felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tests(check): enable and enfore more checks.

Browse source
This commit is contained in:
Alexandre Pujol 2025-07-26 23:15:52 +02:00 committed by Alex
parent da4f5f8a2c
commit 1d3b58f15c
57 changed files with 148 additions and 130 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/abstractions/common/app
View file

@ -56,10 +56,10 @@
owner @{HOME}/.var/app/** rmix, owner @{HOME}/.var/app/** rmix,
owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{HOME}/** rwmlk -> @{HOME}/**,
owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/ r,
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide
owner @{user_games_dirs}/** rmix, owner @{user_games_dirs}/** rmix,
#aa:lint ignore=too_wide #aa:lint ignore=too-wide
owner @{tmp}/** rmwk, owner @{tmp}/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**, owner /dev/shm/** rwlk -> /dev/shm/**,
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,

2
apparmor.d/groups/apt/deb-systemd-invoke
View file

@ -20,7 +20,7 @@ profile deb-systemd-invoke @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/systemctl rix, @{bin}/systemctl rix, #aa:lint ignore=transition
@{bin}/systemd-tty-ask-password-agent Px, @{bin}/systemd-tty-ask-password-agent Px,
include if exists <local/deb-systemd-invoke> include if exists <local/deb-systemd-invoke>

2
apparmor.d/groups/apt/debsums
View file

@ -37,7 +37,7 @@ profile debsums @{exec_path} {
/etc/{,**} r, /etc/{,**} r,
/var/lib/{,**} r, /var/lib/{,**} r,
/opt/{,**} r, /opt/{,**} r,
/boot/{,**} r, @{efi}/{,**} r,
/lib*/{,**} r, /lib*/{,**} r,
include if exists <local/debsums> include if exists <local/debsums>

3
apparmor.d/groups/apt/dpkg
View file

@ -43,10 +43,11 @@ profile dpkg @{exec_path} {
# For shell pwd # For shell pwd
/root/ r, /root/ r,
#aa:lint ignore=too-wide
# Install/update packages # Install/update packages
/ r, / r,
/*{,/} rw, /*{,/} rw,
/boot/** rwl -> /boot/**, @{efi}/** rwl -> @{efi}/**,
/etc/** rwl -> /etc/**, /etc/** rwl -> /etc/**,
/opt/** rwl -> /opt/**, /opt/** rwl -> /opt/**,
/srv/** rwl -> /srv/**, /srv/** rwl -> /srv/**,

1
apparmor.d/groups/apt/dpkg-divert
View file

@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} {
/var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-new rw,
/var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
#aa:lint ignore=too-wide
/etc/** rw, /etc/** rw,
include if exists <local/dpkg-divert> include if exists <local/dpkg-divert>

2
apparmor.d/groups/apt/dpkg-scripts
View file

@ -56,6 +56,7 @@ profile dpkg-scripts @{exec_path} {
/etc/** PUx, /etc/** PUx,
/usr/share/** PUx, /usr/share/** PUx,
#aa:lint ignore=too-wide
# Maintainer's scripts can update a lot of files # Maintainer's scripts can update a lot of files
/ r, / r,
/*/ r, /*/ r,
@ -65,6 +66,7 @@ profile dpkg-scripts @{exec_path} {
@{lib}/** w, @{lib}/** w,
/opt/*/** rw, /opt/*/** rw,
#aa:lint ignore=too-wide
/etc/ r, /etc/ r,
/etc/** rw, /etc/** rw,
/usr/share/*/{,**} rw, /usr/share/*/{,**} rw,

4
apparmor.d/groups/filesystem/btrfs
View file

@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
/ r, / r,
/.snapshots/ r, /.snapshots/ r,
/boot/ r, @{efi}/ r,
/boot/**/ r, @{efi}/**/ r,
/home/ r, /home/ r,
/opt/ r, /opt/ r,
/root/ r, /root/ r,

4
apparmor.d/groups/filesystem/udisksd
View file

@ -49,7 +49,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/,
mount options=(rw move) -> @{MOUNTS}/*/, mount options=(rw move) -> @{MOUNTS}/*/,
mount fstype=vfat -> /boot/efi/, mount fstype=vfat -> @{efi}/,
# Allow mounting on temporary mount point # Allow mounting on temporary mount point
mount -> @{run}/udisks2/temp-mount-*/, mount -> @{run}/udisks2/temp-mount-*/,
@ -59,7 +59,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
umount @{MOUNTS}/, umount @{MOUNTS}/,
umount @{MOUNTS}/*/, umount @{MOUNTS}/*/,
umount @{run}/udisks2/temp-mount-*/, umount @{run}/udisks2/temp-mount-*/,
umount /boot/efi/, umount @{efi}/,
umount /media/cdrom@{int}/, umount /media/cdrom@{int}/,
signal receive set=int peer=@{p_systemd}, signal receive set=int peer=@{p_systemd},

