felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add 'if exists' to some include.

Browse source
This commit is contained in:
Alexandre Pujol 2021-04-01 23:26:06 +01:00
parent 79904cb616
commit 08c220deee
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
18 changed files with 24 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/abstractions/evince
View file

@ -120,5 +120,4 @@
include <abstractions/private-files-strict> include <abstractions/private-files-strict>
#owner @{HOME}/.mozilla/**/*Cache/* r, #owner @{HOME}/.mozilla/**/*Cache/* r,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.bin.evince>
include <local/usr.bin.evince>

3
apparmor.d/abstractions/libvirt-lxc
View file

@ -117,5 +117,4 @@
deny /sys/fs/cgroup?*{,/**} wklx, deny /sys/fs/cgroup?*{,/**} wklx,
deny /sys/fs?*{,/**} wklx, deny /sys/fs?*{,/**} wklx,
# Site-specific additions and overrides. See local/README for details. include if exists <local/abstractions/libvirt-lxc>
#include <local/abstractions/libvirt-lxc>

3
apparmor.d/abstractions/libvirt-qemu
View file

@ -244,5 +244,4 @@
/ r, # harmless on any lsb compliant system / r, # harmless on any lsb compliant system
/sys/bus/nd/devices/{,**/} r, /sys/bus/nd/devices/{,**/} r,
# Site-specific additions and overrides. See local/README for details. include if exists <local/abstractions/libvirt-qemu>
#include <local/abstractions/libvirt-qemu>

15
apparmor.d/groups/apt/usr.sbin.apt-cacher-ng
View file

@ -4,13 +4,13 @@
@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng @{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
#include <tunables/global> include <tunables/global>
profile apt-cacher-ng /usr/sbin/apt-cacher-ng { profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
#include <abstractions/base> include <abstractions/base>
#include <abstractions/nameservice> include <abstractions/nameservice>
#include <abstractions/openssl> include <abstractions/openssl>
#include <abstractions/user-tmp> include <abstractions/user-tmp>
/etc/apt-cacher-ng/ r, /etc/apt-cacher-ng/ r,
/etc/apt-cacher-ng/** r, /etc/apt-cacher-ng/** r,
@ -35,6 +35,5 @@ profile apt-cacher-ng /usr/sbin/apt-cacher-ng {
# used by libevent # used by libevent
@{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/random/uuid r,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.sbin.apt-cacher-ng>
#include <local/usr.sbin.apt-cacher-ng>
} }

2
apparmor.d/groups/browsers/torbrowser.Browser.firefox
View file

@ -148,5 +148,5 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
# Yubikey NEO also needs this: # Yubikey NEO also needs this:
/sys/devices/**/hidraw/hidraw*/uevent r, /sys/devices/**/hidraw/hidraw*/uevent r,
include <local/torbrowser.Browser.firefox> include if exists <local/torbrowser.Browser.firefox>
} }

2
apparmor.d/groups/browsers/torbrowser.Browser.plugin-container
View file

@ -100,5 +100,5 @@ profile torbrowser_plugin_container {
deny /etc/pulse/client.conf r, deny /etc/pulse/client.conf r,
deny /usr/bin/pulseaudio x, deny /usr/bin/pulseaudio x,
include <local/torbrowser.Browser.plugin-container> include if exists <local/torbrowser.Browser.plugin-container>
} }

2
apparmor.d/groups/browsers/torbrowser.Tor.tor
View file

@ -42,5 +42,5 @@ profile torbrowser_tor @{torbrowser_tor_executable} {
# OnionShare compatibility # OnionShare compatibility
/tmp/onionshare/** rw, /tmp/onionshare/** rw,
include <local/torbrowser.Tor.tor> include if exists <local/torbrowser.Tor.tor>
} }

1
apparmor.d/profiles-a-l/child-lsb_release
View file

@ -58,6 +58,5 @@ profile child-lsb_release {
# deny /tmp/gtalkplugin.log w, # deny /tmp/gtalkplugin.log w,
/dev/dri/card[0-9]* rw, /dev/dri/card[0-9]* rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/child-lsb_release> include if exists <local/child-lsb_release>
} }

