felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: apply new linter recommendations.

Browse source
This commit is contained in:
Alexandre Pujol 2025-07-26 16:54:02 +02:00 committed by Alex
parent 9c55d62b85
commit 031e1b2b07
43 changed files with 67 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/cron/cron-debtags
View file

@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} {
include <abstractions/base>
@{exec_path} r,
@{sh_path} rix,
/usr/bin/debtags rPx,
@{sh_path} rix,
@{bin}/debtags rPx,
include if exists <local/cron-debtags>
}

3
apparmor.d/groups/filesystem/udiskie-info
View file

@ -15,7 +15,8 @@ profile udiskie-info @{exec_path} {
@{exec_path} r,
@{python_path} r,
/usr/bin/ r,
@{bin}/ r,
@{sbin}/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,

3
apparmor.d/groups/filesystem/udiskie-mount
View file

@ -15,7 +15,8 @@ profile udiskie-mount @{exec_path} {
@{exec_path} r,
@{python_path} r,
/usr/bin/ r,
@{bin}/ r,
@{sbin}/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,

3
apparmor.d/groups/filesystem/udiskie-umount
View file

@ -15,7 +15,8 @@ profile udiskie-umount @{exec_path} {
@{exec_path} r,
@{python_path} r,
/usr/bin/ r,
@{bin}/ r,
@{sbin}/ r,
owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r,

6
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -100,9 +100,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
owner /.fscrypt/protectors/@{hex16} r,
/home/ r,
/home/.fscrypt/policies/ r,
owner /home/.fscrypt/policies/@{hex32} r,
owner /home/.fscrypt/protectors/@{hex16}.link r,
/home/.fscrypt/policies/ r, #aa:lint ignore
owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore
owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore
owner @{HOME}/.pam_environment r,

4
apparmor.d/groups/gpg/gpgsm
View file

@ -23,11 +23,11 @@ profile gpgsm @{exec_path} {
/etc/gcrypt/hwf.deny r,
deny /usr/bin/.gnupg/ w,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
deny @{bin}/.gnupg/ w,
include if exists <local/gpgsm>
}

2
apparmor.d/groups/grub/grub-multi-install
View file

@ -26,7 +26,7 @@ profile grub-multi-install @{exec_path} {
@{bin}/udevadm rPx,
/usr/share/debconf/frontend rix,
/usr/lib/terminfo/x/xterm-256color r,
@{lib}/terminfo/x/xterm-256color r,
/usr/share/debconf/confmodule r,
/boot/grub/grub.cfg rw,

2
apparmor.d/groups/kde/sddm
View file

@ -114,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{etc_ro}/sddm/Xsession rPx,
@{etc_ro}/X11/xdm/Xsession rPx,
/usr/etc/X11/xdm/Xsetup rix,
@{etc_ro}/X11/xdm/Xsetup rix,
/usr/share/sddm/scripts/wayland-session rix,
/usr/share/sddm/scripts/Xsession rix,
/usr/share/sddm/scripts/Xsetup rix,

2
apparmor.d/groups/network/mullvad-daemon
View file

@ -30,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
network netlink raw,
network netlink dgram,
mount fstype=cgroup -> /sys/fs/cgroup/net_cls/,
mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/,
@{exec_path} mr,

2
apparmor.d/groups/pacman/archlinux-java
View file

@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/dirname rix,
@{bin}/find rix,
@{bin}/id rix,

2
apparmor.d/groups/pacman/paccache
View file

@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/bash rix,
@{bin}/cat rix,
@{bin}/gettext rix,
@{bin}/gpg{,2} rix,

2
apparmor.d/groups/pacman/pacman-hook-dconf
View file

@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} {
@{exec_path} mr,
@{bin}/bash rix,
@{sh_path} rix,
@{bin}/rm rix,
@{bin}/dconf rPx,

4
apparmor.d/groups/pacman/pacman-hook-depmod
View file

@ -14,13 +14,13 @@ profile pacman-hook-depmod @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/kmod rPx,
@{bin}/rm rix,
@{bin}/rmdir rix,
/usr/lib/modules/*/{,**} rw,
@{lib}/modules/*/{,**} rw,
/dev/tty rw,
/dev/tty@{int} rw,

2
apparmor.d/groups/pacman/pacman-hook-fontconfig
View file

@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} {
@{exec_path} mr,
@{bin}/bash rix,
@{sh_path} rix,
@{bin}/ln rix,
@{bin}/rm rix,

4
apparmor.d/groups/pacman/pacman-hook-gio
View file

@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} {
@{exec_path} mr,
@{bin}/bash rix,
@{sh_path} rix,
@{bin}/rmdir rix,
@{bin}/gio-querymodules rPx,
@{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw,
@{lib}/gtk-{3,4}.0/**/*/ rw,
/usr/lib/gio/modules/ rw,
@{lib}/gio/modules/ rw,
/dev/tty rw,

2
apparmor.d/groups/pacman/pacman-hook-gtk
View file

@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} {
@{exec_path} mr,
@{bin}/bash rix,
@{sh_path} rix,
@{bin}/rm rix,
@{bin}/rmdir rix,