13
apparmor.d/groups/gnome/gdm-generate-config
View file

@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/dconf rix, @{bin}/dconf rix,
@{bin}/install rix, @{bin}/install rix,
@{bin}/pgrep rix, @{bin}/pgrep rCx -> pgrep,
@{bin}/pkill rix, @{bin}/pkill rCx -> pgrep,
@{bin}/setpriv rix, @{bin}/setpriv rix,
@{bin}/setsid rix, @{bin}/setsid rix,
@ -48,6 +48,15 @@ profile gdm-generate-config @{exec_path} {
@{PROC}/tty/drivers r, @{PROC}/tty/drivers r,
@{PROC}/uptime r, @{PROC}/uptime r,
profile pgrep {
include <abstractions/base>
include <abstractions/app/pgrep>
@{bin}/pkill mr,
include if exists <local/gdm-generate-config_pgrep>
}
include if exists <local/gdm-generate-config> include if exists <local/gdm-generate-config>
} }

3
apparmor.d/groups/gnome/nautilus
View file

@ -81,6 +81,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
/var/cache/fontconfig/ rw, /var/cache/fontconfig/ rw,
#aa:lint ignore=too-wide
# Full access to user's data # Full access to user's data
/ r, / r,
/*/ r, /*/ r,
@ -97,7 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/** rw, owner @{tmp}/** rw,
# Silence non user's data # Silence non user's data
deny /boot/{,**} r, deny @{efi}/{,**} r,
deny /opt/{,**} r, deny /opt/{,**} r,
deny /root/{,**} r, deny /root/{,**} r,
deny /tmp/.* rw, deny /tmp/.* rw,

2
apparmor.d/groups/grub/grub-editenv
View file

@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/boot/grub/grubenv rw, @{efi}/grub/grubenv rw,
include if exists <local/grub-editenv> include if exists <local/grub-editenv>
} }

12
apparmor.d/groups/grub/grub-install
View file

@ -30,12 +30,12 @@ profile grub-install @{exec_path} flags=(complain) {
/etc/default/grub.d/{,**} r, /etc/default/grub.d/{,**} r,
/etc/default/grub r, /etc/default/grub r,
/boot/efi/ r, @{efi}/ r,
/boot/EFI/*/grubx*.efi rw, @{efi}/EFI/ r,
/boot/efi/EFI/ r, @{efi}/EFI/*/grubx*.efi rw,
/boot/efi/EFI/BOOT/{,**} rw, @{efi}/EFI/BOOT/{,**} rw,
/boot/efi/EFI/ubuntu/* w, @{efi}/EFI/ubuntu/* w,
/boot/grub/{,**} rw, @{efi}/grub/{,**} rw,
@{sys}/devices/**/hid r, @{sys}/devices/**/hid r,
@{sys}/devices/**/path r, @{sys}/devices/**/path r,

4
apparmor.d/groups/grub/grub-mkconfig
View file

@ -81,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
/.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/fstab r,
/.zfs/snapshot/*/etc/machine-id r, /.zfs/snapshot/*/etc/machine-id r,
/boot/{,**} r, @{efi}/{,**} r,
/boot/grub/{,**} rw, @{efi}/grub/{,**} rw,
/tmp/grub-*.@{rand10}/{,**} rw, /tmp/grub-*.@{rand10}/{,**} rw,

4
apparmor.d/groups/grub/grub-mkrelpath
View file

@ -21,8 +21,8 @@ profile grub-mkrelpath @{exec_path} {
/ r, / r,
/usr/share/grub/* r, /usr/share/grub/* r,
/boot/ r, @{efi}/ r,
/boot/grub/themes/{,**} r, @{efi}/grub/themes/{,**} r,
/tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r,
/tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r,

2
apparmor.d/groups/grub/grub-multi-install
View file

@ -29,7 +29,7 @@ profile grub-multi-install @{exec_path} {
@{lib}/terminfo/x/xterm-256color r, @{lib}/terminfo/x/xterm-256color r,
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,
/boot/grub/grub.cfg rw, @{efi}/grub/grub.cfg rw,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,

6
apparmor.d/groups/grub/grub-probe
View file

@ -26,9 +26,9 @@ profile grub-probe @{exec_path} {
/usr/share/grub/* r, /usr/share/grub/* r,
/ r, / r,
/boot/ r, @{efi}/ r,
/boot/grub/ r, @{efi}/grub/ r,
/boot/grub/themes/{,**} r, @{efi}/grub/themes/{,**} r,
@{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mountinfo r,
@{PROC}/devices r, @{PROC}/devices r,

2
apparmor.d/groups/grub/grub-script-check
View file

@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/boot/grub/grub* rw, @{efi}/grub/grub* rw,
include if exists <local/grub-script-check> include if exists <local/grub-script-check>
} }