3
apparmor.d/profiles-m-z/system_tor
View file

@ -21,6 +21,5 @@ profile system_tor flags=(attach_disconnected) {
/{,var/}run/tor/control.authcookie.tmp rw, /{,var/}run/tor/control.authcookie.tmp rw,
/{,var/}run/systemd/notify w, /{,var/}run/systemd/notify w,
# Site-specific additions and overrides. See local/README for details. include if exists <local/system_tor>
include <local/system_tor>
} }

3
apparmor.d/profiles-m-z/usr.bin.irssi
View file

@ -49,6 +49,5 @@ include <tunables/global>
# for fnotify # for fnotify
owner @{HOME}/.irssi/fnotify rwk, owner @{HOME}/.irssi/fnotify rwk,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.bin.irssi>
include <local/usr.bin.irssi>
} }

3
apparmor.d/profiles-m-z/usr.bin.man
View file

@ -49,8 +49,7 @@ include <tunables/global>
signal peer=/usr/bin/man//&man_groff, signal peer=/usr/bin/man//&man_groff,
signal peer=/usr/bin/man//&man_filter, signal peer=/usr/bin/man//&man_filter,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.bin.man>
include <local/usr.bin.man>
} }
profile man_groff { profile man_groff {

3
apparmor.d/profiles-m-z/usr.bin.pidgin
View file

@ -82,6 +82,5 @@ include <tunables/global>
owner @{PROC}/@{pid}/auxv r, owner @{PROC}/@{pid}/auxv r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.bin.pidgin>
include <local/usr.bin.pidgin>
} }

3
apparmor.d/profiles-m-z/usr.bin.tcpdump
View file

@ -60,6 +60,5 @@ profile tcpdump /usr/sbin/tcpdump {
/usr/sbin/tcpdump mr, /usr/sbin/tcpdump mr,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.sbin.tcpdump>
include <local/usr.sbin.tcpdump>
} }

3
apparmor.d/profiles-m-z/usr.bin.totem
View file

@ -54,6 +54,5 @@
/sys/devices/pci[0-9]*/**/config r, /sys/devices/pci[0-9]*/**/config r,
/sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r, /sys/devices/pci[0-9]*/**/{,subsystem_}{device,vendor} r,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.bin.totem>
#include <local/usr.bin.totem>
} }

6
apparmor.d/profiles-m-z/usr.bin.totem-previewers
View file

@ -23,8 +23,7 @@ include <tunables/global>
/usr/bin/totem-video-thumbnailer rm, /usr/bin/totem-video-thumbnailer rm,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.bin.totem-previewers>
include <local/usr.bin.totem-previewers>
} }
/usr/bin/totem-audio-preview flags=(attach_disconnected) { /usr/bin/totem-audio-preview flags=(attach_disconnected) {
@ -37,6 +36,5 @@ include <tunables/global>
owner @{HOME}/[^.]* rw, owner @{HOME}/[^.]* rw,
owner @{HOME}/[^.]*/** rw, owner @{HOME}/[^.]*/** rw,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.bin.totem-previewers>
include <local/usr.bin.totem-previewers>
} }

3
apparmor.d/profiles-m-z/usr.lib.libvirt.virt-aa-helper
View file

@ -69,6 +69,5 @@ profile virt-aa-helper /usr/lib/libvirt/virt-aa-helper {
/**.[iI][sS][oO] r, /**.[iI][sS][oO] r,
/**/disk{,.*} r, /**/disk{,.*} r,
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.lib.libvirt.virt-aa-helper>
include <local/usr.lib.libvirt.virt-aa-helper>
} }

3
apparmor.d/profiles-m-z/usr.sbin.cupsd
View file

@ -173,8 +173,7 @@
unix, unix,
} }
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.sbin.cupsd>
#include <local/usr.sbin.cupsd>
} }
# separate profile since this needs to write into /home # separate profile since this needs to write into /home

3
apparmor.d/profiles-m-z/usr.sbin.libvirtd
View file

@ -136,6 +136,5 @@ profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
} }
# Site-specific additions and overrides. See local/README for details. include if exists <local/usr.sbin.libvirtd>
#include <local/usr.sbin.libvirtd>
} }