2
apparmor.d/groups/pacman/pacman-hook-mkinitcpio
View file

@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/bash rix,
@{sh_path} rix,
@{bin}/cmp rix,
@{bin}/compgen rix,
@{bin}/env rix,

2
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
View file

@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
@{exec_path} mr,
@{bin}/bash rix,
@{sh_path} rix,
@{bin}/cmp rix,
@{bin}/mv rix,
@{bin}/rm rix,

4
apparmor.d/groups/pacman/pacman-key
View file

@ -16,9 +16,9 @@ profile pacman-key @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/chmod rix,
@{bin}/gettext rix,
@{bin}/gpg{,2} rCx -> &gpg,
@ -60,7 +60,7 @@ profile pacman-key @{exec_path} {
/etc/pacman.d/gnupg/ rw,
/etc/pacman.d/gnupg/** rwkl,
@{HOME}/.gnupg/gpg.conf r,
@{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,

2
apparmor.d/groups/procps/sysctl
View file

@ -22,7 +22,7 @@ profile sysctl @{exec_path} {
/etc/sysctl.conf r,
/etc/sysctl.d/{,**} r,
/usr/lib/sysctl.d/{,**} r,
@{lib}/sysctl.d/{,**} r,
/etc/ufw/sysctl.conf r, # Add support for ufw

3
apparmor.d/groups/systemd/systemd-binfmt
View file

@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/* r,
@{sbin}/* r,
# Config file locations
/etc/binfmt.d/{,*.conf} r,
@{run}/binfmt.d/{,*.conf} r,
/usr/lib/binfmt.d/{,*.conf} r,
@{lib}/binfmt.d/{,*.conf} r,
@{PROC}/sys/fs/binfmt_misc/register w,
@{PROC}/sys/fs/binfmt_misc/status w,

2
apparmor.d/groups/systemd/systemd-sysctl
View file

@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
@{run}/sysctl.d/{,*.conf} r,
/etc/sysctl.conf r,
/etc/sysctl.d/{,*.conf} r,
/usr/lib/sysctl.d/{,*.conf} r,
@{lib}/sysctl.d/{,*.conf} r,
@{PROC}/sys/** rw,

2
apparmor.d/groups/systemd/systemd-sysusers
View file

@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
# Config file locations
/etc/sysusers.d/{,*.conf} r,
@{run}/sysusers.d/{,*.conf} r,
/usr/lib/sysusers.d/{,*.conf} r,
@{lib}/sysusers.d/{,*.conf} r,
# Where the users can be created,
/home/{,*} rw,

4
apparmor.d/groups/systemd/systemd-tmpfiles
View file

@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
# Config file locations
/etc/tmpfiles.d/{,*.conf} r,
@{run}/tmpfiles.d/{,*.conf} r,
/usr/lib/tmpfiles.d/{,*.conf} r,
@{lib}/tmpfiles.d/{,*.conf} r,
@{user_config_dirs}/user-tmpfiles.d/{,*.conf} r,
@{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r,
@{user_share_dirs}/user-tmpfiles.d/{,*.conf} r,
@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
/etc/{,**} rw,
/home/ rw,
/opt/{,**} rw,
/run/{,**} rw,
@{run}/{,**} rw,
/srv/{,**} rw,
/tmp/{,**} rwk,
/usr/{,**} rw,

2
apparmor.d/groups/ubuntu/apt_news
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py
@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py
profile apt_news @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/common/apt>

2
apparmor.d/groups/ubuntu/esm_cache
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py
@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py
profile esm_cache @{exec_path} {
include <abstractions/base>
include <abstractions/python>

2
apparmor.d/groups/ubuntu/subiquity-console-conf
View file

@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} {
@{bin}/ssh-keygen rPx,
@{sbin}/sshd rPx,
@{bin}/snap rPUx,
/usr/lib/snapd/snap-recovery-chooser rPUx,
@{lib}/snapd/snap-recovery-chooser rPUx,
/usr/share/netplan/netplan.script rPx,
/usr/share/subiquity/{,**} r,

4
apparmor.d/groups/virt/containerd-shim-runc-v2
View file

@ -25,8 +25,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
signal (send) set=kill peer=cri-containerd.apparmor.d,
signal (receive) set=kill peer=containerd,
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
@{exec_path} mrix,

4
apparmor.d/groups/virt/dockerd
View file

@ -38,7 +38,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
mount /tmp/containerd-mount@{int}/,
mount /var/lib/docker/**/,
mount options=(rw bind) -> /run/docker/netns/*,
mount options=(rw bind) -> @{run}/docker/netns/*,
mount options=(rw rprivate) -> /.pivot_root@{int}/,
mount options=(rw rslave) -> /,
@ -46,7 +46,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
remount /var/lib/docker/**/,
umount /.pivot_root@{int}/,
umount /run/docker/netns/*,
umount @{run}/docker/netns/*,
umount /tmp/containerd-mount@{int}/,
umount /var/lib/docker/**/,