refactor(profiles): use @{bin} and @{lib} in profiles (2)

2023-07-09 13:30:27 +01:00 · 2023-07-09 13:30:27 +01:00 · 2eed3b725f
commit 2eed3b725f
parent bb71f49598
101 changed files with 538 additions and 538 deletions
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@ -12,7 +12,7 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to /{usr/,}bin/dpkg by default
+# Do not attach to @{bin}/dpkg by default
 profile child-dpkg {
  include <abstractions/base>
  include <abstractions/consoles>
@ -21,14 +21,14 @@ profile child-dpkg {
  capability dac_read_search,
  capability setgid,

-  /{usr/,}bin/dpkg mr,
+  @{bin}/dpkg mr,

  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
-  /{usr/,}bin/dpkg-query rpx,
-  /{usr/,}bin/dpkg-deb rPx,
-  /{usr/,}bin/dpkg-split rPx,
+  @{bin}/dpkg-query rpx,
+  @{bin}/dpkg-deb rPx,
+  @{bin}/dpkg-split rPx,

  /etc/dpkg/dpkg.cfg.d/{,*} r,
  /etc/dpkg/dpkg.cfg r,
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@ -12,11 +12,11 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to /{usr/,}bin/dpkg-divert by default
+# Do not attach to @{bin}/dpkg-divert by default
 profile child-dpkg-divert {
  include <abstractions/base>

-  /{usr/,}bin/dpkg-divert mr,
+  @{bin}/dpkg-divert mr,

  /var/lib/dpkg/arch r,
  /var/lib/dpkg/status r,
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -6,7 +6,7 @@
 # intended to be used only via "Px -> child-open" exec transitions
 # from other profiles. 

-# Instead of allowing the run of all software in /{usr/,}bin/, the purpose of
+# Instead of allowing the run of all software in @{bin}/, the purpose of
 # this profile is to list all GUI program that can open resources.

 # Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
@ -21,71 +21,71 @@ profile child-open {
  include <abstractions/base>
  include <abstractions/xdg-open>

-  /{usr/,}bin/exo-open                                     mr,
-  /{usr/,}bin/xdg-open                                     mr,
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mrix,
-  /{usr/,}lib/gio-launch-desktop                           mrix,
+  @{bin}/exo-open                                     mr,
+  @{bin}/xdg-open                                     mr,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mrix,
+  @{lib}/gio-launch-desktop                           mrix,

-  /{usr/,}bin/{,ba,da}sh        rix,
-  /{usr/,}bin/{,m,g}awk         rix,
-  /{usr/,}bin/basename          rix,
-  /{usr/,}bin/readlink          rix,
+  @{bin}/{,ba,da}sh        rix,
+  @{bin}/{,m,g}awk         rix,
+  @{bin}/basename          rix,
+  @{bin}/readlink          rix,

  # Sandbox managers
-  /{usr/,}bin/bwrap            rPUx,
-  /{usr/,}bin/firejail         rPUx,
-  /{usr/,}bin/flatpak          rPUx,
-  /{usr/,}bin/snap             rPUx,
+  @{bin}/bwrap            rPUx,
+  @{bin}/firejail         rPUx,
+  @{bin}/flatpak          rPUx,
+  @{bin}/snap             rPUx,

  # Files explorer
-  /{usr/,}bin/nautilus          rPx,
+  @{bin}/nautilus          rPx,

  # Firefox
-  /{usr/,}bin/firefox{,.sh,-esr,-bin}                                            rPx,
-  /{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}            rPx,
+  @{bin}/firefox{,.sh,-esr,-bin}                                                 rPx,
+  @{lib}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                         rPx,
  /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                           rPx,
  # Brave
  /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin}          rPx,
  # Chromium
-  /{usr/,}lib/chromium/chromium                                                  rPx,
+  @{lib}/chromium/chromium                                                       rPx,
  # Chrome
  /opt/google/chrome{,-beta,-stable,-unstable}/chrome{,-beta,-stable,-unstable}  rPx,
  # Opera
-  /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}     rPx,
+  @{lib}/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}          rPx,

