refactor(profiles): use @{bin} and @{lib} in profiles (2)

Alexandre Pujol 2023-07-09 13:30:27 +01:00
parent bb71f49598
commit 2eed3b725f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
101 changed files with 538 additions and 538 deletions


@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/cron
@{exec_path} = @{bin}/cron
profile cron @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/app-launcher-root>
@ -28,13 +28,13 @@ profile cron @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/run-parts rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/nice rix,
@{bin}/ionice rix,
@{bin}/run-parts rPx,
/{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
/{usr/,}lib/sysstat/debian-sa1 rPUx,
@{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
@{lib}/sysstat/debian-sa1 rPUx,
/usr/share/rsync/scripts/rrsync rPUx,
/etc/cron.d/{,*} r,


@ -12,10 +12,10 @@ profile cron-anacron @{exec_path} {
@{exec_path} r,
/{usr/,}{s,}bin/anacron rPx,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/date rix,
@{bin}/anacron rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/cat rix,
@{bin}/date rix,
@{sys}/class/power_supply/ r,
@{sys}/devices/**/power_supply/{,**} r,


@ -12,9 +12,9 @@ profile cron-apport @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/find rix,
/{usr/,}bin/rm rix,
@{bin}/{,ba,da}sh rix,
@{bin}/find rix,
@{bin}/rm rix,
/ r,
/var/crash/ r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}sbin/cron-apt
@{exec_path} = @{bin}/cron-apt
profile cron-apt @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -16,36 +16,36 @@ profile cron-apt @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/dotlockfile rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/diff rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/rmdir rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/md5sum rix,
/{usr/,}bin/stat rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/expr rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/dd rix,
/{usr/,}bin/cksum rix,
/{usr/,}bin/{m,g,}awk rix,
/{usr/,}bin/sleep rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/ls rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/fold rix,
@{bin}/{,ba,da}sh rix,
@{bin}/dotlockfile rix,
@{bin}/sed rix,
@{bin}/mktemp rix,
@{bin}/diff rix,
@{bin}/mkdir rix,
@{bin}/rmdir rix,
@{bin}/rm rix,
@{bin}/{,e}grep rix,
@{bin}/md5sum rix,
@{bin}/stat rix,
@{bin}/date rix,
@{bin}/cat rix,
@{bin}/expr rix,
@{bin}/cp rix,
@{bin}/dd rix,
@{bin}/cksum rix,
@{bin}/{m,g,}awk rix,
@{bin}/sleep rix,
@{bin}/mv rix,
@{bin}/logger rix,
@{bin}/ls rix,
@{bin}/touch rix,
@{bin}/uname rix,
@{bin}/fold rix,
/{usr/,}bin/apt-get rPx,
/{usr/,}bin/apt-file rPx,
/{usr/,}bin/aptitude{,-curses} rPx,
/{usr/,}sbin/exim4 rPx,
@{bin}/apt-get rPx,
@{bin}/apt-file rPx,
@{bin}/aptitude{,-curses} rPx,
@{bin}/exim4 rPx,
/usr/share/cron-apt/{,*} r,
@ -70,7 +70,7 @@ profile cron-apt @{exec_path} {
/var/log/cron-apt/lastfullmessage rw,
# For the "ls" command
/{usr/,}lib/locale/locale-archive r,
@{lib}/locale/locale-archive r,
# TMP
/tmp/ r,
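Review bot: The attachment line `@{exec_path} = @{bin}/cron-apt` replaces a path that was only ever under sbin, so the profile now attaches only if the `@{bin}` tunable in tunables/global (not visible on this page) expands to both `{,s}bin`; if it were defined as `/{,usr/}bin` alone, cron-apt at `/usr/sbin/cron-apt` would run unconfined without any error at load time. The same dependency applies to `@{bin}/exim4 rPx,`, which also came from an sbin-only rule. Worth pinning with a comment next to the attachment, e.g. `# @{bin} must cover {,s}bin: cron-apt ships in /usr/sbin`, or a quick `aa-status` check that the profile is actually applied after the change. The cron-apt profile body continues past both hunks.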


@ -11,18 +11,18 @@ profile cron-apt-compat @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/on_ac_power rPx,
/{usr/,}bin/apt-config rPx,
/{usr/,}lib/apt/apt.systemd.daily rPx,
@{bin}/apt-config rPx,
@{lib}/apt/apt.systemd.daily rPx,
/{usr/,}bin/dd rix,
/{usr/,}bin/cksum rix,
/{usr/,}bin/cut rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/sleep rix,
@{bin}/dd rix,
@{bin}/cksum rix,
@{bin}/cut rix,
@{bin}/which{,.debianutils} rix,
@{bin}/sleep rix,
include if exists <local/cron-apt-compat>
}


@ -11,9 +11,9 @@ profile cron-apt-listbugs @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
@{lib}/ruby/vendor_ruby/aptlistbugs/prefclean rCx -> prefclean,
@{run}/systemd/system r,
@ -21,14 +21,14 @@ profile cron-apt-listbugs @{exec_path} {
profile prefclean {
include <abstractions/base>
/{usr/,}lib/ruby/vendor_ruby/aptlistbugs/prefclean mr,
@{lib}/ruby/vendor_ruby/aptlistbugs/prefclean mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
@{bin}/{,ba,da}sh rix,
@{bin}/mktemp rix,
@{bin}/rm rix,
@{bin}/cp rix,
@{bin}/date rix,
@{bin}/cat rix,
/var/spool/apt-listbugs/lastprefclean rw,


@ -11,9 +11,9 @@ profile cron-apt-show-versions @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/apt-show-versions rPx,
@{bin}/apt-show-versions rPx,
# For shell pwd
/ r,


@ -11,17 +11,17 @@ profile cron-apt-xapian-index @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/which{,.debianutils} rix,
@{bin}/{,e}grep rix,
/{usr/,}bin/nice rix,
/{usr/,}bin/ionice rix,
@{bin}/nice rix,
@{bin}/ionice rix,
/{usr/,}sbin/ r,
/{usr/,}sbin/update-apt-xapian-index rPx,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/ r,
@{bin}/update-apt-xapian-index rPx,
@{bin}/on_ac_power rPx,
# For shell pwd
/ r,
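Review bot: `@{bin}/ r,` widens the old `/{usr/,}sbin/ r,` from one directory listing to every directory `@{bin}` expands to, and nothing in the hunk says why the listing is needed at all. The likely reason is the `which{,.debianutils} rix` rule a few lines up, which stats each PATH directory while searching for `update-apt-xapian-index` and `on_ac_power`; if that is the reason, a comment such as `# Directory listing for which(1) PATH lookup` would make the grant reviewable, and if it is not, the rule should go back to the one directory that is actually read. The profile header and the `include if exists <local/...>` footer are outside the hunk.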


@ -11,20 +11,20 @@ profile cron-aptitude @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/date rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
@{bin}/cp rix,
@{bin}/date rix,
@{bin}/basename rix,
@{bin}/which{,.debianutils} rix,
@{bin}/dirname rix,
@{bin}/rm rix,
@{bin}/mv rix,
/{usr/,}bin/savelog rix,
/{usr/,}bin/cmp rix,
@{bin}/savelog rix,
@{bin}/cmp rix,
/{usr/,}bin/gzip rix,
@{bin}/gzip rix,
/var/lib/aptitude/pkgstates r,


@ -13,9 +13,9 @@ profile cron-cracklib @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/logger rix,
/{usr/,}sbin/update-cracklib rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/logger rix,
@{bin}/update-cracklib rPx,
/etc/cracklib/cracklib.conf r,


@ -12,16 +12,16 @@ profile cron-debsums @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/true rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,e}grep rix,
@{bin}/{,ba,da}sh rix,
@{bin}/true rix,
@{bin}/logger rix,
@{bin}/sed rix,
@{bin}/{,e}grep rix,
/{usr/,}bin/ionice rix,
@{bin}/ionice rix,
/{usr/,}bin/debsums rPx,
/{usr/,}bin/tee rCx -> tee,
@{bin}/debsums rPx,
@{bin}/tee rCx -> tee,
/etc/ r,
/etc/default/debsums r,
@ -38,7 +38,7 @@ profile cron-debsums @{exec_path} {
# Needed to write to /proc/self/fd/3
capability dac_override,
/{usr/,}bin/tee mr,
@{bin}/tee mr,
owner @{PROC}/@{pid}/fd/3 rw,


@ -11,7 +11,7 @@ profile cron-debtags @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/usr/bin/debtags rPx,
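Review bot: `/usr/bin/debtags rPx,` is left as a hard-coded path while the shell rule directly above it was converted to `@{bin}`, so this profile is now half-migrated. For consistency with the rest of the commit the line should read `@{bin}/debtags rPx,`; as written it is also the only rule in the file that would not match a non-usrmerged `/bin` layout, though debtags presumably ships in /usr/bin so that is unlikely to bite. Since it is a `Px` transition, the debtags profile's own attachment path has to match whichever spelling is used here. The profile's footer is outside the hunk.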


@ -11,9 +11,9 @@ profile cron-dlocate @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/update-dlocatedb rPx,
@{bin}/update-dlocatedb rPx,
include if exists <local/cron-dlocate>
}


@ -13,10 +13,10 @@ profile cron-etckeeper @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/find rix,
/{usr/,}bin/etckeeper rPx,
@{bin}/{,ba,da}sh rix,
@{bin}/rm rix,
@{bin}/find rix,
@{bin}/etckeeper rPx,
/etc/etckeeper/daily rix,
/etc/etckeeper/etckeeper.conf r,


@ -24,22 +24,22 @@ profile cron-exim4-base @{exec_path} {
network netlink raw,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/logger rix,
/{usr/,}bin/mail rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/find rix,
/{usr/,}sbin/eximstats rix,
@{bin}/sed rix,
@{bin}/{,e}grep rix,
@{bin}/logger rix,
@{bin}/mail rix,
@{bin}/hostname rix,
@{bin}/xargs rix,
@{bin}/find rix,
@{bin}/eximstats rix,
/{usr/,}sbin/exim4 rPx,
/{usr/,}sbin/exim_tidydb rix,
@{bin}/exim4 rPx,
@{bin}/exim_tidydb rix,
/{usr/,}sbin/start-stop-daemon rix,
/{usr/,}sbin/runuser rix,
@{bin}/start-stop-daemon rix,
@{bin}/runuser rix,
/etc/default/exim4 r,
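Review bot: `@{bin}/runuser rix,` and `@{bin}/start-stop-daemon rix,` keep the privilege-switching helpers inside the cron-exim4-base profile, so whatever they exec afterwards (most likely `eximstats` and `exim_tidydb` as the exim user) stays under this profile and the profile itself has to carry the setuid/setgid capabilities and PAM/auth reads that runuser needs; those capability lines, if present, are above the hunk and not visible here. The cron-popularity-contest profile in this same commit handles the identical case with a dedicated child, `@{bin}/runuser rCx -> runuser,`, whose subprofile pulls in `abstractions/authentication` and transitions onward with `rPx`, which keeps the authentication access out of the main profile. The same shape would fit here, with the child transitioning to `@{bin}/exim_tidydb` and `@{bin}/eximstats`. The profile body starts before the hunk.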


@ -12,9 +12,9 @@ profile cron-ipset-autoban-save @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/ipset rix,
@{bin}/ipset rix,
/etc/peerblock/autoban rw,


@ -11,11 +11,11 @@ profile cron-logrotate @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/logrotate rPx,
@{bin}/logrotate rPx,
/{usr/,}bin/logger rix,
@{bin}/logger rix,
# For shell pwd
/ r,


@ -16,14 +16,14 @@ profile cron-man-db @{exec_path} {
capability setuid,
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}sbin/start-stop-daemon rix,
/{usr/,}bin/xargs rix,
/{usr/,}bin/find rix,
@{bin}/{,e}grep rix,
@{bin}/start-stop-daemon rix,
@{bin}/xargs rix,
@{bin}/find rix,
/{usr/,}bin/mandb rPx,
@{bin}/mandb rPx,
owner @{PROC}/@{pid}/fd/ r,


@ -12,17 +12,17 @@ profile cron-mlocate @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/true rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/nocache rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/nice rix,
@{bin}/which{,.debianutils} rix,
@{bin}/true rix,
@{bin}/flock rix,
@{bin}/nocache rix,
@{bin}/ionice rix,
@{bin}/nice rix,
/{usr/,}bin/updatedb.mlocate rPx,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/updatedb.mlocate rPx,
@{bin}/on_ac_power rPx,
@{run}/mlocate.daily.lock rwk,


@ -12,17 +12,17 @@ profile cron-plocate @{exec_path} {
include <abstractions/consoles>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/true rix,
/{usr/,}bin/flock rix,
/{usr/,}bin/nocache rix,
/{usr/,}bin/ionice rix,
/{usr/,}bin/nice rix,
@{bin}/which{,.debianutils} rix,
@{bin}/true rix,
@{bin}/flock rix,
@{bin}/nocache rix,
@{bin}/ionice rix,
@{bin}/nice rix,
/{usr/,}sbin/updatedb.plocate rPx,
/{usr/,}sbin/on_ac_power rPx,
@{bin}/updatedb.plocate rPx,
@{bin}/on_ac_power rPx,
@{run}/plocate.daily.lock rwk,


@ -11,28 +11,28 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/base>
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,
@{bin}/popularity-contest rPx,
/{usr/,}bin/logger rix,
/{usr/,}bin/date rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/setsid rix,
@{bin}/logger rix,
@{bin}/date rix,
@{bin}/mktemp rix,
@{bin}/mkdir rix,
@{bin}/rm rix,
@{bin}/mv rix,
@{bin}/cat rix,
@{bin}/setsid rix,
# To send reports via TOR
/{usr/,}bin/torify rix,
/{usr/,}bin/torsocks rix,
/{usr/,}sbin/getcap rix,
@{bin}/torify rix,
@{bin}/torsocks rix,
@{bin}/getcap rix,
/usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}sbin/runuser rCx -> runuser,
/{usr/,}bin/savelog rCx -> savelog,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/runuser rCx -> runuser,
@{bin}/savelog rCx -> savelog,
/usr/share/popularity-contest/ r,
/usr/share/popularity-contest/default.conf r,
@ -62,18 +62,18 @@ profile cron-popularity-contest @{exec_path} {
profile savelog {
include <abstractions/base>
/{usr/,}bin/savelog mr,
@{bin}/savelog mr,
/{usr/,}bin/date rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/which{,.debianutils} rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/gzip rix,
@{bin}/date rix,
@{bin}/basename rix,
@{bin}/which{,.debianutils} rix,
@{bin}/dirname rix,
@{bin}/rm rix,
@{bin}/mv rix,
@{bin}/touch rix,
@{bin}/gzip rix,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/var/log/ r,
/var/log/popularity-contest.[0-9]*.gz rw,
@ -91,11 +91,11 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/nameservice-strict>
include <abstractions/authentication>
/{usr/,}sbin/runuser mr,
@{bin}/runuser mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
/{usr/,}sbin/popularity-contest rPx,
@{bin}/popularity-contest rPx,
owner @{PROC}/@{pids}/loginuid r,
@{PROC}/1/limits r,
@ -113,7 +113,7 @@ profile cron-popularity-contest @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/gpg{,2} mr,
@{bin}/gpg{,2} mr,
/usr/share/popularity-contest/debian-popcon.gpg r,
@ -141,9 +141,9 @@ profile cron-popularity-contest @{exec_path} {
network netlink raw,
/usr/share/popularity-contest/popcon-upload r,
/{usr/,}bin/perl r,
@{bin}/perl r,
/{usr/,}bin/gzip rix,
@{bin}/gzip rix,
/var/log/ r,
/var/log/popularity-contest.new.gpg r,


@ -13,8 +13,8 @@ profile cron-sysstat @{exec_path} {
@{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}lib/sysstat/sa2 rPx,
@{bin}/{,ba,da}sh rix,
@{lib}/sysstat/sa2 rPx,
/etc/default/sysstat r,


@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/crontab
@{exec_path} = @{bin}/crontab
profile crontab @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -17,11 +17,11 @@ profile crontab @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/{,ba,da}sh rix,
@{bin}/{,ba,da}sh rix,
# When editing the crontab file
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
@{bin}/sensible-editor rCx -> editor,
@{bin}/vim.* rCx -> editor,
/etc/cron.{allow,deny} r,
@ -38,10 +38,10 @@ profile crontab @{exec_path} {
capability fsetid,
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/sensible-editor mr,
@{bin}/vim.* mrix,
@{bin}/{,ba,da}sh rix,
@{bin}/which{,.debianutils} rix,
owner @{HOME}/.selected_editor r,