felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(profiles): use @{bin} and @{lib} in profiles (3)

Browse source
This commit is contained in:
Alexandre Pujol 2023-07-09 14:09:55 +01:00
parent 2eed3b725f
commit 27daa7c9bb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
355 changed files with 1473 additions and 1472 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/groups/systemd/bootctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/bootctl
@{exec_path} = @{bin}/bootctl
profile bootctl @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@ -20,9 +20,9 @@ profile bootctl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r,

8
apparmor.d/groups/systemd/busctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/busctl
@{exec_path} = @{bin}/busctl
profile busctl @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -15,9 +15,9 @@ profile busctl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/comm r,

16
apparmor.d/groups/systemd/coredumpctl
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/coredumpctl
@{exec_path} = @{bin}/coredumpctl
profile coredumpctl @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -18,11 +18,11 @@ profile coredumpctl @{exec_path} flags=(complain) {
@{exec_path} mr,
/{usr/,}bin/gdb rCx -> gdb,
@{bin}/gdb rCx -> gdb,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
@ -49,10 +49,10 @@ profile coredumpctl @{exec_path} flags=(complain) {
ptrace (trace),
/{usr/,}bin/gdb mr,
/{usr/,}bin/iconv rix,
@{bin}/gdb mr,
@{bin}/iconv rix,
/{usr/,}{s,}bin/* r,
@{bin}/* r,
/usr/share/gcc-[0-9]*/python/{,**} r,
/usr/share/gcc/** r,

2
apparmor.d/groups/systemd/hostnamectl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/hostnamectl
@{exec_path} = @{bin}/hostnamectl
profile hostnamectl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

8
apparmor.d/groups/systemd/journalctl
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/journalctl
@{exec_path} = @{bin}/journalctl
profile journalctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -23,9 +23,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/var/lib/dbus/machine-id r,
/etc/machine-id r,

8
apparmor.d/groups/systemd/localectl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/localectl
@{exec_path} = @{bin}/localectl
profile localectl @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@ -15,9 +15,9 @@ profile localectl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/usr/share/kbd/keymaps/{,**} r,

6
apparmor.d/groups/systemd/loginctl
View file

@ -27,9 +27,9 @@ profile loginctl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
include if exists <local/loginctl>
}

8
apparmor.d/groups/systemd/networkctl
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/networkctl
@{exec_path} = @{bin}/networkctl
profile networkctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -31,9 +31,9 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/etc/udev/hwdb.bin r,
/var/lib/dbus/machine-id r,

2
apparmor.d/groups/systemd/systemd-ac-power
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-ac-power
@{exec_path} = @{lib}/systemd/systemd-ac-power
profile systemd-ac-power @{exec_path} {
include <abstractions/base>

14
apparmor.d/groups/systemd/systemd-analyze
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-analyze
@{exec_path} = @{bin}/systemd-analyze
profile systemd-analyze @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -36,15 +36,15 @@ profile systemd-analyze @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/systemd/system-environment-generators/* rix,
@{lib}/systemd/system-environment-generators/* rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/man rPx,
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/man rPx,
/usr/ r,
/{usr/,}lib/systemd/** r,
@{lib}/systemd/** r,
/etc/default/locale r,
/etc/locale.conf r,

2
apparmor.d/groups/systemd/systemd-ask-password
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-ask-password
@{exec_path} = @{bin}/systemd-ask-password
profile systemd-ask-password @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/systemd/systemd-backlight
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-backlight
@{exec_path} = @{lib}/systemd/systemd-backlight
profile systemd-backlight @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-binfmt
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-binfmt
@{exec_path} = @{lib}/systemd/systemd-binfmt
profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

4
apparmor.d/groups/systemd/systemd-cat
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-cat
@{exec_path} = @{bin}/systemd-cat
profile systemd-cat @{exec_path} {
include <abstractions/base>
@ -14,7 +14,7 @@ profile systemd-cat @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/cat rix,
@{bin}/cat rix,
include if exists <local/systemd-cat>
}

8
apparmor.d/groups/systemd/systemd-cgls
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-cgls
@{exec_path} = @{bin}/systemd-cgls
profile systemd-cgls @{exec_path} {
include <abstractions/base>
@ -14,9 +14,9 @@ profile systemd-cgls @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{sys}/fs/cgroup/{,**} r,

8
apparmor.d/groups/systemd/systemd-cgtop
View file

@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-cgtop
@{exec_path} = @{bin}/systemd-cgtop
profile systemd-cgtop @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{sys}/fs/cgroup/{,**} r,

