felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (3)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 14:09:55 +01:00
parent 2eed3b725f
commit 27daa7c9bb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
355 changed files with 1473 additions and 1472 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/pacman/arch-audit
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/arch-audit
@{exec_path} = @{bin}/arch-audit
profile arch-audit @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

20
apparmor.d/groups/pacman/archlinux-java
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/archlinux-java
@{exec_path} = @{bin}/archlinux-java
profile archlinux-java @{exec_path} {
include <abstractions/base>
@ -14,16 +14,16 @@ profile archlinux-java @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/basename rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/id rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/unlink rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/dirname rix,
@{bin}/id rix,
@{bin}/ln rix,
@{bin}/readlink rix,
@{bin}/unlink rix,
/{usr/,}lib/jvm/default w,
/{usr/,}lib/jvm/default-runtime w,
@{lib}/jvm/default w,
@{lib}/jvm/default-runtime w,
/dev/tty rw,

14
apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/archlinux-keyring-wkd-sync
@{exec_path} = @{bin}/archlinux-keyring-wkd-sync
profile archlinux-keyring-wkd-sync @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -20,12 +20,12 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg{,2} rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/pacman-conf rix,
@{bin}/{m,g,}awk rix,
@{bin}/bash rix,
@{bin}/dirmngr rix,
@{bin}/gpg{,2} rix,
@{bin}/gpg-agent rix,
@{bin}/pacman-conf rix,
/etc/pacman.conf r,
/etc/pacman.d/*-mirrorlist r,

36
apparmor.d/groups/pacman/aurpublish
View file

@ -23,24 +23,24 @@ profile aurpublish @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/curl rix,
/{usr/,}bin/date rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/git rPx,
/{usr/,}bin/gpg{,2} rPx,
/{usr/,}bin/grep rix,
/{usr/,}bin/makepkg rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sha512sum rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/wc rix,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/curl rix,
@{bin}/date rix,
@{bin}/gettext rix,
@{bin}/git rPx,
@{bin}/gpg{,2} rPx,
@{bin}/grep rix,
@{bin}/makepkg rix,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/nproc rix,
@{bin}/rm rix,
@{bin}/sha512sum rix,
@{bin}/tput rix,
@{bin}/wc rix,
/usr/share/makepkg/{,**} r,
/usr/share/terminfo/x/xterm-256color r,

104
apparmor.d/groups/pacman/mkinitcpio
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/mkinitcpio
@{exec_path} = @{bin}/mkinitcpio
profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -21,54 +21,54 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{exec_path} rmix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,ba}sh rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/bsdtar rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/fc-match rix,
/{usr/,}bin/find rix,
/{usr/,}bin/findmnt rPx,
/{usr/,}bin/fsck rix,
/{usr/,}bin/getent rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/hexdump rix,
/{usr/,}bin/install rix,
/{usr/,}bin/ldd rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/loadkeys rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/od rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/realpath rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/sync rix,
/{usr/,}bin/tee rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/zcat rix,
/{usr/,}bin/zstd rix,
@{bin}/{,ba}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/bsdtar rix,
@{bin}/cat rix,
@{bin}/cp rix,
@{bin}/dd rix,
@{bin}/dirname rix,
@{bin}/fc-match rix,
@{bin}/find rix,
@{bin}/findmnt rPx,
@{bin}/fsck rix,
@{bin}/getent rix,
@{bin}/grep rix,
@{bin}/gzip rix,
@{bin}/hexdump rix,
@{bin}/install rix,
@{bin}/ldconfig rix,
@{bin}/ldd rix,
@{bin}/ln rix,
@{bin}/loadkeys rix,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/od rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/stat rix,
@{bin}/sync rix,
@{bin}/tee rix,
@{bin}/touch rix,
@{bin}/tput rix,
@{bin}/uname rix,
@{bin}/xargs rix,
@{bin}/xz rix,
@{bin}/zcat rix,
@{bin}/zstd rix,
/{usr/,}bin/{depmod,insmod} rPx,
/{usr/,}bin/{kmod,lsmod} rPx,
/{usr/,}bin/{modinfo,rmmod} rPx,
/{usr/,}bin/modprobe rPx,
/{usr/,}bin/plymouth rPx,
/{usr/,}bin/plymouth-set-default-theme rPx,
@{bin}/{depmod,insmod} rPx,
@{bin}/{kmod,lsmod} rPx,
@{bin}/{modinfo,rmmod} rPx,
@{bin}/modprobe rPx,
@{bin}/plymouth rPx,
@{bin}/plymouth-set-default-theme rPx,
/{usr/,}lib/initcpio/busybox rix,
/{usr/,}lib{,32,64}/ld-*.so* rix,
@{lib}/initcpio/busybox rix,
@{lib}/ld-*.so* rix,
/etc/fstab r,
/etc/initcpio/{,**} r,
@ -88,11 +88,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Can copy any program to the initframs
/{usr/,}{local/,}{s,}bin/ r,
/{usr/,}bin/[a-z0-9]* mr,
/{usr/,}lib/ r,
/{usr/,}lib/plymouth/plymouthd-* mr,
/{usr/,}lib/systemd/{,**} mr,
/{usr/,}lib/udev/[a-z0-9]* mr,
@{bin}/[a-z0-9]* mr,
@{lib}/ r,
@{lib}/plymouth/plymouthd-* mr,
@{lib}/systemd/{,**} mr,
@{lib}/udev/[a-z0-9]* mr,
# Manage /boot
/ r,

