felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: apply new linter recommendations.

Browse source
This commit is contained in:
Alexandre Pujol 2025-07-26 16:54:02 +02:00 committed by Alex
parent 9c55d62b85
commit 031e1b2b07
43 changed files with 67 additions and 63 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/abstractions/app/open
View file

@ -36,7 +36,7 @@
/etc/xdg/menus/ r, /etc/xdg/menus/ r,
owner @{run}/user//@{uid}/#@{int} rw, owner @{run}/user/@{uid}/#@{int} rw,
owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
@{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/random/boot_id r,

4
apparmor.d/abstractions/ibus.d/complete
View file

@ -15,11 +15,11 @@
# peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"),
unix (connect, receive, send) unix (connect, receive, send)
type=stream type=stream
peer=(addr="@/home/*/.cache/ibus/dbus-????????"), peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore
unix (connect, send, receive, accept, bind, listen) unix (connect, send, receive, accept, bind, listen)
type=stream type=stream
addr="@/home/*/.cache/ibus/dbus-????????", addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore
dbus receive bus=session path=/org/freedesktop/IBus dbus receive bus=session path=/org/freedesktop/IBus
interface=org.freedesktop.DBus.Peer interface=org.freedesktop.DBus.Peer

4
apparmor.d/groups/cron/cron-debtags
View file

@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} {
include <abstractions/base> include <abstractions/base>
@{exec_path} r, @{exec_path} r,
@{sh_path} rix,
/usr/bin/debtags rPx, @{sh_path} rix,
@{bin}/debtags rPx,
include if exists <local/cron-debtags> include if exists <local/cron-debtags>
} }

3
apparmor.d/groups/filesystem/udiskie-info
View file

@ -15,7 +15,8 @@ profile udiskie-info @{exec_path} {
@{exec_path} r, @{exec_path} r,
@{python_path} r, @{python_path} r,
/usr/bin/ r, @{bin}/ r,
@{sbin}/ r,
owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r, owner @{user_config_dirs}/udiskie/config.yml r,

3
apparmor.d/groups/filesystem/udiskie-mount
View file

@ -15,7 +15,8 @@ profile udiskie-mount @{exec_path} {
@{exec_path} r, @{exec_path} r,
@{python_path} r, @{python_path} r,
/usr/bin/ r, @{bin}/ r,
@{sbin}/ r,
owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r, owner @{user_config_dirs}/udiskie/config.yml r,

3
apparmor.d/groups/filesystem/udiskie-umount
View file

@ -15,7 +15,8 @@ profile udiskie-umount @{exec_path} {
@{exec_path} r, @{exec_path} r,
@{python_path} r, @{python_path} r,
/usr/bin/ r, @{bin}/ r,
@{sbin}/ r,
owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/ r,
owner @{user_config_dirs}/udiskie/config.yml r, owner @{user_config_dirs}/udiskie/config.yml r,

6
apparmor.d/groups/gnome/gdm-session-worker
View file

@ -100,9 +100,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
owner /.fscrypt/protectors/@{hex16} r, owner /.fscrypt/protectors/@{hex16} r,
/home/ r, /home/ r,
/home/.fscrypt/policies/ r, /home/.fscrypt/policies/ r, #aa:lint ignore
owner /home/.fscrypt/policies/@{hex32} r, owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore
owner /home/.fscrypt/protectors/@{hex16}.link r, owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore
owner @{HOME}/.pam_environment r, owner @{HOME}/.pam_environment r,

4
apparmor.d/groups/gpg/gpgsm
View file

@ -23,11 +23,11 @@ profile gpgsm @{exec_path} {
/etc/gcrypt/hwf.deny r, /etc/gcrypt/hwf.deny r,
deny /usr/bin/.gnupg/ w, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, deny @{bin}/.gnupg/ w,
include if exists <local/gpgsm> include if exists <local/gpgsm>
} }