6
apparmor.d/groups/systemd/systemd-coredump
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-coredump
@{exec_path} = @{lib}/systemd/systemd-coredump
profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -27,9 +27,9 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
@{exec_path} mr,
@{libexec}/** r,
@{lib}/** r,
/ r,
/{usr/,}{s,}bin/* r,
@{bin}/* r,
/opt/** r,
/etc/systemd/coredump.conf r,

2
apparmor.d/groups/systemd/systemd-cryptsetup
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-cryptsetup
@{exec_path} = @{lib}/systemd/systemd-cryptsetup
profile systemd-cryptsetup @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

4
apparmor.d/groups/systemd/systemd-delta
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-delta
@{exec_path} = @{bin}/systemd-delta
profile systemd-delta @{exec_path} {
include <abstractions/base>
@ -14,7 +14,7 @@ profile systemd-delta @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
@{bin}/less rPx -> child-pager,
/etc/binfmt.d/{,**} r,
/etc/modprobe.d/{,**} r,

2
apparmor.d/groups/systemd/systemd-detect-virt
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-detect-virt
@{exec_path} = @{bin}/systemd-detect-virt
profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

10
apparmor.d/groups/systemd/systemd-dissect
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-dissect
@{exec_path} = @{bin}/systemd-dissect
profile systemd-dissect @{exec_path} {
include <abstractions/base>
@ -19,10 +19,10 @@ profile systemd-dissect @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/fsck rPx,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/fsck rPx,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
# Location of file system OS images
@{user_build_dirs}/{,**} r,

10
apparmor.d/groups/systemd/systemd-environment-d-generator
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/user-environment-generators/*
@{exec_path} = @{lib}/systemd/user-environment-generators/*
profile systemd-environment-d-generator @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@ -14,10 +14,10 @@ profile systemd-environment-d-generator @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/flatpak rPUx,
/{usr/,}bin/gpgconf rPx,
/{usr/,}bin/{m,g,}awk rix,
@{bin}/{,ba,da}sh rix,
@{bin}/flatpak rPUx,
@{bin}/gpgconf rPx,
@{bin}/{m,g,}awk rix,
@{etc_ro}/environment r,
@{etc_ro}/environment.d/{,**} r,

2
apparmor.d/groups/systemd/systemd-escape
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-escape
@{exec_path} = @{bin}/systemd-escape
profile systemd-escape @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

8
apparmor.d/groups/systemd/systemd-fsck
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-fsck
@{exec_path} = @{lib}/systemd/systemd-fsck
profile systemd-fsck @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/e2fsck rPx,
/{usr/,}{s,}bin/fsck rPx,
/{usr/,}{s,}bin/fsck.* rPx,
@{bin}/e2fsck rPx,
@{bin}/fsck rPx,
@{bin}/fsck.* rPx,
owner @{run}/systemd/quotacheck w,
owner @{run}/systemd/fsck.progress rw,

2
apparmor.d/groups/systemd/systemd-fsckd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-fsckd
@{exec_path} = @{lib}/systemd/systemd-fsckd
profile systemd-fsckd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

10
apparmor.d/groups/systemd/systemd-homed
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-homed
@{exec_path} = @{lib}/systemd/systemd-homed
profile systemd-homed @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>
@ -40,10 +40,10 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/systemd/systemd-homework rPx,
/{usr/,}{s,}bin/mkfs.btrfs rPx,
/{usr/,}{s,}bin/mkfs.fat rPx,
/{usr/,}{s,}bin/mke2fs rPx,
@{lib}/systemd/systemd-homework rPx,
@{bin}/mkfs.btrfs rPx,
@{bin}/mkfs.fat rPx,
@{bin}/mke2fs rPx,
/etc/machine-id r,
/etc/systemd/homed.conf r,

2
apparmor.d/groups/systemd/systemd-homework
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-homework
@{exec_path} = @{lib}/systemd/systemd-homework
profile systemd-homework @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/systemd/systemd-hostnamed
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-hostnamed
@{exec_path} = @{lib}/systemd/systemd-hostnamed
profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

6
apparmor.d/groups/systemd/systemd-hwdb
View file

@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-hwdb
@{exec_path} = @{bin}/systemd-hwdb
profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
/{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
/{usr/,}lib/udev/hwdb.bin w,
@{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* w,
@{lib}/udev/hwdb.bin w,
/etc/udev/.#hwdb.bind* rw,
/etc/udev/hwdb.bin rw,