2
apparmor.d/groups/kde/dolphin
View file

@ -68,7 +68,7 @@ profile dolphin @{exec_path} {
owner @{tmp}/{,**} rw, owner @{tmp}/{,**} rw,
# Silence non user's data # Silence non user's data
deny /boot/{,**} r, deny @{efi}/{,**} r,
deny /opt/{,**} r, deny /opt/{,**} r,
deny /root/{,**} r, deny /root/{,**} r,
deny /tmp/.* rw, deny /tmp/.* rw,

2
apparmor.d/groups/kde/kioworker
View file

@ -67,7 +67,7 @@ profile kioworker @{exec_path} {
owner @{tmp}/{,**} rw, owner @{tmp}/{,**} rw,
# Silence non user's data # Silence non user's data
deny /boot/{,**} r, deny @{efi}/{,**} r,
deny /etc/{,**} r, deny /etc/{,**} r,
deny /opt/{,**} r, deny /opt/{,**} r,
deny /root/{,**} r, deny /root/{,**} r,

6
apparmor.d/groups/pacman/mkinitcpio
View file

@ -82,10 +82,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Manage /boot # Manage /boot
/ r, / r,
@{efi}/ r, @{efi}/ r,
@{efi}/EFI/{,**} rw,
@{efi}/@{hex32}/{,**} rw, @{efi}/@{hex32}/{,**} rw,
/boot/initramfs-*.img* rw, @{efi}/EFI/{,**} rw,
/boot/vmlinuz-* r, @{efi}/initramfs-*.img* rw,
@{efi}/vmlinuz-* r,
/usr/share/systemd/bootctl/** r, /usr/share/systemd/bootctl/** r,

2
apparmor.d/groups/pacman/pacdiff
View file

@ -38,7 +38,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
# packages files # packages files
/ r, / r,
/boot/{,**} r, @{efi}/{,**} r,
/etc/{,**} rw, /etc/{,**} rw,
/opt/{,**} r, /opt/{,**} r,
/srv/{,**} r, /srv/{,**} r,

3
apparmor.d/groups/pacman/pacman
View file

@ -116,9 +116,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
/**/ r, /**/ r,
# Install/update packages # Install/update packages
#aa:lint ignore=too-wide
/ r, / r,
/*{,/} rw, /*{,/} rw,
/boot/** rwl -> /boot/**, @{efi}/** rwl -> @{efi}/**,
/etc/** rwl -> /etc/**, /etc/** rwl -> /etc/**,
/opt/** rwl -> /opt/**, /opt/** rwl -> /opt/**,
/srv/** rwl -> /srv/**, /srv/** rwl -> /srv/**,

10
apparmor.d/groups/pacman/pacman-hook-mkinitcpio
View file

@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
/etc/mkinitcpio.d/*.preset{,.pacsave} rw, /etc/mkinitcpio.d/*.preset{,.pacsave} rw,
/ r, / r,
/boot/ r, @{efi}/ r,
/{boot,efi}/EFI/boot/boot*.efi rw, @{efi}/EFI/boot/boot*.efi rw,
/boot/initramfs-*-fallback.img rw, @{efi}/initramfs-*-fallback.img rw,
/boot/initramfs-*.img rw, @{efi}/initramfs-*.img rw,
/boot/vmlinuz-* rw, @{efi}/vmlinuz-* rw,
/dev/tty rw, /dev/tty rw,
owner /dev/pts/@{int} rw, owner /dev/pts/@{int} rw,

6
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
View file

@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
/usr/share/mkinitcpio/*.preset r, /usr/share/mkinitcpio/*.preset r,
/etc/mkinitcpio.d/*.preset rw, /etc/mkinitcpio.d/*.preset rw,
/boot/vmlinuz-* rw, @{efi}/vmlinuz-* rw,
/boot/initramfs-*.img rw, @{efi}/initramfs-*.img rw,
/boot/initramfs-*-fallback.img rw, @{efi}/initramfs-*-fallback.img rw,
/dev/tty rw, /dev/tty rw,

2
apparmor.d/groups/snap/snap-update-ns
View file

@ -18,7 +18,7 @@ profile snap-update-ns @{exec_path} {
network netlink raw, network netlink raw,
mount -> /boot/, mount -> @{efi}/,
mount -> /snap/**, mount -> /snap/**,
mount -> /tmp/.snap/**, mount -> /tmp/.snap/**,
mount -> /usr/**, mount -> /usr/**,

4
apparmor.d/groups/snap/snapd
View file

@ -133,8 +133,8 @@ profile snapd @{exec_path} {
/tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-mountpoint-@{int}/{,**} rw,
/tmp/syscheck-squashfs-@{int} rw, /tmp/syscheck-squashfs-@{int} rw,
/boot/ r, @{efi}/ r,
/boot/grub/grubenv r, @{efi}/grub/grubenv r,
/ r, / r,
/home/ r, /home/ r,