2
apparmor.d/groups/grub/grub-multi-install
View file

@ -26,7 +26,7 @@ profile grub-multi-install @{exec_path} {
@{bin}/udevadm rPx, @{bin}/udevadm rPx,
/usr/share/debconf/frontend rix, /usr/share/debconf/frontend rix,
/usr/lib/terminfo/x/xterm-256color r, @{lib}/terminfo/x/xterm-256color r,
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,
/boot/grub/grub.cfg rw, /boot/grub/grub.cfg rw,

2
apparmor.d/groups/kde/sddm
View file

@ -114,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{etc_ro}/sddm/Xsession rPx, @{etc_ro}/sddm/Xsession rPx,
@{etc_ro}/X11/xdm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx,
/usr/etc/X11/xdm/Xsetup rix, @{etc_ro}/X11/xdm/Xsetup rix,
/usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/wayland-session rix,
/usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsession rix,
/usr/share/sddm/scripts/Xsetup rix, /usr/share/sddm/scripts/Xsetup rix,

2
apparmor.d/groups/network/mullvad-daemon
View file

@ -30,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
network netlink dgram, network netlink dgram,
mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/,
@{exec_path} mr, @{exec_path} mr,

2
apparmor.d/groups/pacman/archlinux-java
View file

@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/bash rix,
@{bin}/dirname rix, @{bin}/dirname rix,
@{bin}/find rix, @{bin}/find rix,
@{bin}/id rix, @{bin}/id rix,

2
apparmor.d/groups/pacman/paccache
View file

@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
@{bin}/bash rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/gettext rix, @{bin}/gettext rix,
@{bin}/gpg{,2} rix, @{bin}/gpg{,2} rix,

2
apparmor.d/groups/pacman/pacman-hook-dconf
View file

@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bash rix, @{sh_path} rix,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/dconf rPx, @{bin}/dconf rPx,

4
apparmor.d/groups/pacman/pacman-hook-depmod
View file

@ -14,13 +14,13 @@ profile pacman-hook-depmod @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/bash rix,
@{bin}/kmod rPx, @{bin}/kmod rPx,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/rmdir rix, @{bin}/rmdir rix,
/usr/lib/modules/*/{,**} rw, @{lib}/modules/*/{,**} rw,
/dev/tty rw, /dev/tty rw,
/dev/tty@{int} rw, /dev/tty@{int} rw,

2
apparmor.d/groups/pacman/pacman-hook-fontconfig
View file

@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bash rix, @{sh_path} rix,
@{bin}/ln rix, @{bin}/ln rix,
@{bin}/rm rix, @{bin}/rm rix,

4
apparmor.d/groups/pacman/pacman-hook-gio
View file

@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bash rix, @{sh_path} rix,
@{bin}/rmdir rix, @{bin}/rmdir rix,
@{bin}/gio-querymodules rPx, @{bin}/gio-querymodules rPx,
@{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw,
@{lib}/gtk-{3,4}.0/**/*/ rw, @{lib}/gtk-{3,4}.0/**/*/ rw,
/usr/lib/gio/modules/ rw, @{lib}/gio/modules/ rw,
/dev/tty rw, /dev/tty rw,

2
apparmor.d/groups/pacman/pacman-hook-gtk
View file

@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bash rix, @{sh_path} rix,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/rmdir rix, @{bin}/rmdir rix,

2
apparmor.d/groups/pacman/pacman-hook-mkinitcpio
View file

@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bash rix, @{sh_path} rix,
@{bin}/cmp rix, @{bin}/cmp rix,
@{bin}/compgen rix, @{bin}/compgen rix,
@{bin}/env rix, @{bin}/env rix,

2
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
View file

@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/bash rix, @{sh_path} rix,
@{bin}/cmp rix, @{bin}/cmp rix,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/rm rix, @{bin}/rm rix,

4
apparmor.d/groups/pacman/pacman-key
View file

@ -16,9 +16,9 @@ profile pacman-key @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix,
@{bin}/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/bash rix,
@{bin}/chmod rix, @{bin}/chmod rix,
@{bin}/gettext rix, @{bin}/gettext rix,
@{bin}/gpg{,2} rCx -> &gpg, @{bin}/gpg{,2} rCx -> &gpg,
@ -60,7 +60,7 @@ profile pacman-key @{exec_path} {
/etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/ rw,
/etc/pacman.d/gnupg/** rwkl, /etc/pacman.d/gnupg/** rwkl,
@{HOME}/.gnupg/gpg.conf r, @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,