2
apparmor.d/groups/systemd/systemd-id128
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-id128
@{exec_path} = @{bin}/systemd-id128
profile systemd-id128 @{exec_path} {
include <abstractions/base>

4
apparmor.d/groups/systemd/systemd-inhibit
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-inhibit
@{exec_path} = @{bin}/systemd-inhibit
profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -16,7 +16,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/cat rix,
@{bin}/cat rix,
@{run}/systemd/inhibit/*.ref rw,

2
apparmor.d/groups/systemd/systemd-journald
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-journald
@{exec_path} = @{lib}/systemd/systemd-journald
profile systemd-journald @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/systemd/systemd-localed
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-localed
@{exec_path} = @{lib}/systemd/systemd-localed
profile systemd-localed @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/systemd/systemd-logind
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-logind
@{exec_path} = @{lib}/systemd/systemd-logind
profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/systemd/systemd-machine-id-setup
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-machine-id-setup
@{exec_path} = @{bin}/systemd-machine-id-setup
profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/systemd/systemd-machined
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-machined
@{exec_path} = @{lib}/systemd/systemd-machined
profile systemd-machined @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>

6
apparmor.d/groups/systemd/systemd-makefs
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-makefs
@{exec_path} = @{lib}/systemd/systemd-makefs
profile systemd-makefs @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/mkswap rPx,
/{usr/,}bin/mkfs.* rPx,
@{bin}/mkfs.* rPx,
@{bin}/mkswap rPx,
include if exists <local/systemd-makefs>
}

2
apparmor.d/groups/systemd/systemd-modules-load
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-modules-load
@{exec_path} = @{lib}/systemd/systemd-modules-load
profile systemd-modules-load @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

10
apparmor.d/groups/systemd/systemd-mount
View file

@ -6,17 +6,17 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-mount
@{exec_path} += /{usr/,}bin/systemd-umount
@{exec_path} = @{bin}/systemd-mount
@{exec_path} += @{bin}/systemd-umount
profile systemd-mount @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{sys}/bus/ r,
@{sys}/class/ r,

2
apparmor.d/groups/systemd/systemd-networkd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-networkd
@{exec_path} = @{lib}/systemd/systemd-networkd
profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/systemd/systemd-networkd-wait-online
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-networkd-wait-online
@{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-oomd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-oomd
@{exec_path} = @{lib}/systemd/systemd-oomd
profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-path
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-path
@{exec_path} = @{bin}/systemd-path
profile systemd-path @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/systemd/systemd-portabled
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-portabled
@{exec_path} = @{lib}/systemd/systemd-portabled
profile systemd-portabled @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/systemd/systemd-random-seed
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-random-seed
@{exec_path} = @{lib}/systemd/systemd-random-seed
profile systemd-random-seed @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

4
apparmor.d/groups/systemd/systemd-remount-fs
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-remount-fs
@{exec_path} = @{lib}/systemd/systemd-remount-fs
profile systemd-remount-fs @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -21,7 +21,7 @@ profile systemd-remount-fs @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/mount rix,
@{bin}/mount rix,
/etc/fstab r,

4
apparmor.d/groups/systemd/systemd-resolve
View file

@ -6,8 +6,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/resolvectl
@{exec_path} += /{usr/,}bin/systemd-resolve
@{exec_path} = @{bin}/resolvectl
@{exec_path} += @{bin}/systemd-resolve
profile systemd-resolve @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/systemd/systemd-resolved
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-resolved
@{exec_path} = @{lib}/systemd/systemd-resolved
profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/systemd/systemd-rfkill
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-rfkill
@{exec_path} = @{lib}/systemd/systemd-rfkill
profile systemd-rfkill @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-shutdown
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-shutdown
@{exec_path} = @{lib}/systemd/systemd-shutdown
profile systemd-shutdown @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/systemd-common>