  # Text editors
-  /{usr/,}bin/code              rPx,
-  /{usr/,}bin/gedit            rPUx,
+  @{bin}/code                  rPx,
+  @{bin}/gedit                 rPUx,
  /usr/share/code/{bin/,}code   rPx,

  # Others
-  /{usr/,}bin/*Foliate         rPUx,
-  /{usr/,}bin/discord{,-ptb}    rPx,
-  /{usr/,}bin/draw.io          rPUx,
-  /{usr/,}bin/dropbox           rPx,
-  /{usr/,}bin/engrampa          rPx,
-  /{usr/,}bin/eog              rPUx,
-  /{usr/,}bin/evince            rPx,
-  /{usr/,}bin/filezilla         rPx,
-  /{usr/,}bin/file-roller      rPUx,
-  /{usr/,}bin/flameshot         rPx,
-  /{usr/,}bin/geany             rPx,
-  /{usr/,}bin/gnome-calculator rPUx,
-  /{usr/,}bin/gnome-disk-image-mounter rPx,
-  /{usr/,}bin/gnome-disks       rPx,
-  /{usr/,}bin/kgx               rPx,
-  /{usr/,}bin/okular            rPx,
-  /{usr/,}bin/qbittorrent       rPx,
-  /{usr/,}bin/qpdfview          rPx,
-  /{usr/,}bin/smplayer          rPx,
-  /{usr/,}bin/spacefm           rPx,
-  /{usr/,}bin/teams            rPUx,
-  /{usr/,}bin/telegram-desktop  rPx,
-  /{usr/,}bin/thunderbird       rPx,
-  /{usr/,}bin/transmission-gtk  rPx,
-  /{usr/,}bin/viewnior         rPUx,
-  /{usr/,}bin/vlc               rPx,
-  /{usr/,}bin/xarchiver         rPx,
+  @{bin}/*Foliate         rPUx,
+  @{bin}/discord{,-ptb}    rPx,
+  @{bin}/draw.io          rPUx,
+  @{bin}/dropbox           rPx,
+  @{bin}/engrampa          rPx,
+  @{bin}/eog              rPUx,
+  @{bin}/evince            rPx,
+  @{bin}/file-roller      rPUx,
+  @{bin}/filezilla         rPx,
+  @{bin}/flameshot         rPx,
+  @{bin}/geany             rPx,
+  @{bin}/gnome-calculator rPUx,
+  @{bin}/gnome-disk-image-mounter rPx,
+  @{bin}/gnome-disks       rPx,
+  @{bin}/kgx               rPx,
+  @{bin}/okular            rPx,
+  @{bin}/qbittorrent       rPx,
+  @{bin}/qpdfview          rPx,
+  @{bin}/smplayer          rPx,
+  @{bin}/spacefm           rPx,
+  @{bin}/teams            rPUx,
+  @{bin}/telegram-desktop  rPx,
+  @{bin}/thunderbird       rPx,
+  @{bin}/transmission-gtk  rPx,
+  @{bin}/viewnior         rPUx,
+  @{bin}/vlc               rPx,
+  @{bin}/xarchiver         rPx,

  include if exists <usr/child-open.d>
  include if exists <local/child-open>
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@ -13,7 +13,7 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to /{usr/,}bin/pager by default
+# Do not attach to @{bin}/pager by default
 profile child-pager {
  include <abstractions/base>
  include <abstractions/consoles>
@ -23,10 +23,10 @@ profile child-pager {

  signal (receive) set=(stop, cont, term, kill),

-  /{usr/,}bin/       r,
-  /{usr/,}bin/pager mr,
-  /{usr/,}bin/less  mr,
-  /{usr/,}bin/more  mr,
+  @{bin}/       r,
+  @{bin}/pager mr,
+  @{bin}/less  mr,
+  @{bin}/more  mr,

  @{system_share_dirs}/terminfo/{,**} r,

--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -13,7 +13,7 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to /{usr/,}bin/systemctl by default
+# Do not attach to @{bin}/systemctl by default
 profile child-systemctl flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) {
       interface=org.freedesktop.systemd[0-9].Manager
       member=GetUnitFileState,

-  /{usr/,}bin/systemctl mr,
+  @{bin}/systemctl mr,

  /etc/machine-id r,
  /etc/systemd/user/{,**} rwl,