feat(profile): cleanup some rules already included in abs.

2024-03-16 21:40:35 +00:00 · 2024-03-16 21:40:35 +00:00 · 0c5e71f971
commit 0c5e71f971
parent b15aaae553
36 changed files with 20 additions and 72 deletions
--- a/apparmor.d/profiles-s-z/YACReader
+++ b/apparmor.d/profiles-s-z/YACReader
@ -43,7 +43,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  /dev/shm/ r,

-        @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,

--- a/apparmor.d/profiles-s-z/YACReaderLibrary
+++ b/apparmor.d/profiles-s-z/YACReaderLibrary
@ -43,7 +43,6 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted

  owner /tmp/@{uuid} w,

-        @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/cmdline r,

  include if exists <local/YACReaderLibrary>
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -80,7 +80,6 @@ profile snap @{exec_path} {
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/cgroups r,
  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/random/boot_id r,
  @{PROC}/sys/kernel/random/uuid r,
  @{PROC}/sys/kernel/seccomp/actions_avail r,
  @{PROC}/version r,
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -169,7 +169,6 @@ profile snapd @{exec_path} {
        @{PROC}/@{pids}/stat r,
        @{PROC}/cgroups r,
        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/sys/kernel/seccomp/actions_avail r,
        @{PROC}/version r,
  owner @{PROC}/@{pids}/cmdline r,
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@ -16,12 +16,12 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  owner @{run}/spice-vdagentd/spice-vdagent-sock r,
-  owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,
        @{run}/systemd/journal/dev-log w,
        @{run}/systemd/seats/seat@{int} r,
        @{run}/systemd/sessions/* r,
        @{run}/systemd/users/@{uid} r,
+  owner @{run}/spice-vdagentd/spice-vdagent-sock r,
+  owner @{run}/spice-vdagentd/spice-vdagentd.pid rw,

  @{PROC}/@{pids}/cgroup r,

--- a/apparmor.d/profiles-s-z/swtpm_setup
+++ b/apparmor.d/profiles-s-z/swtpm_setup
@ -25,7 +25,5 @@ profile swtpm_setup @{exec_path} {
  owner /tmp/swtpm_setup.certs.*/*.cert rw,
  owner /tmp/.swtpm_setup.pidfile* rw,

-  @{run}/systemd/userdb/ r,
-
  include if exists <local/swtpm_setup>
 }
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@ -111,7 +111,6 @@ profile vlc @{exec_path} {
  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,

        @{PROC}/@{pids}/net/if_inet6 r,
-        @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,