14
apparmor.d/groups/systemd/systemd-sleep
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sleep
@{exec_path} = @{lib}/systemd/systemd-sleep
profile systemd-sleep @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -19,12 +19,12 @@ profile systemd-sleep @{exec_path} {
@{exec_path} mr,
/{usr/,}lib/systemd/system-sleep/grub2.sleep rPx,
/{usr/,}lib/systemd/system-sleep/hdparm rPx,
/{usr/,}lib/systemd/system-sleep/nvidia rPx,
/{usr/,}lib/systemd/system-sleep/sysstat.sleep rPx,
/{usr/,}lib/systemd/system-sleep/tlp rPx,
/{usr/,}lib/systemd/system-sleep/unattended-upgrades rPx,
@{lib}/systemd/system-sleep/grub2.sleep rPx,
@{lib}/systemd/system-sleep/hdparm rPx,
@{lib}/systemd/system-sleep/nvidia rPx,
@{lib}/systemd/system-sleep/sysstat.sleep rPx,
@{lib}/systemd/system-sleep/tlp rPx,
@{lib}/systemd/system-sleep/unattended-upgrades rPx,
/etc/systemd/sleep.conf r,
/etc/systemd/sleep.conf.d/{,*} r,

8
apparmor.d/groups/systemd/systemd-sleep-grub2
View file

@ -6,15 +6,15 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/system-sleep/grub2.sleep
@{exec_path} = @{lib}/systemd/system-sleep/grub2.sleep
profile systemd-sleep-grub @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/uname rix,
@{bin}/{,ba,da}sh rix,
@{bin}/grep rix,
@{bin}/uname rix,
/etc/sysconfig/bootloader r,

2
apparmor.d/groups/systemd/systemd-sleep-hdparm
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/system-sleep/hdparm
@{exec_path} = @{lib}/systemd/system-sleep/hdparm
profile systemd-sleep-hdparm @{exec_path} {
include <abstractions/base>

12
apparmor.d/groups/systemd/systemd-sleep-nvidia
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/system-sleep/nvidia
@{exec_path} = @{lib}/systemd/system-sleep/nvidia
profile systemd-sleep-nvidia @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -16,11 +16,11 @@ profile systemd-sleep-nvidia @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nvidia-sleep.sh rix,
/{usr/,}bin/chvt rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/rm rix,
@{bin}/{,ba,da}sh rix,
@{bin}/nvidia-sleep.sh rix,
@{bin}/chvt rix,
@{bin}/cat rix,
@{bin}/rm rix,
@{run}/nvidia-sleep/* rw,

2
apparmor.d/groups/systemd/systemd-sleep-sysstat
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/system-sleep/sysstat.sleep
@{exec_path} = @{lib}/systemd/system-sleep/sysstat.sleep
profile systemd-sleep-sysstat @{exec_path} {
include <abstractions/base>

4
apparmor.d/groups/systemd/systemd-sleep-tlp
View file

@ -6,13 +6,13 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/system-sleep/tlp
@{exec_path} = @{lib}/systemd/system-sleep/tlp
profile systemd-sleep-tlp @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/tlp rPUx,
@{bin}/tlp rPUx,
include if exists <local/systemd-sleep-tlp>
}

2
apparmor.d/groups/systemd/systemd-sleep-upgrades
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/system-sleep/unattended-upgrades
@{exec_path} = @{lib}/systemd/system-sleep/unattended-upgrades
profile systemd-sleep-upgrades @{exec_path} {
include <abstractions/base>

4
apparmor.d/groups/systemd/systemd-sulogin-shell
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sulogin-shell
@{exec_path} = @{lib}/systemd/systemd-sulogin-shell
profile systemd-sulogin-shell @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@ -16,7 +16,7 @@ profile systemd-sulogin-shell @{exec_path} {
@{exec_path} mr,
/{usr/,}{s,}bin/sulogin rPx,
@{bin}/sulogin rPx,
include if exists <local/systemd-sulogin-shell>
}

2
apparmor.d/groups/systemd/systemd-sysctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
@{exec_path} = @{lib}/systemd/systemd-sysctl
profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/groups/systemd/systemd-sysusers
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-sysusers
@{exec_path} = @{bin}/systemd-sysusers
profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-timedated
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-timedated
@{exec_path} = @{lib}/systemd/systemd-timedated
profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/systemd/systemd-timesyncd
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
@{exec_path} = @{lib}/systemd/systemd-timesyncd
profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/systemd/systemd-tmpfiles
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-tmpfiles
@{exec_path} = @{bin}/systemd-tmpfiles
profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-tty-ask-password-agent
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-tty-ask-password-agent
@{exec_path} = @{bin}/systemd-tty-ask-password-agent
profile systemd-tty-ask-password-agent @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