3
apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto
View file

@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/ r, / r,
/boot/ r, @{efi}/ r,
/efi/ r,
/etc/fstab r, /etc/fstab r,
/usr/ r, /usr/ r,

4
apparmor.d/groups/systemd-service/grub-common.service
View file

@ -19,8 +19,8 @@ profile grub-common.service {
@{bin}/mkdir ix, @{bin}/mkdir ix,
@{bin}/rm ix, @{bin}/rm ix,
/boot/grub/ w, @{efi}/grub/ w,
/boot/grub/grubenv rw, @{efi}/grub/grubenv rw,
include if exists <local/grub-common.service> include if exists <local/grub-common.service>
} }

2
apparmor.d/groups/ubuntu/update-manager
View file

@ -63,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
/etc/ubuntu-advantage/uaclient.conf r, /etc/ubuntu-advantage/uaclient.conf r,
/etc/update-manager/{,**} r, /etc/update-manager/{,**} r,
/boot/ r, @{efi}/ r,
/var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.list r,
/var/lib/dpkg/updates/ r, /var/lib/dpkg/updates/ r,

2
apparmor.d/groups/utils/fsck
View file

@ -26,7 +26,7 @@ profile fsck @{exec_path} flags=(attach_disconnected) {
# When a mount dir is passed to fsck as an argument. # When a mount dir is passed to fsck as an argument.
@{HOME}/ r, @{HOME}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
/boot/ r, @{efi}/ r,
@{run}/mount/utab r, @{run}/mount/utab r,
@{run}/systemd/fsck.progress rw, @{run}/systemd/fsck.progress rw,

3
apparmor.d/groups/utils/fstrim
View file

@ -22,8 +22,7 @@ profile fstrim @{exec_path} flags=(attach_disconnected) {
@{MOUNTDIRS}/ r, @{MOUNTDIRS}/ r,
@{MOUNTS}/ r, @{MOUNTS}/ r,
/ r, / r,
/boot/ r, @{efi}/ r,
/boot/efi/ r,
/var/ r, /var/ r,
@{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mountinfo r,

2
apparmor.d/groups/xfce/thunar
View file

@ -58,7 +58,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
# Silence non user's data # Silence non user's data
deny /boot/{,**} r, deny @{efi}/{,**} r,
deny /opt/{,**} r, deny /opt/{,**} r,
deny /root/{,**} r, deny /root/{,**} r,
deny /tmp/.* rw, deny /tmp/.* rw,

2
apparmor.d/profiles-a-f/baobab
View file

@ -23,7 +23,7 @@ profile baobab @{exec_path} {
/ r, / r,
/** r, /** r,
deny /boot/{,**} r, deny @{efi}/{,**} r,
include if exists <local/baobab> include if exists <local/baobab>
} }

1
apparmor.d/profiles-a-f/deluser
View file

@ -31,6 +31,7 @@ profile deluser @{exec_path} {
owner /etc/shadow r, owner /etc/shadow r,
#aa:lint ignore=too-wide
# This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user
# that's going to be deleted. Basically it scans all the files in the system in each dir and look # that's going to be deleted. Basically it scans all the files in the system in each dir and look
# for matches. This also includes files required by the "--remove-home" flag as well as the # for matches. This also includes files required by the "--remove-home" flag as well as the

2
apparmor.d/profiles-a-f/dkms
View file

@ -117,7 +117,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{lib}/modules/*/modules.* rw, @{lib}/modules/*/modules.* rw,
/var/lib/dkms/**/module/*.ko* r, /var/lib/dkms/**/module/*.ko* r,
owner /boot/System.map-* r, owner @{efi}/System.map-* r,
owner @{tmp}/tmp.@{rand10} r, owner @{tmp}/tmp.@{rand10} r,

2
apparmor.d/profiles-a-f/dlocate
View file

@ -55,7 +55,7 @@ profile dlocate @{exec_path} {
@{bin}/md5sum mr, @{bin}/md5sum mr,
# For the md5 check # For the md5 check
/boot/** r, @{efi}/** r,
/usr/** r, /usr/** r,
include if exists <local/dlocate_md5sum> include if exists <local/dlocate_md5sum>

1
apparmor.d/profiles-a-f/etckeeper
View file

@ -48,6 +48,7 @@ profile etckeeper @{exec_path} {
/etc/etckeeper/*.d/* rix, /etc/etckeeper/*.d/* rix,
/etc/etckeeper/daily rix, /etc/etckeeper/daily rix,
#aa:lint ignore=too-wide
/etc/ rw, /etc/ rw,
/etc/** rwkl -> /etc/**, /etc/** rwkl -> /etc/**,

4
apparmor.d/profiles-g-l/gpartedbin
View file

@ -92,7 +92,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) {
mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/,
mount /dev/{s,v}d[a-z]*@{int} -> /boot/, mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/,
mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/,
mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/,
@ -108,7 +108,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) {
umount /tmp/gparted-*/, umount /tmp/gparted-*/,
umount /boot/, umount @{efi}/,
umount @{MOUNTS}/, umount @{MOUNTS}/,
umount @{MOUNTS}/*/, umount @{MOUNTS}/*/,