24
apparmor.d/groups/pacman/paccache
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/paccache
@{exec_path} = @{bin}/paccache
profile paccache @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -16,17 +16,17 @@ profile paccache @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/pacman rPx,
/{usr/,}bin/pacman-conf rPx,
/{usr/,}bin/pacsort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/xargs rix,
@{bin}/{m,g,}awk rix,
@{bin}/bash rix,
@{bin}/cat rix,
@{bin}/gettext rix,
@{bin}/pacman rPx,
@{bin}/pacman-conf rPx,
@{bin}/pacsort rix,
@{bin}/rm rix,
@{bin}/stat rix,
@{bin}/tput rix,
@{bin}/xargs rix,
/usr/share/makepkg/util/*.sh r,
/usr/share/terminfo/x/xterm-256color r,

28
apparmor.d/groups/pacman/pacdiff
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pacdiff
@{exec_path} = @{bin}/pacdiff
profile pacdiff @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
@ -18,19 +18,19 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/find rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/locate rix,
/{usr/,}bin/pacman rix,
/{usr/,}bin/pacman-conf rPx,
/{usr/,}bin/pacsort rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/vim rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{m,g,}awk rix,
@{bin}/cat rix,
@{bin}/cmp rix,
@{bin}/find rix,
@{bin}/locate rix,
@{bin}/pacman rix,
@{bin}/pacman-conf rPx,
@{bin}/pacsort rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/tput rix,
@{bin}/vim rix,
# packages files
/ r,

136
apparmor.d/groups/pacman/pacman
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pacman
@{exec_path} = @{bin}/pacman
profile pacman @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -45,70 +45,70 @@ profile pacman @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
/{usr/,}bin/sync mrix,
@{bin}/sync mrix,
# Pacman hooks & install scripts
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,ba}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chgrp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/dot rix,
/{usr/,}bin/env rix,
/{usr/,}bin/filecap rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/getent rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/ghc-pkg-* rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/iscsi-iname rix,
/{usr/,}bin/killall rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/pkill rix,
/{usr/,}bin/pwd rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/setcap rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/vercmp rix,
/{usr/,}bin/xmlcatalog rix,
/{usr/,}lib/ghc-*/bin/ghc-pkg rix,
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/arch-audit rPx,
/{usr/,}bin/archlinux-java rPx,
/{usr/,}bin/bootctl rPx,
/{usr/,}bin/dconf rPx,
/{usr/,}bin/fc-cache{,-32} rPx,
/{usr/,}bin/gdk-pixbuf-query-loaders rPx,
/{usr/,}bin/gio-querymodules rPx,
/{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/groupadd rPx,
/{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
/{usr/,}bin/install-catalog rPx,
/{usr/,}bin/install-info rPx,
/{usr/,}bin/journalctl rPx,
/{usr/,}bin/locale-gen rPx,
/{usr/,}bin/mkinitcpio rPx,
/{usr/,}bin/pacdiff rPx,
/{usr/,}bin/pacman-key rPx,
/{usr/,}bin/sbctl rPx,
/{usr/,}bin/sysctl rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-* rPx,
/{usr/,}bin/update-ca-trust rPx,
/{usr/,}bin/update-desktop-database rPx,
/{usr/,}bin/update-mime-database rPx,
/{usr/,}lib/systemd/systemd-* rPx,
/{usr/,}lib/vlc/vlc-cache-gen rPx,
@{bin}/{,ba}sh rix,
@{bin}/appstreamcli rPx,
@{bin}/arch-audit rPx,
@{bin}/archlinux-java rPx,
@{bin}/bootctl rPx,
@{bin}/cat rix,
@{bin}/chgrp rix,
@{bin}/chmod rix,
@{bin}/cp rix,
@{bin}/dconf rPx,
@{bin}/dot rix,
@{bin}/env rix,
@{bin}/fc-cache{,-32} rPx,
@{bin}/filecap rix,
@{bin}/find rix,
@{bin}/gdbus rix,
@{bin}/gdk-pixbuf-query-loaders rPx,
@{bin}/getent rix,
@{bin}/gettext rix,
@{bin}/ghc-pkg-* rix,
@{bin}/gio-querymodules rPx,
@{bin}/glib-compile-schemas rPx,
@{bin}/grep rix,
@{bin}/groupadd rPx,
@{bin}/gtk-query-immodules-{2,3}.0 rPx,
@{bin}/head rix,
@{bin}/install-catalog rPx,
@{bin}/install-info rPx,
@{bin}/iscsi-iname rix,
@{bin}/journalctl rPx,
@{bin}/killall rix,
@{bin}/ldconfig rix,
@{bin}/ln rix,
@{bin}/locale-gen rPx,
@{bin}/mkinitcpio rPx,
@{bin}/pacdiff rPx,
@{bin}/pacman-key rPx,
@{bin}/perl rix,
@{bin}/pkill rix,
@{bin}/pwd rix,
@{bin}/rm rix,
@{bin}/sbctl rPx,
@{bin}/sed rix,
@{bin}/setcap rix,
@{bin}/sysctl rPx,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemd-* rPx,
@{bin}/touch rix,
@{bin}/tput rix,
@{bin}/update-ca-trust rPx,
@{bin}/update-desktop-database rPx,
@{bin}/update-mime-database rPx,
@{bin}/vercmp rix,
@{bin}/xmlcatalog rix,
@{lib}/ghc-*/bin/ghc-pkg rix,
@{lib}/systemd/systemd-* rPx,
@{lib}/vlc/vlc-cache-gen rPx,
/opt/Mullvad*/resources/mullvad-setup rPx,
/usr/share/code-features/patch.sh rPx,
/usr/share/libalpm/scripts/* rPUx,
@ -160,13 +160,13 @@ profile pacman @{exec_path} {
capability dac_read_search,
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,
@{bin}/gpg{,2} mr,
@{bin}/gpgconf mr,
@{bin}/gpgsm mr,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,
@{bin}/dirmngr rix,
@{bin}/gpg-agent rix,
@{bin}/gpg-connect-agent rix,
/etc/pacman.d/gnupg/ rw,
/etc/pacman.d/gnupg/** rwkl,

