ++++++
 apparmor.d/groups/ssh/ssh-keygen | 1 +
 apparmor.d/groups/systemd/hostnamectl | 1 +
 apparmor.d/profiles-s-z/sudo | 2 --
 tests/bats/homectl.bats | 1 +
 tests/bats/snap.bats | 1 -
 tests/bats/systemd-id128.bats | 6 ------
 tests/requirements.sh | 2 +-
 13 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 59449cb4c..0c61e1b2c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,6 +15,7 @@ jobs:
 build:
 runs-on: ${{ matrix.os }}
+ needs: check
 strategy:
 matrix:
 os:
@@ -93,7 +94,6 @@ jobs:
 sudo apt-get install -y \
 apparmor-profiles apparmor-utils \
 bats bats-support
- bash tests/requirements.sh
 - name: Install apparmor.d
 run: |
@@ -101,6 +101,13 @@ jobs:
 sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
 sudo systemctl restart apparmor.service
+ - name: Github Action specific requirements
+ run: |
+ bash tests/requirements.sh
+ sudo systemctl restart snapd
+ sudo systemctl restart systemd-hostnamed
+ sudo systemctl restart systemd-logind
+
 - name: Run the bats integration tests
 run: |
 make bats
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index 385ded540..4e63b976c 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
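Review bot: The new `Github Action specific requirements` step restarts snapd, systemd-hostnamed and systemd-logind without saying why, so a reader cannot tell whether this is a runner-image workaround or something the test suite relies on. Presumably the restarts make daemons that were already running before `Install apparmor.d` re-exec so they are confined by the profiles that step just loaded; if so, a step-level comment such as `# re-exec long-running services so they run under the freshly loaded profiles` would make that explicit and tell a maintainer when an extra service needs adding here. Note that the preceding `sudo dpkg --install ... || true` masks an install failure, so these restarts (and the bats run) can proceed against an unpatched policy set; that line is unchanged context, but the new step now depends on it.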
@@ -24,10 +24,9 @@ network netlink raw,
 # PAM
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.logi1.Manager
- member=CreateSession
- peer=(name=org.freedesktop.login1, label=systemd-logind),
+ unix bind type=stream addr=@@{hex16}/bus/sudo/system,
+
+ #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 dbus (send receive) bus=session path=/org/freedesktop/systemd1
 interface=org.freedesktop.systemd.Manager
diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base
index 1f37de00d..9a53d1548 100644
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@@ -7,8 +7,10 @@ abi ,
+ @{att}/@{run}/systemd/journal/dev-log w,
 @{att}/@{run}/systemd/journal/socket w,
+ deny /apparmor/.null rw,
 deny @{att}/apparmor/.null rw,
 include if exists
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index 6ef4e44ea..e4eef2753 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -33,7 +33,7 @@ profile dbus-system flags=(attach_disconnected) {
 ptrace (read) peer=@{p_systemd},
- #aa:dbus own bus=system name=org.freedesktop.DBus
+ #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
 @{exec_path} mrix,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index de4644bdd..f5b9e921d 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -128,10 +128,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+rfkill:* r,
 @{run}/udev/data/n@{int} r,
- @{sys}/devices/**/uevent r,
- @{sys}/devices/virtual/net/{,**} r,
 @{sys}/devices/@{pci}/net/*/{,**} r,
 @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r,
+ @{sys}/devices/**/@{uuid}/net/*/{,**} r,
+ @{sys}/devices/**/uevent r,
+ @{sys}/devices/virtual/net/{,**} r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/environ r,
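Review bot: The `#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind` directive grants considerably more than the rule it replaces, which was limited to sending the `CreateSession` member on `/org/freedesktop/login1` (and, because of the `logi1` typo in its `interface=`, probably never matched at all). Since `abstractions/app/sudo` is included by every sudo-like profile, the widening applies to all of them; if PAM only needs `CreateSession`, an explicit `dbus send` rule with the interface spelled `org.freedesktop.login1.Manager` would preserve the original least-privilege intent, and otherwise a one-line comment stating why full talk is required would help. Separately, the new `unix bind` address `@@{hex16}/bus/sudo/system` drops the trailing slash of the rule removed from `apparmor.d/profiles-s-z/sudo` (`/bus/sudo/system/`); a comment saying which spelling the running sudo actually binds would avoid a silent denial if the other one was correct.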
diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script
index 7f558a1c4..2331949eb 100644
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@@ -25,12 +25,18 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
 @{run}/NetworkManager/system-connections/ rw,
 @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
+ @{run}/systemd/network/ r,
+ @{run}/systemd/network/10-netplan-*.link w,
+ @{run}/systemd/network/10-netplan-*.network w,
 @{run}/systemd/system/ r,
 @{run}/systemd/system/netplan-* rw,
+ @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
+ @{run}/systemd/system/systemd-networkd-wait-online.service.d/10-netplan.conf w,
 @{run}/systemd/system/systemd-networkd.service.wants/ rw,
 @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
 @{run}/udev/rules.d/ r,
 @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,
+ @{run}/udev/rules.d/99-netplan-*.rules w,
 profile udevadm {
 include
diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen
index 05a21d41f..14cbd3c87 100644
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@@ -22,6 +22,7 @@ profile ssh-keygen @{exec_path} {
 owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,
 /tmp/snapd@{int}/*_*{,.pub} w,
+ /tmp/snapd@{int}/*.key{,.pub} w,
 /dev/tty@{int} rw,
 /dev/ttyS@{int} rw,
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index 91fc31b51..2429d235e 100644
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -10,6 +10,7 @@ include
 profile hostnamectl @{exec_path} {
 include
 include
+ include
 include
 capability net_admin,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index ca9f66d27..1e6748235 100644
--- a/apparmor.d/profiles-s-z/sudo
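Review bot: The new write rules `@{run}/systemd/network/10-netplan-*.link w,`, `@{run}/systemd/network/10-netplan-*.network w,` and `@{run}/udev/rules.d/99-netplan-*.rules w,` have no `{,.@{rand6}}` temp-file suffix, unlike the neighbouring `90-netplan.rules{,.@{rand6}} rw,` and `netplan-*.nmconnection{,.@{rand6}} rw,` rules in the same block. If netplan writes these files the same way it writes the others (temporary name, then rename), the temporary path will be denied and the generator will fail only at runtime; worth confirming against an audit log, or adding the suffix for consistency. The `profile netplan.script` block begins before this hunk and continues past it.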
+++ b/apparmor.d/profiles-s-z/sudo
@@ -31,8 +31,6 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
 signal (send) set=(winch) peer=pacman,
 signal (send) set=(winch, hup, term) peer=rpm,
- unix bind type=stream addr=@@{hex16}/bus/sudo/system/,
-
 @{bin}/@{shells} rUx,
 @{lib}/** PUx,
 /opt/*/** PUx,
diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats
index 2fee79079..2ce622147 100644
--- a/tests/bats/homectl.bats
+++ b/tests/bats/homectl.bats
@@ -7,6 +7,7 @@ load common
 setup_file() {
 aa_setup
+ skip
 }
 # bats test_tags=homectl
diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats
index a54dda828..ef6a292da 100644
--- a/tests/bats/snap.bats
+++ b/tests/bats/snap.bats
@@ -7,7 +7,6 @@ load common
 setup_file() {
 aa_setup
- skip
 }
 # bats test_tags=snap
diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats
index 3b18bd032..9a9def4da 100644
--- a/tests/bats/systemd-id128.bats
+++ b/tests/bats/systemd-id128.bats
@@ -27,12 +27,6 @@ setup_file() {
 aa_check
 }
-# bats test_tags=systemd-id128
-@test "systemd-id128: Print the identifier of the current service invocation (this is available in systemd services)" {
- systemd-id128 invocation-id
- aa_check
-}
-
 # bats test_tags=systemd-id128
 @test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" {
 systemd-id128 new --uuid
diff --git a/tests/requirements.sh b/tests/requirements.sh
index 91adc0031..c12f9249c 100644
--- a/tests/requirements.sh
+++ b/tests/requirements.sh
@@ -19,7 +19,7 @@ arch)
 ;;
 debian | ubuntu | whonix)
 sudo apt-get install -y \
- cpuid dfc systemd-userdbd
+ cpuid dfc systemd-userdbd systemd-homed tlp
 ;;
 opensuse*)
 ;;
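Review bot: The `skip` added to `setup_file` in `tests/bats/homectl.bats` gives no reason, so every homectl test is silently skipped even though `tests/requirements.sh` in this same commit starts installing `systemd-homed`, which reads as contradictory. bats' `skip` takes an optional message; writing `skip "<why homectl cannot run on the CI runner>"` (placeholder text) records the reason in the test output and tells the next maintainer when the skip can be lifted. The same applies retroactively to the bare `skip` being removed from `snap.bats`, which suggests the pattern is repo-wide and would benefit from a short comment in `tests/bats/common`.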