2
apparmor.d/groups/procps/sysctl
View file

@ -22,7 +22,7 @@ profile sysctl @{exec_path} {
/etc/sysctl.conf r, /etc/sysctl.conf r,
/etc/sysctl.d/{,**} r, /etc/sysctl.d/{,**} r,
/usr/lib/sysctl.d/{,**} r, @{lib}/sysctl.d/{,**} r,
/etc/ufw/sysctl.conf r, # Add support for ufw /etc/ufw/sysctl.conf r, # Add support for ufw

3
apparmor.d/groups/systemd/systemd-binfmt
View file

@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{bin}/* r, @{bin}/* r,
@{sbin}/* r,
# Config file locations # Config file locations
/etc/binfmt.d/{,*.conf} r, /etc/binfmt.d/{,*.conf} r,
@{run}/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r,
/usr/lib/binfmt.d/{,*.conf} r, @{lib}/binfmt.d/{,*.conf} r,
@{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/register w,
@{PROC}/sys/fs/binfmt_misc/status w, @{PROC}/sys/fs/binfmt_misc/status w,

2
apparmor.d/groups/systemd/systemd-sysctl
View file

@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
@{run}/sysctl.d/{,*.conf} r, @{run}/sysctl.d/{,*.conf} r,
/etc/sysctl.conf r, /etc/sysctl.conf r,
/etc/sysctl.d/{,*.conf} r, /etc/sysctl.d/{,*.conf} r,
/usr/lib/sysctl.d/{,*.conf} r, @{lib}/sysctl.d/{,*.conf} r,
@{PROC}/sys/** rw, @{PROC}/sys/** rw,

2
apparmor.d/groups/systemd/systemd-sysusers
View file

@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
# Config file locations # Config file locations
/etc/sysusers.d/{,*.conf} r, /etc/sysusers.d/{,*.conf} r,
@{run}/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r,
/usr/lib/sysusers.d/{,*.conf} r, @{lib}/sysusers.d/{,*.conf} r,
# Where the users can be created, # Where the users can be created,
/home/{,*} rw, /home/{,*} rw,

4
apparmor.d/groups/systemd/systemd-tmpfiles
View file

@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
# Config file locations # Config file locations
/etc/tmpfiles.d/{,*.conf} r, /etc/tmpfiles.d/{,*.conf} r,
@{run}/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r,
/usr/lib/tmpfiles.d/{,*.conf} r, @{lib}/tmpfiles.d/{,*.conf} r,
@{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r,
@{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r,
@{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r,
@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
/etc/{,**} rw, /etc/{,**} rw,
/home/ rw, /home/ rw,
/opt/{,**} rw, /opt/{,**} rw,
/run/{,**} rw, @{run}/{,**} rw,
/srv/{,**} rw, /srv/{,**} rw,
/tmp/{,**} rwk, /tmp/{,**} rwk,
/usr/{,**} rw, /usr/{,**} rw,

2
apparmor.d/groups/ubuntu/apt_news
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py @{exec_path} = @{lib}/ubuntu-advantage/apt_news.py
profile apt_news @{exec_path} flags=(attach_disconnected) { profile apt_news @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/apt> include <abstractions/common/apt>

2
apparmor.d/groups/ubuntu/esm_cache
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py @{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py
profile esm_cache @{exec_path} { profile esm_cache @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/python> include <abstractions/python>

2
apparmor.d/groups/ubuntu/subiquity-console-conf
View file

@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} {
@{bin}/ssh-keygen rPx, @{bin}/ssh-keygen rPx,
@{sbin}/sshd rPx, @{sbin}/sshd rPx,
@{bin}/snap rPUx, @{bin}/snap rPUx,
/usr/lib/snapd/snap-recovery-chooser rPUx, @{lib}/snapd/snap-recovery-chooser rPUx,
/usr/share/netplan/netplan.script rPx, /usr/share/netplan/netplan.script rPx,
/usr/share/subiquity/{,**} r, /usr/share/subiquity/{,**} r,

