New @{uuid} variable.

2022-02-22 13:14:46 +00:00 · 2022-02-22 13:14:46 +00:00 · 0ee2e4f7ad
commit 0ee2e4f7ad
parent 773741c85e
24 changed files with 47 additions and 44 deletions
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -42,20 +42,20 @@ profile bootctl @{exec_path} {

  @{sys}/firmware/dmi/entries/*/raw r,
  @{sys}/firmware/efi/efivars/ r,
-  @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/BootOrder-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFirmwareType-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderImageIdentifier-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderInfo-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderSystemToken-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/OsIndications-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/OsIndicationsSupported-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/SetupMode-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
+  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
+  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,

 owner @{PROC}/@{pid}/cgroup r,
       @{PROC}/sys/kernel/random/poolsize r,
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@ -36,7 +36,7 @@ profile child-systemctl flags=(attach_disconnected) {
        @{PROC}/1/sched r,
        @{PROC}/cmdline r,

-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

  /dev/kmsg w,

--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -57,8 +57,8 @@ profile systemd-analyze @{exec_path} {
  /etc/default/locale r,
  /etc/locale.conf r,

-  @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,

  /dev/tty rw,
  /dev/pts/1 rw,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -58,7 +58,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,

  @{sys}/devices/**/uevent r,
-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/module/printk/parameters/time r,

  @{PROC}/@{pids}/comm r,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -84,10 +84,10 @@ profile systemd-logind @{exec_path} flags=(complain) {
  @{sys}/class/drm/ r,
  @{sys}/power/{state,resume_offset,resume,disk} r,

-  @{sys}/firmware/efi/efivars/OsIndicationsSupported-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/OsIndications-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
-  @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
+  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,

  @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/comm r,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -44,5 +44,5 @@ profile systemd-resolved @{exec_path} {
  @{PROC}/sys/kernel/random/boot_id r,

  # System access
-  @{sys}/firmware/efi/efivars/SecureBoot-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
+  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 }