2
apparmor.d/profiles-g-l/initd-kexec-load
View file

@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} {
@{sys}/kernel/kexec_loaded r, @{sys}/kernel/kexec_loaded r,
owner /boot/grub/{grub.cfg,grubenv} r, owner @{efi}/grub/{grub.cfg,grubenv} r,
@{PROC}/cmdline r, @{PROC}/cmdline r,

2
apparmor.d/profiles-g-l/ioping
View file

@ -35,7 +35,7 @@ profile ioping @{exec_path} {
/bin/* r, /bin/* r,
/sbin/* r, /sbin/* r,
/etc/** r, /etc/** r,
/boot/** r, @{efi}/** r,
/opt/** r, /opt/** r,
/var/** r, /var/** r,
@{MOUNTS}/** r, @{MOUNTS}/** r,

2
apparmor.d/profiles-g-l/kconfig-hardened-check
View file

@ -19,7 +19,7 @@ profile kconfig-hardened-check @{exec_path} {
# The usual kernel config locations # The usual kernel config locations
/boot/config-* r, @{efi}/config-* r,
@{PROC}/config.gz r, @{PROC}/config.gz r,
# This is for kernels, which are built manually # This is for kernels, which are built manually

2
apparmor.d/profiles-g-l/kernel
View file

@ -52,7 +52,7 @@ profile kernel @{exec_path} {
# For shell pwd # For shell pwd
/ r, / r,
/boot/ r, @{efi}/ r,
/etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/ r,
/etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,

11
apparmor.d/profiles-g-l/kernel-install
View file

@ -46,13 +46,10 @@ profile kernel-install @{exec_path} {
@{efi}/@{hex32}/** rw, @{efi}/@{hex32}/** rw,
@{efi}/loader/entries.srel r, @{efi}/loader/entries.srel r,
owner @{efi}/{vmlinuz,initrd.img}-* r,
owner /boot/{vmlinuz,initrd.img}-* r, owner @{efi}/loader/ rw,
owner /boot/[a-f0-9]*/*/ rw, owner @{efi}/loader/entries/ rw,
owner /boot/[a-f0-9]*/*/{linux,initrd} w, owner @{efi}/loader/entries/*.conf w,
owner /boot/loader/ rw,
owner /boot/loader/entries/ rw,
owner /boot/loader/entries/*.conf w,
owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, owner /tmp/kernel-install.staging.@{rand6}/{,**} rw,

2
apparmor.d/profiles-g-l/kexec
View file

@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) {
@{exec_path} mr, @{exec_path} mr,
owner /boot/{initrd.img,vmlinuz}-* r, owner @{efi}/{initrd.img,vmlinuz}-* r,
@{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/ r,
@{sys}/firmware/memmap/@{int}/{start,end,type} r, @{sys}/firmware/memmap/@{int}/{start,end,type} r,

2
apparmor.d/profiles-g-l/kmod
View file

@ -44,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/*modules*/{,**} rw,
owner /var/tmp/dracut.*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw,
owner /boot/System.map-* r, owner @{efi}/System.map-* r,
owner @{tmp}/mkinitcpio.*/{,**} rw, owner @{tmp}/mkinitcpio.*/{,**} rw,
# For local kernel build # For local kernel build

2
apparmor.d/profiles-g-l/linux-version
View file

@ -15,7 +15,7 @@ profile linux-version @{exec_path} {
@{exec_path} r, @{exec_path} r,
/boot/ r, @{efi}/ r,
include if exists <local/linux-version> include if exists <local/linux-version>
} }

6
apparmor.d/profiles-m-r/mkinitramfs
View file

@ -87,9 +87,9 @@ profile mkinitramfs @{exec_path} {
/etc/modprobe.d/{,*.conf} r, /etc/modprobe.d/{,*.conf} r,
/boot/ r, @{efi}/ r,
owner /boot/config-* r, owner @{efi}/config-* r,
owner /boot/initrd.img-*.new rw, owner @{efi}/initrd.img-*.new rw,
owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initramfs-tools/** rw,
owner /var/lib/kdump/initrd.* rw, owner /var/lib/kdump/initrd.* rw,

6
apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
View file

@ -26,9 +26,9 @@ profile needrestart-iucode-scan-versions @{exec_path} {
/etc/default/intel-microcode r, /etc/default/intel-microcode r,
/etc/needrestart/iucode.sh r, /etc/needrestart/iucode.sh r,
/boot/amd-ucode.img r, @{efi}/amd-ucode.img r,
/boot/intel-ucode.img r, @{efi}/intel-ucode.img r,
/boot/early_ucode.cpio r, @{efi}/early_ucode.cpio r,
@{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r,

