From 24056c8cd1f179b58d70f8cdbf29f2414faf7097 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 12 Jun 2022 22:56:27 +0100
Subject: [PATCH] feat(profiles): ensure bin, sbin compatibility for (u)mount.
---
 apparmor.d/profiles-m-r/mount | 2 +-
 apparmor.d/profiles-m-r/mount-cifs | 5 +++--
 apparmor.d/profiles-m-r/mount-nfs | 13 +++++++------
 apparmor.d/profiles-s-z/spectre-meltdown-checker | 2 +-
 apparmor.d/profiles-s-z/umount | 6 +++---
 5 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index f732aa98f..de1720002 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/mount
+@{exec_path} = /{usr/,}{s,}bin/mount
 profile mount @{exec_path} flags=(complain) {
 include
 include
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs
index 3724dd4b6..1ee7662b2 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@@ -1,12 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = /{usr/,}sbin/mount.cifs
+@{exec_path} = /{usr/,}{s,}bin/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
 include
 include
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs
index 1983e1bf8..1e9a6fbf1 100644
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
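Review bot: The `/{usr/,}{s,}bin/` alternation is written out by hand in this `@{exec_path}` line and again in the mount-cifs, mount-nfs, umount and spectre-meltdown-checker hunks, so each profile has to be kept in step manually. That per-profile drift is what this commit is correcting, and defining the alternation once as a shared variable in the project's tunables (not visible in this patch) would let attachment paths and exec rules reference one definition. The profile also does not say why both directories are matched; a short comment above the line, such as `# match both bin and sbin: the binary's directory differs between distributions`, would record the reason given in the commit subject.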
@@ -1,12 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
 include
-@{exec_path} = /{usr/,}sbin/mount.nfs
+@{exec_path} = /{usr/,}{s,}bin/mount.nfs
 profile mount-nfs @{exec_path} flags=(complain) {
 include
 include
@@ -26,11 +27,11 @@ profile mount-nfs @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}sbin/start-statd rix,
- /{usr/,}bin/flock rix,
+ /{usr/,}{s,}bin/start-statd rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/flock rix,
- /usr/bin/systemctl rPx -> child-systemctl,
+ /usr/bin/systemctl rPx -> child-systemctl,
 /etc/fstab r,
 /etc/netconfig r,
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
index 5ff0cce5f..b2fdf5dfb 100644
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@@ -57,7 +57,7 @@ profile spectre-meltdown-checker @{exec_path} {
 /{usr/,}bin/{,@{multiarch}-}objdump rix,
 /{usr/,}{s,}bin/iucode_tool rix,
 /{usr/,}bin/dmesg rix,
- /{usr/,}bin/mount rix,
+ /{usr/,}{s,}bin/mount rix,
 /{usr/,}bin/find rix,
 /{usr/,}bin/xargs rix,
 /{usr/,}bin/readlink rix,
diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount
index 109a4eb4c..89c238b54 100644
--- a/apparmor.d/profiles-s-z/umount
+++ b/apparmor.d/profiles-s-z/umount
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/umount
+@{exec_path} = /{usr/,}{s,}bin/umount
 profile umount @{exec_path} flags=(complain) {
 include
 include
@@ -26,8 +26,8 @@ profile umount @{exec_path} flags=(complain) {
 @{exec_path} mr,
- /{usr/,}sbin/umount.* rPx,
- /{usr/,}sbin/mount.* rPx,
+ /{usr/,}{s,}bin/umount.* rPx,
+ /{usr/,}{s,}bin/mount.* rPx,
 # Mount points
 @{HOME}/ r,
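Review bot: The `systemctl` rule in the second mount-nfs hunk is still pinned to `/usr/bin/systemctl`, while every neighbouring exec rule tolerates a missing `/usr` prefix. On a system where the binary resolves under `/bin`, the `rPx -> child-systemctl` transition would not match; the profile is `flags=(complain)`, so today that is only logged, but it becomes a denial once the profile is enforced. Consider `/{usr/,}bin/systemctl rPx -> child-systemctl,`. The removed and added `systemctl` lines read identically here, so that part of the change is presumably alignment only. The profile body continues outside the hunk.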
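Review bot: The widened `rPx` rules in the second umount hunk, `/{usr/,}{s,}bin/umount.*` and `/{usr/,}{s,}bin/mount.*`, depend on every reachable helper having a profile attached at the same resolved path. This commit widens the attachment for mount-cifs and mount-nfs, but any other `mount.*`/`umount.*` helper profile (none visible in this patch) that still attaches on `sbin` only would leave the new `bin` paths without a transition target. Under `Px` the exec is then refused in enforce mode rather than falling back to another profile. It is worth checking the remaining helper profiles and recording the dependency next to the rules, e.g. `# each helper needs a profile attached on both bin and sbin`. The umount profile body continues outside the hunk.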