2
apparmor.d/groups/pacman/pacman-conf
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pacman-conf
@{exec_path} = @{bin}/pacman-conf
profile pacman-conf @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

12
apparmor.d/groups/pacman/pacman-hook-code
View file

@ -14,13 +14,13 @@ profile pacman-hook-code @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba}sh rix,
/{usr/,}bin/env rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/sed rix,
@{bin}/{,ba}sh rix,
@{bin}/env rix,
@{bin}/grep rix,
@{bin}/sed rix,
/{usr/,}lib/code/product.json rw,
/{usr/,}lib/code/sed?????? rw,
@{lib}/code/product.json rw,
@{lib}/code/sed?????? rw,
/dev/tty rw,

6
apparmor.d/groups/pacman/pacman-hook-dconf
View file

@ -14,9 +14,9 @@ profile pacman-hook-dconf @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/dconf rPx,
@{bin}/bash rix,
@{bin}/rm rix,
@{bin}/dconf rPx,
/etc/dconf/db/{,**} rw,

12
apparmor.d/groups/pacman/pacman-hook-depmod
View file

@ -14,12 +14,12 @@ profile pacman-hook-depmod @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/basename rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/depmod rPx,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/depmod rPx,
@{bin}/kmod rPx,
@{bin}/rm rix,
@{bin}/rmdir rix,
/usr/lib/modules/*/{,**} rw,

8
apparmor.d/groups/pacman/pacman-hook-dkms
View file

@ -17,10 +17,10 @@ profile pacman-hook-dkms @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/dkms rPx,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/nproc rix,
@{bin}/bash rix,
@{bin}/dkms rPx,
@{bin}/kmod rPx,
@{bin}/nproc rix,
/usr/src/ r,
/usr/src/**.conf r,

6
apparmor.d/groups/pacman/pacman-hook-fontconfig
View file

@ -14,9 +14,9 @@ profile pacman-hook-fontconfig @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/rm rix,
@{bin}/bash rix,
@{bin}/ln rix,
@{bin}/rm rix,
/etc/fonts/conf.d/* rwl,
/usr/share/fontconfig/conf.default/* r,

10
apparmor.d/groups/pacman/pacman-hook-gio
View file

@ -14,12 +14,12 @@ profile pacman-hook-gio @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/gio-querymodules rPx,
@{bin}/bash rix,
@{bin}/rmdir rix,
@{bin}/gio-querymodules rPx,
/{usr/,}lib/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw,
/{usr/,}lib/gtk-{3,4}.0/**/*/ rw,
@{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw,
@{lib}/gtk-{3,4}.0/**/*/ rw,
/usr/lib/gio/modules/ rw,