5
apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
View file

@ -26,8 +26,9 @@ profile needrestart-vmlinuz-get-version @{exec_path} {
@{bin}/which{,.debianutils} rPx, @{bin}/which{,.debianutils} rPx,
@{bin}/xz rix, @{bin}/xz rix,
/boot/intel-ucode.img r, @{efi}/amd-ucode.img r,
/boot/vmlinuz* r, @{efi}/intel-ucode.img r,
@{efi}/vmlinuz* r,
owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand10} rw,

6
apparmor.d/profiles-m-r/os-prober
View file

@ -63,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
@{MOUNTS}/ r, @{MOUNTS}/ r,
/ r, / r,
/boot/{efi/,} r, @{efi}/ r,
/boot/{efi/,}EFI/ r, @{efi}/EFI/ r,
/boot/{efi/,}EFI/**/ r, @{efi}/EFI/**/ r,
owner @{tmp}/os-prober.*/{,**} rw, owner @{tmp}/os-prober.*/{,**} rw,

3
apparmor.d/profiles-m-r/packagekitd
View file

@ -74,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
/usr/share/libalpm/scripts/* rPx, /usr/share/libalpm/scripts/* rPx,
#aa:lint ignore=too-wide
# Install/update packages # Install/update packages
/ r, / r,
/*{,/} rw, /*{,/} rw,
/boot/** rwl -> /boot/**, @{efi}/** rwl -> @{efi}/**,
/etc/** rwl -> /etc/**, /etc/** rwl -> /etc/**,
/opt/** rwl -> /opt/**, /opt/** rwl -> /opt/**,
/srv/** rwl -> /srv/**, /srv/** rwl -> /srv/**,

6
apparmor.d/profiles-s-z/spectre-meltdown-checker
View file

@ -89,8 +89,10 @@ profile spectre-meltdown-checker @{exec_path} {
owner /dev/cpu/@{int}/msr rw, owner /dev/cpu/@{int}/msr rw,
owner /dev/kmsg r, owner /dev/kmsg r,
/boot/ r, @{efi}/ r,
/boot/{config,vmlinuz,System.map}-* r, @{efi}/config r,
@{efi}/System.map-* r,
@{efi}/vmlinuz-* r,
@{sys}/devices/system/cpu/vulnerabilities/* r, @{sys}/devices/system/cpu/vulnerabilities/* r,
@{sys}/module/kvm_intel/parameters/ept r, @{sys}/module/kvm_intel/parameters/ept r,

2
apparmor.d/profiles-s-z/ucf
View file

@ -44,7 +44,7 @@ profile ucf @{exec_path} {
/usr/share/** r, /usr/share/** r,
# For writing new config files # For writing new config files
/etc/** rw, /etc/** rw, #aa:lint ignore=too-wide
# For shell pwd # For shell pwd
/ r, / r,

4
apparmor.d/profiles-s-z/unmkinitramfs
View file

@ -31,8 +31,8 @@ profile unmkinitramfs @{exec_path} {
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/xzcat rix, @{bin}/xzcat rix,
/boot/ r, @{efi}/ r,
owner /boot/initrd.img-* r, owner @{efi}/initrd.img-* r,
/tmp/ r, /tmp/ r,
owner @{tmp}/initrd.img-* r, owner @{tmp}/initrd.img-* r,
/mnt/ r, /mnt/ r,

6
apparmor.d/profiles-s-z/update-initramfs
View file

@ -50,9 +50,9 @@ profile update-initramfs @{exec_path} {
owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
owner /boot/ r, owner @{efi}/ r,
owner /boot/initrd.img-* rw, owner @{efi}/initrd.img-* rw,
owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*,
include if exists <local/update-initramfs> include if exists <local/update-initramfs>
} }

6
apparmor.d/profiles-s-z/updatedb-mlocate
View file

@ -24,8 +24,8 @@ profile updatedb-mlocate @{exec_path} {
# For shell pwd # For shell pwd
/ r, / r,
/boot/ r, @{efi}/ r,
/boot/**/ r, @{efi}/**/ r,
/home/ r, /home/ r,
@{HOME}/ r, @{HOME}/ r,
@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} {
/srv/**/ r, /srv/**/ r,
# Silence the noise # Silence the noise
deny /efi/ r, deny @{efi}/ r,
deny /hugepages/ r, deny /hugepages/ r,
deny /lost+found/ r, deny /lost+found/ r,
deny /mnt/ r, deny /mnt/ r,