54
apparmor.d/groups/systemd/systemd-udevd
View file

@ -7,8 +7,8 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/udevadm
@{exec_path} += /{usr/,}lib/systemd/systemd-udevd
@{exec_path} = @{bin}/udevadm
@{exec_path} += @{lib}/systemd/systemd-udevd
profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -36,33 +36,33 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chgrp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/mknod rPx,
/{usr/,}bin/nohup rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/setfacl rix,
/{usr/,}bin/snap rPx,
/{usr/,}bin/unshare rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/chgrp rix,
@{bin}/chmod rix,
@{bin}/cut rix,
@{bin}/ln rix,
@{bin}/logger rix,
@{bin}/mknod rPx,
@{bin}/nohup rix,
@{bin}/perl rix,
@{bin}/readlink rix,
@{bin}/setfacl rix,
@{bin}/snap rPx,
@{bin}/unshare rix,
/{usr/,}{s,}bin/* rpux,
audit /{usr/,}{s,}bin/lvm rux,
@{bin}/* rpux,
audit @{bin}/lvm rux,
/{usr/,}lib/pm-utils/power.d/* rPUx,
/{usr/,}lib/snapd/snap-device-helper rPx,
/{usr/,}lib/crda/* rPUx,
/{usr/,}lib/gdm-runtime-config rPx,
/{usr/,}lib/systemd/systemd-* rPx,
@{libexec}/nfsrahead rPUx,
/{usr/,}lib/udev/* rPUx,
/{usr/,}lib/open-iscsi/net-interface-handler rPUx,
@{lib}/pm-utils/power.d/* rPUx,
@{lib}/snapd/snap-device-helper rPx,
@{lib}/crda/* rPUx,
@{lib}/gdm-runtime-config rPx,
@{lib}/systemd/systemd-* rPx,
@{lib}/nfsrahead rPUx,
@{lib}/udev/* rPUx,
@{lib}/open-iscsi/net-interface-handler rPUx,
/usr/share/hplip/config_usb_printer.py rPUx,
/etc/console-setup/*.sh rPUx,

2
apparmor.d/groups/systemd/systemd-update-done
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-update-done
@{exec_path} = @{lib}/systemd/systemd-update-done
profile systemd-update-done @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/systemd/systemd-update-utmp
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp
@{exec_path} = @{lib}/systemd/systemd-update-utmp
profile systemd-update-utmp @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

2
apparmor.d/groups/systemd/systemd-user-runtime-dir
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-user-runtime-dir
@{exec_path} = @{lib}/systemd/systemd-user-runtime-dir
profile systemd-user-runtime-dir @{exec_path} {
include <abstractions/base>
include <abstractions/dbus-strict>

2
apparmor.d/groups/systemd/systemd-user-sessions
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions
@{exec_path} = @{lib}/systemd/systemd-user-sessions
profile systemd-user-sessions @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>

4
apparmor.d/groups/systemd/systemd-userdbd
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-userdbd
@{exec_path} = @{lib}/systemd/systemd-userdbd
profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -23,7 +23,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}lib/systemd/systemd-userwork rix,
@{lib}/systemd/systemd-userwork rix,
/etc/shadow r,
/etc/machine-id r,

2
apparmor.d/groups/systemd/systemd-userwork
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-userwork
@{exec_path} = @{lib}/systemd/systemd-userwork
profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

12
apparmor.d/groups/systemd/systemd-vconsole-setup
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-vconsole-setup
@{exec_path} = @{lib}/systemd/systemd-vconsole-setup
profile systemd-vconsole-setup @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -21,11 +21,11 @@ profile systemd-vconsole-setup @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/loadkeys rix,
/{usr/,}bin/setfont rix,
/{usr/,}bin/gzip rix,
@{bin}/{,ba,da}sh rix,
@{bin}/gzip rix,
@{bin}/loadkeys rix,
@{bin}/setfont rix,
@{bin}/gzip rix,
/ r,
/usr/share/kbd/{,**} r,

8
apparmor.d/groups/systemd/userdbctl
View file

@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/userdbctl
@{exec_path} = @{bin}/userdbctl
profile userdbctl @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -16,9 +16,9 @@ profile userdbctl @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
/{usr/,}bin/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/etc/shadow r,
/etc/gshadow r,

8
apparmor.d/groups/systemd/zram-generator
View file

@ -6,16 +6,16 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/system-generators/zram-generator
@{exec_path} = @{lib}/systemd/system-generators/zram-generator
profile zram-generator @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
@{exec_path} mr,
/{usr/,}bin/kmod rix,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}lib/systemd/systemd-makefs rPx,
@{bin}/kmod rix,
@{bin}/systemd-detect-virt rPx,
@{lib}/systemd/systemd-makefs rPx,
/etc/systemd/zram-generator.conf r,