4
apparmor.d/groups/virt/containerd-shim-runc-v2
View file

@ -25,8 +25,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
signal (send) set=kill peer=cri-containerd.apparmor.d, signal (send) set=kill peer=cri-containerd.apparmor.d,
signal (receive) set=kill peer=containerd, signal (receive) set=kill peer=containerd,
mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
@{exec_path} mrix, @{exec_path} mrix,

4
apparmor.d/groups/virt/dockerd
View file

@ -38,7 +38,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
mount /tmp/containerd-mount@{int}/, mount /tmp/containerd-mount@{int}/,
mount /var/lib/docker/**/, mount /var/lib/docker/**/,
mount options=(rw bind) -> /run/docker/netns/*, mount options=(rw bind) -> @{run}/docker/netns/*,
mount options=(rw rprivate) -> /.pivot_root@{int}/, mount options=(rw rprivate) -> /.pivot_root@{int}/,
mount options=(rw rslave) -> /, mount options=(rw rslave) -> /,
@ -46,7 +46,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
remount /var/lib/docker/**/, remount /var/lib/docker/**/,
umount /.pivot_root@{int}/, umount /.pivot_root@{int}/,
umount /run/docker/netns/*, umount @{run}/docker/netns/*,
umount /tmp/containerd-mount@{int}/, umount /tmp/containerd-mount@{int}/,
umount /var/lib/docker/**/, umount /var/lib/docker/**/,

2
apparmor.d/profiles-a-f/aspell
View file

@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) {
/usr/share/aspell/{,*} r, /usr/share/aspell/{,*} r,
/usr/lib/aspell/{,*} r, @{lib}/aspell/{,*} r,
/var/lib/aspell/{,*} r, /var/lib/aspell/{,*} r,
/var/lib/aspell/*.rws rw, /var/lib/aspell/*.rws rw,

4
apparmor.d/profiles-a-f/aspell-autobuildhash
View file

@ -32,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
/usr/share/aspell/{,*} r, /usr/share/aspell/{,*} r,
/usr/lib/aspell/{,*} r, @{lib}/aspell/{,*} r,
/usr/lib/aspell/*.rws rw, @{lib}/aspell/*.rws rw,
/var/lib/aspell/ r, /var/lib/aspell/ r,
/var/lib/aspell/* rw, /var/lib/aspell/* rw,

2
apparmor.d/profiles-g-l/gajim
View file

@ -73,7 +73,7 @@ profile gajim @{exec_path} {
owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/gajim/** rwk,
owner @{user_cache_dirs}/farstream/ rw, owner @{user_cache_dirs}/farstream/ rw,
owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,

2
apparmor.d/profiles-g-l/gpu-manager
View file

@ -20,7 +20,7 @@ profile gpu-manager @{exec_path} {
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
/etc/modprobe.d/{,**} r, /etc/modprobe.d/{,**} r,
/usr/lib/modprobe.d/{,**} r, @{lib}/modprobe.d/{,**} r,
/var/lib/ubuntu-drivers-common/* rw, /var/lib/ubuntu-drivers-common/* rw,

7
apparmor.d/profiles-g-l/hardinfo
View file

@ -58,7 +58,7 @@ profile hardinfo @{exec_path} {
@{bin}/netstat rPx, @{bin}/netstat rPx,
@{bin}/qtchooser rPx, @{bin}/qtchooser rPx,
@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac,
/usr/share/gdb/python/ r, /usr/share/gdb/python/ r,
/usr/share/gdb/python/** r, /usr/share/gdb/python/** r,
@ -132,9 +132,8 @@ profile hardinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr,
@{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr,
@{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr,
/etc/java-[0-9]*-openjdk/** r, /etc/java-[0-9]*-openjdk/** r,