64
tests/check.sh
View file

@ -17,14 +17,14 @@ readonly RES MAX_JOBS APPARMORD="apparmor.d"
readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m"
_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; }
_warn() { _warn() {
local type="$1" file="$2" local name="$1" file="$2"
shift 2 shift 2
printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*"
} }
_err() { _err() {
local type="$1" file="$2" local name="$1" file="$2"
shift 2 shift 2
printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*"
echo "true" >"$RES" echo "true" >"$RES"
} }
@ -160,24 +160,24 @@ _check_abstractions() {
local absname local absname
for absname in "${ABS_DANGEROUS[@]}"; do for absname in "${ABS_DANGEROUS[@]}"; do
if [[ "$line" == *"<$ABS/$absname>"* ]]; then if [[ "$line" == *"<$ABS/$absname>"* ]]; then
_err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'"
fi fi
done done
for absname in "${!ABS_DEPRECATED[@]}"; do for absname in "${!ABS_DEPRECATED[@]}"; do
if [[ "$line" == *"<$ABS/$absname>"* ]]; then if [[ "$line" == *"<$ABS/$absname>"* ]]; then
_err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead"
fi fi
done done
} }
readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}')
_check_directory_mark() { _check_directory_mark() {
_is_enabled directory_mark || return 0 _is_enabled directory-mark || return 0
for pattern in "${DIRECTORIES[@]}"; do for pattern in "${DIRECTORIES[@]}"; do
if [[ "$line" == *"$pattern"* ]]; then if [[ "$line" == *"$pattern"* ]]; then
[[ "$line" == *'='* ]] && continue [[ "$line" == *'='* ]] && continue
if [[ ! "$line" == *"$pattern/"* ]]; then if [[ ! "$line" == *"$pattern/"* ]]; then
_err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'"
fi fi
fi fi
done done
@ -195,7 +195,7 @@ _check_equivalent() {
for prgmname in "${!EQUIVALENTS[@]}"; do for prgmname in "${!EQUIVALENTS[@]}"; do
if [[ "$line" == *"/$prgmname "* ]]; then if [[ "$line" == *"/$prgmname "* ]]; then
if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then
_err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'"
fi fi
fi fi
done done
@ -203,10 +203,10 @@ _check_equivalent() {
readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**')
_check_too_wide() { _check_too_wide() {
_is_enabled too_wide || return 0 _is_enabled too-wide || return 0
for pattern in "${TOOWIDE[@]}"; do for pattern in "${TOOWIDE[@]}"; do
if [[ "$line" == *" $pattern "* ]]; then if [[ "$line" == *" $pattern "* ]]; then
_err security "$file:$line_number" "rule too wide: '$pattern'" _warn too-wide "$file:$line_number" "rule too wide: '$pattern'"
fi fi
done done
} }
@ -227,19 +227,19 @@ _check_transition() {
_is_enabled transition || return 0 _is_enabled transition || return 0
for prgmname in "${!TRANSITION_MUST_CI[@]}"; do for prgmname in "${!TRANSITION_MUST_CI[@]}"; do
if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then
_err security "$file:$line_number" \ _err transition "$file:$line_number" \
"@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'"
fi fi
done done
for prgmname in "${!TRANSITION_MUST_PC[@]}"; do for prgmname in "${!TRANSITION_MUST_PC[@]}"; do
if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then
_err security "$file:$line_number" \ _err transition "$file:$line_number" \
"@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'"
fi fi
done done
for prgmname in "${!TRANSITION_MUST_C[@]}"; do for prgmname in "${!TRANSITION_MUST_C[@]}"; do
if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then
_warn security "$file:$line_number" \ _warn transition "$file:$line_number" \
"@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'"
fi fi
done done
@ -255,7 +255,7 @@ _check_useless() {
_is_enabled useless || return 0 _is_enabled useless || return 0
for rule in "${!USELESS[@]}"; do for rule in "${!USELESS[@]}"; do
if [[ "$line" == *"${USELESS[$rule]}"* ]]; then if [[ "$line" == *"${USELESS[$rule]}"* ]]; then
_err issue "$file:$line_number" "rule already included in the base abstraction, remove it" _err useless "$file:$line_number" "rule already included in the base abstraction, remove it"
fi fi
done done
} }
@ -279,6 +279,8 @@ declare -A TUNABLES=(
["(x86_64|amd64|i386|i686)"]='@{arch}' ["(x86_64|amd64|i386|i686)"]='@{arch}'
["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}'
["/usr/etc/"]='@{etc_ro}/' ["/usr/etc/"]='@{etc_ro}/'
["/boot/(|efi/)"]="@{efi}/"
["/efi/"]="@{efi}/"
["/var/run/"]='@{run}/' ["/var/run/"]='@{run}/'
["/run/"]='@{run}/' ["/run/"]='@{run}/'
["user/[0-9]*/"]='user/@{uid}/' ["user/[0-9]*/"]='user/@{uid}/'
@ -300,7 +302,7 @@ _check_tunables() {
[[ "$rpattern" == /* ]] && rpattern=" $rpattern" [[ "$rpattern" == /* ]] && rpattern=" $rpattern"
if [[ "$line" =~ $rpattern ]]; then if [[ "$line" =~ $rpattern ]]; then
