refactor(profiles): use @{bin} and @{lib} in profiles (7)

Alexandre Pujol 2023-07-09 14:59:53 +01:00
parent 7c2c806ffa
commit 2b2c42d23c
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
155 changed files with 938 additions and 938 deletions


@ -22,57 +22,56 @@ profile spectre-meltdown-checker @{exec_path} {
ptrace (read),
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/ r,
/{usr/,}bin/dirname rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/{,g,m}awk rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/od rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/id rix,
/{usr/,}bin/gunzip rix,
/{usr/,}bin/gzip rix,
/{usr/,}bin/zstd rix,
/{usr/,}bin/bunzip2 rix,
/{usr/,}bin/lzop rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/tr rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/tail rix,
/{usr/,}bin/xz rix,
/{usr/,}bin/seq rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/base64 rix,
/{usr/,}bin/unzip rix,
/{usr/,}bin/{,@{multiarch}-}readelf rix,
/{usr/,}bin/{,@{multiarch}-}strings rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix,
/{usr/,}{s,}bin/iucode_tool rix,
/{usr/,}{s,}bin/rdmsr rix,
/{usr/,}bin/dmesg rix,
/{usr/,}{s,}bin/mount rix,
/{usr/,}bin/find rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/date rix,
/{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod,
@{bin}/ r,
@{bin}/{,@{multiarch}-}objdump rix,
@{bin}/{,@{multiarch}-}readelf rix,
@{bin}/{,@{multiarch}-}strings rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/{,g,m}awk rix,
@{bin}/base64 rix,
@{bin}/basename rix,
@{bin}/bunzip2 rix,
@{bin}/cat rix,
@{bin}/ccache rCx -> ccache,
@{bin}/cut rix,
@{bin}/date rix,
@{bin}/dd rix,
@{bin}/dirname rix,
@{bin}/dmesg rix,
@{bin}/find rix,
@{bin}/gunzip rix,
@{bin}/gzip rix,
@{bin}/head rix,
@{bin}/id rix,
@{bin}/iucode_tool rix,
@{bin}/kmod rCx -> kmod,
@{bin}/lzop rix,
@{bin}/mktemp rix,
@{bin}/mount rix,
@{bin}/nproc rix,
@{bin}/od rix,
@{bin}/perl rix,
@{bin}/pgrep rCx -> pgrep,
@{bin}/rdmsr rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/seq rix,
@{bin}/sort rix,
@{bin}/stat rix,
@{bin}/tail rix,
@{bin}/tr rix,
@{bin}/uname rix,
@{bin}/unzip rix,
@{bin}/xargs rix,
@{bin}/xz rix,
@{bin}/zstd rix,
# To fetch MCE.db from the MCExtractor project
/{usr/,}bin/wget rCx -> mcedb,
/{usr/,}bin/sqlite3 rCx -> mcedb,
@{bin}/wget rCx -> mcedb,
@{bin}/sqlite3 rCx -> mcedb,
owner /tmp/mcedb-* rw,
owner /tmp/smc-* rw,
owner /tmp/{,smc-}intelfw-*/ rw,
@ -116,11 +115,11 @@ profile spectre-meltdown-checker @{exec_path} {
profile ccache {
include <abstractions/base>
/{usr/,}bin/ccache mr,
@{bin}/ccache mr,
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/{,@{multiarch}-}gcc-[0-9]* rix,
/{usr/,}bin/{,@{multiarch}-}g++-[0-9]* rix,
@{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
/media/ccache/*/** rw,
@ -133,7 +132,7 @@ profile spectre-meltdown-checker @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/pgrep mr,
@{bin}/pgrep mr,
# The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
@{PROC}/ r,
@ -159,8 +158,8 @@ profile spectre-meltdown-checker @{exec_path} {
network inet6 stream,
network netlink raw,
/{usr/,}bin/wget mr,
/{usr/,}bin/sqlite3 mr,
@{bin}/wget mr,
@{bin}/sqlite3 mr,
/etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk,
@ -184,7 +183,7 @@ profile spectre-meltdown-checker @{exec_path} {
owner @{sys}/module/cpuid/** r,
owner @{sys}/module/msr/** r,
/{usr/,}bin/kmod mr,
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
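Review bot: The three tools previously matched under `/{usr/,}{s,}bin/` (`iucode_tool`, `rdmsr`, `mount`) are now written `@{bin}/…` like every other rule in the first hunk, so this is a pure refactor only if `@{bin}` expands to the same directory set each old rule had; its definition is not visible on this page. If the tunable includes the sbin directories, every `rix` and `rCx` rule here (including the `{,ba,da}sh` and `perl` interpreters) now also matches under sbin, and `@{lib}/llvm-[0-9]*/bin/clang` in the ccache sub-profile may likewise match more lib directories than `/{usr/,}lib`. If it does not, the three sbin tools lose coverage on systems with a separate sbin. I would record the assumption next to those rules, e.g. `# iucode_tool, mount, rdmsr: in sbin on some distributions, relies on @{bin} covering {,s}bin`, and state in the commit message that the match set changes. As a style point, the alphabetical sort scatters the `rCx -> ccache`, `rCx -> kmod` and `rCx -> pgrep` transitions among the `rix` rules, so keeping them in their own group would make the child-profile transitions easier to audit.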