4
apparmor.d/profiles-g-l/hwinfo
View file

@ -13,9 +13,9 @@ profile hwinfo @{exec_path} {
include <abstractions/disks-read> include <abstractions/disks-read>
capability net_raw, # Needed for network related options capability net_raw, # Needed for network related options
capability sys_admin, # Needed for /proc/ioports capability sys_admin, # Needed for @{PROC}/ioports
capability sys_rawio, # Needed for disk related options capability sys_rawio, # Needed for disk related options
capability syslog, # Needed for /proc/kmsg capability syslog, # Needed for @{PROC}/kmsg
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,

4
apparmor.d/profiles-g-l/ip
View file

@ -20,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
mount fstype=sysfs -> /sys/, mount fstype=sysfs -> @{sys},
mount options=(rw bind) / -> @{run}/netns/*, mount options=(rw bind) / -> @{run}/netns/*,
mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/,
mount options=(rw, bind) @{att}/ -> @{run}/netns/*, mount options=(rw, bind) @{att}/ -> @{run}/netns/*,
@ -29,7 +29,7 @@ profile ip @{exec_path} flags=(attach_disconnected) {
mount options=(rw, rslave) -> /, mount options=(rw, rslave) -> /,
umount @{run}/netns/*, umount @{run}/netns/*,
umount /sys/, umount @{sys},
@{exec_path} mrix, @{exec_path} mrix,

2
apparmor.d/profiles-g-l/kmod
View file

@ -74,7 +74,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
/etc/sysctl.conf r, /etc/sysctl.conf r,
/etc/sysctl.d/{,**} r, /etc/sysctl.d/{,**} r,
/usr/lib/sysctl.d/{,**} r, @{lib}/sysctl.d/{,**} r,
include if exists <local/kmod_sysctl> include if exists <local/kmod_sysctl>
} }

5
apparmor.d/profiles-m-r/mkinitramfs
View file

@ -69,10 +69,11 @@ profile mkinitramfs @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/linux-version rPx, @{bin}/linux-version rPx,
/usr/share/initramfs-tools/hooks/** rPx, @{lib}/initramfs-tools/hooks/** rPx,
/usr/share/initramfs-tools/scripts/** rPx,
/etc/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/hooks/** rPx,
/etc/initramfs-tools/scripts/** rPx, /etc/initramfs-tools/scripts/** rPx,
/usr/share/initramfs-tools/hooks/** rPx,
/usr/share/initramfs-tools/scripts/** rPx,
/usr/share/initramfs-tools/{,**} r, /usr/share/initramfs-tools/{,**} r,
/etc/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r,

6
apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
View file

@ -19,14 +19,14 @@ profile needrestart-iucode-scan-versions @{exec_path} {
@{sbin}/iucode_tool rix, @{sbin}/iucode_tool rix,
/usr/share/misc/ r, /usr/share/misc/ r,
/usr/share/misc/amd64-microcode* r, /usr/share/misc/amd-microcode* r
/usr/share/misc/intel-microcode* r, /usr/share/misc/intel-microcode* r,
/etc/default/amd64-microcode r, /etc/default/amd-microcode r,
/etc/default/intel-microcode r, /etc/default/intel-microcode r,
/etc/needrestart/iucode.sh r, /etc/needrestart/iucode.sh r,
/boot/amd64-ucode.img r, /boot/amd-ucode.img r,
/boot/intel-ucode.img r, /boot/intel-ucode.img r,
/boot/early_ucode.cpio r, /boot/early_ucode.cpio r,

2
apparmor.d/profiles-m-r/pcb-gtk
View file

@ -20,7 +20,7 @@ profile pcb-gtk @{exec_path} {
/usr/share/pcb/ListLibraryContents.sh rix, /usr/share/pcb/ListLibraryContents.sh rix,
@{bin}/dash rix, @{sh_path} rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/tr rix, @{bin}/tr rix,

2
apparmor.d/profiles-m-r/resolvconf
View file

@ -26,7 +26,7 @@ profile resolvconf @{exec_path} {
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{lib}/resolvconf/list-records rix, @{lib}/resolvconf/list-records rix,
/usr/lib/resolvconf/{,**} r, @{lib}/resolvconf/{,**} r,
@{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf.bak rw,
@{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf rw,