match="${BASH_REMATCH[0]}" match="${BASH_REMATCH[0]}"
_err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match"
fi fi
done done
} }
@ -318,7 +320,7 @@ _check_abi() {
_res_abi() { _res_abi() {
_is_enabled abi || return 0 _is_enabled abi || return 0
if ! $RES_ABI; then if ! $RES_ABI; then
_err guideline "$file" "missing 'abi <abi/4.0>,'" _err abi "$file" "missing 'abi <abi/4.0>,'"
fi fi
} }
@ -332,7 +334,7 @@ _check_include() {
_res_include() { _res_include() {
_is_enabled include || return 0 _is_enabled include || return 0
if ! $RES_INCLUDE; then if ! $RES_INCLUDE; then
_err guideline "$file" "missing '$include'" _err include "$file" "missing '$include'"
fi fi
} }
@ -346,7 +348,7 @@ _check_profile() {
_res_profile() { _res_profile() {
_is_enabled profile || return 0 _is_enabled profile || return 0
if ! $RES_PROFILE; then if ! $RES_PROFILE; then
_err guideline "$file" "missing profile name: 'profile $name'" _err profile "$file" "missing profile name: 'profile $name'"
fi fi
} }
@ -373,21 +375,21 @@ _res_header() {
if ${_RES_HEADER[$idx]}; then if ${_RES_HEADER[$idx]}; then
continue continue
fi fi
_err style "$file" "missing header: '${HEADERS[$idx]}'" _err header "$file" "missing header: '${HEADERS[$idx]}'"
done done
} }
_check_tabs() { _check_tabs() {
_is_enabled tabs || return 0 _is_enabled tabs || return 0
if [[ "$line" =~ $'\t' ]]; then if [[ "$line" =~ $'\t' ]]; then
_err style "$file:$line_number" "tabs are not allowed" _err tabs "$file:$line_number" "tabs are not allowed"
fi fi
} }
_check_trailing() { _check_trailing() {
_is_enabled trailing || return 0 _is_enabled trailing || return 0
if [[ "$line" =~ [[:space:]]+$ ]]; then if [[ "$line" =~ [[:space:]]+$ ]]; then
_err style "$file:$line_number" "line has trailing whitespace" _err trailing "$file:$line_number" "line has trailing whitespace"
fi fi
} }
@ -404,7 +406,7 @@ _check_indentation() {
local leading_spaces="${line%%[! ]*}" local leading_spaces="${line%%[! ]*}"
local num_spaces=${#leading_spaces} local num_spaces=${#leading_spaces}
if ((num_spaces != 2)); then if ((num_spaces != 2)); then
_err style "$file:$line_number" "profile must have a two-space indentation" _err indentation "$file:$line_number" "profile must have a two-space indentation"
fi fi
_CHECK_FIRST_LINE_AFTER_PROFILE=false _CHECK_FIRST_LINE_AFTER_PROFILE=false
@ -426,7 +428,7 @@ _check_indentation() {
done done
if ! $ok; then if ! $ok; then
_err style "$file:$line_number" "invalid indentation" _err indentation "$file:$line_number" "invalid indentation"
fi fi
fi fi
fi fi
@ -457,7 +459,7 @@ _res_subprofiles() {
if [[ $msg == true ]]; then if [[ $msg == true ]]; then
continue continue
fi fi
_err guideline "$file" "$msg" _err subprofiles "$file" "$msg"
done done
} }
@ -472,7 +474,7 @@ _check_vim() {
_res_vim() { _res_vim() {
_is_enabled vim || return 0 _is_enabled vim || return 0
if ! $RES_VIM; then if ! $RES_VIM; then
_err style "$file" "missing vim syntax: '$VIM_SYNTAX'" _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'"
fi fi
} }
@ -489,7 +491,7 @@ check_sbin() {
cut -d: -f1,2 cut -d: -f1,2
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
_err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'"
done done
) & ) &
_wait jobs _wait jobs
@ -504,7 +506,7 @@ check_sbin() {
while read -r match; do while read -r match; do
name="${match/\@\{sbin\}\//}" name="${match/\@\{sbin\}\//}"
if ! _in_array "$name" "${sbin[@]}"; then if ! _in_array "$name" "${sbin[@]}"; then
_err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list"
fi fi
done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}")
) & ) &
@ -521,7 +523,7 @@ check_profiles() {
) )
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent useless transition tunables abstractions directory-mark equivalent too-wide useless transition tunables
abi include profile header tabs trailing indentation subprofiles vim abi include profile header tabs trailing indentation subprofiles vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
@ -541,7 +543,7 @@ check_abstractions() {
mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true)
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent too_wide tunables abstractions directory-mark equivalent too-wide tunables
abi include header tabs trailing indentation vim abi include header tabs trailing indentation vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
@ -562,7 +564,7 @@ check_abstractions() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent too_wide tunables abstractions directory-mark equivalent too-wide tunables
header tabs trailing indentation vim header tabs trailing indentation vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do