10
apparmor.d/groups/pacman/pacman-hook-gtk
View file

@ -14,12 +14,12 @@ profile pacman-hook-gtk @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/rmdir rix,
@{bin}/bash rix,
@{bin}/rm rix,
@{bin}/rmdir rix,
/{usr/,}bin/gtk-update-icon-cache rPx,
/{usr/,}bin/gtk4-update-icon-cache rPx,
@{bin}/gtk-update-icon-cache rPx,
@{bin}/gtk4-update-icon-cache rPx,
/usr/share/icons/{,**} rw,

24
apparmor.d/groups/pacman/pacman-hook-mkinitcpio
View file

@ -18,18 +18,18 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/compgen rix,
/{usr/,}bin/env rix,
/{usr/,}bin/install rix,
/{usr/,}bin/mkinitcpio rPx,
/{usr/,}bin/mv rix,
/{usr/,}bin/od rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/stat rix,
@{bin}/bash rix,
@{bin}/cmp rix,
@{bin}/compgen rix,
@{bin}/env rix,
@{bin}/install rix,
@{bin}/mkinitcpio rPx,
@{bin}/mv rix,
@{bin}/od rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/sort rix,
@{bin}/stat rix,
/usr/share/mkinitcpio/*.preset r,

10
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove
View file

@ -15,11 +15,11 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/cmp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
@{bin}/bash rix,
@{bin}/cmp rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sed rix,
/usr/share/mkinitcpio/*.preset r,
/etc/mkinitcpio.d/*.preset rw,

12
apparmor.d/groups/pacman/pacman-hook-perl
View file

@ -15,13 +15,13 @@ profile pacman-hook-perl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/perl rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/find rix,
/{usr/,}bin/pacman rPx,
/{usr/,}bin/sed rix,
@{bin}/perl rix,
@{bin}/bash rix,
@{bin}/find rix,
@{bin}/pacman rPx,
@{bin}/sed rix,
/{usr/,}lib/perl[0-9]*/{,**} r,
@{lib}/perl[0-9]*/{,**} r,
/dev/tty rw,

22
apparmor.d/groups/pacman/pacman-hook-systemd
View file

@ -15,18 +15,18 @@ profile pacman-hook-systemd @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/bash rix,
/{usr/,}bin/touch rix,
@{bin}/bash rix,
@{bin}/touch rix,
/{usr/,}bin/journalctl rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/systemd-hwdb rPx,
/{usr/,}bin/systemd-sysusers rPx,
/{usr/,}bin/systemd-tmpfiles rPx,
/{usr/,}bin/udevadm rPx,
/{usr/,}lib/systemd/systemd-binfmt rPx,
/{usr/,}lib/systemd/systemd-sysctl rPx,
@{bin}/journalctl rPx,
@{bin}/systemctl rPx -> child-systemctl,
@{bin}/systemd-detect-virt rPx,
@{bin}/systemd-hwdb rPx,
@{bin}/systemd-sysusers rPx,
@{bin}/systemd-tmpfiles rPx,
@{bin}/udevadm rPx,
@{lib}/systemd/systemd-binfmt rPx,
@{lib}/systemd/systemd-sysctl rPx,
/usr/ rw,

32
apparmor.d/groups/pacman/pacman-key
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/pacman-key
@{exec_path} = @{bin}/pacman-key
profile pacman-key @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -16,18 +16,18 @@ profile pacman-key @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/basename rix,
/{usr/,}bin/bash rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/grep rix,
/{usr/,}bin/pacman-conf rPx,
/{usr/,}bin/touch rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/vercmp rix,
/{usr/,}bin/wc rix,
@{bin}/basename rix,
@{bin}/bash rix,
@{bin}/chmod rix,
@{bin}/{m,g,}awk rix,
@{bin}/gettext rix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/grep rix,
@{bin}/pacman-conf rPx,
@{bin}/touch rix,
@{bin}/tput rix,
@{bin}/vercmp rix,
@{bin}/wc rix,
/usr/share/makepkg/{,**} r,
/usr/share/pacman/keyrings/{,*} r,
@ -45,9 +45,9 @@ profile pacman-key @{exec_path} {
capability dac_read_search,
capability mknod,
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
@{bin}/gpg{,2} mr,
@{bin}/dirmngr rix,
@{bin}/gpg-agent rix,
/usr/share/pacman/keyrings/{,*} r,

4
apparmor.d/groups/pacman/reflector
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/reflector
@{exec_path} = @{bin}/reflector
profile reflector @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -21,7 +21,7 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
network netlink raw,
@{exec_path} mr,
/{usr/,}bin/ r,
@{bin}/ r,
/etc/xdg/reflector/reflector.conf r,
/etc/pacman.d/mirrorlist rw,