From 354dec1fedfe346c6c1f642838259b24ff326aa9 Mon Sep 17 00:00:00 2001 From: Besanon Date: Fri, 7 Jun 2024 17:55:12 +0200 Subject: [PATCH] Delete apparmor.d/groups/runit directory --- apparmor.d/groups/runit/chpst | 21 ---- apparmor.d/groups/runit/runsv | 178 ----------------------------- apparmor.d/groups/runit/runsvchdir | 28 ----- apparmor.d/groups/runit/runsvdir | 64 ----------- apparmor.d/groups/runit/sv | 152 ------------------------ 5 files changed, 443 deletions(-) delete mode 100644 apparmor.d/groups/runit/chpst delete mode 100644 apparmor.d/groups/runit/runsv delete mode 100644 apparmor.d/groups/runit/runsvchdir delete mode 100644 apparmor.d/groups/runit/runsvdir delete mode 100644 apparmor.d/groups/runit/sv
diff --git a/apparmor.d/groups/runit/chpst b/apparmor.d/groups/runit/chpst
deleted file mode 100644
index dbbc4fd67..000000000
--- a/apparmor.d/groups/runit/chpst
+++ /dev/null
@@ -1,21 +0,0 @@
-
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Besanon
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = /sbin/chpst @{bin}/chpst
-profile chpst @{exec_path} {
- include
- include
-
- @{exec_path} mr,
-
- @{bin}/agetty rPx,
- @{bin}/pause rix,
-
- include if exists
-}
diff --git a/apparmor.d/groups/runit/runsv b/apparmor.d/groups/runit/runsv
deleted file mode 100644
index 7395e4c0f..000000000
--- a/apparmor.d/groups/runit/runsv
+++ /dev/null
@@ -1,178 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol
-# Copyright (C) 2024 Besanon
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/runsv
-profile runsv @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- include
- include
-
- capability fsetid,
- capability fowner,
- capability mknod,
- capability chown,
- capability setgid,
- capability setpcap,
- capability setuid,
- capability fowner,
- capability kill,
-
- signal (send) peer=runsvdir,
- signal (send) peer=runit,
- signal (send) peer=NetworkManager,
- signal (send) peer=agetty,
- signal (send) set=(cont, term) peer=login,
- signal (send) set=(cont, term) peer=dhcpcd,
- signal (send) set=(cont, term) peer=sddm,
- signal (send) peer=pause,
- signal (send) peer=cupsd,
- signal (send) peer=auditd,
- signal (send) peer=chronyd,
- signal (send) peer=dbus-daemon,
- signal (send) peer=udevd,
- signal (send) peer=rsyslogd,
- signal (send) set=(kill, term) peer=startlxqt,
- signal (send) set=(kill, term) peer=xorg,
- signal (send) set=(term, cont) peer=@{p_systemd},
- signal (receive) peer=runit,
- signal (receive) peer=sddm,
- signal (send) set=(cont, term) peer=elogind,
- signal (receive) set=(cont, term) peer=elogind,
- signal (receive) set=(hup) peer=@{p_systemd},
-
- ptrace (read) peer=elogind,
- ptrace (read) peer=@{p_systemd},
- ptrace (trace) peer=@{profile_name},
-
- @{exec_path} mr,
-
- @{bin}/sv rPx,
- @{bin}/vlogger rPx,
- @{bin}/udevadm rCx -> udevadm,
- @{bin}/tlp rPx,
- @{bin}/readlink rix,
- @{bin}/ethtool rix,
- @{bin}/agetty rPx,
- @{bin}/id rPx,
- @{bin}/rsyslogd rPx,
- @{bin}/iw rPx,
- @{bin}/cupsd rPx,
- @{bin}/dhcpcd rPx,
- @{bin}/udevd rPx,
- @{bin}/dbus-daemon rPx,
- @{bin}/auditd rPx,
- @{bin}/chronyd rPx,
- @{bin}/NetworkManager rPx,
- @{bin}/mount rPx,
- @{bin}/sddm rPx,
- @{bin}/pause rix,
- @{bin}/install rix,
- @{bin}/chpst rPx,
- @{bin}/mkdir rix,
- @{bin}/mktemp rix,
- @{bin}/dbus-send rix,
- @{bin}/utmpset rix,
- @{lib}exec/elogind/elogind rPx,
- @{lib}exec/elogind/elogind.wrapper rPx,
- @{bin}/bash rPx,
- @{bin}/tr rPx,
- @{bin}/rm rix,
- @{bin}/touch rix,
- @{bin}/flock rix,
- @{bin}/cat rix,
- @{bin}/grep rPx,
- @{bin}/mountpoint rix,
- @{bin}/systemctl rCx -> systemctl,
-
- /etc/sv/**/run rix,
- /etc/sv/**/**/run rix,
- /etc/sv/**/finish rix,
- /etc/sv/**/run rix,
- /etc/sv/dbus/check rix,
-
- mount fstype=tmpfs -> @{run}/systemd/,
- mount fstype=tmpfs -> @{run}/user/,
- mount fstype=cgroup -> @{sys}/fs/cgroup/elogind/,
- umount @{run}/systemd/ ,
- umount @{run}/user/ ,
- umount @{sys}/fs/cgroup/elogind/ ,
-
- /etc/sv/ r,
- /etc/sv/** rw,
- /etc/runit/ r,
- /etc/runit/** rw,
-
- @{run}/ rw,
- @{run}/*/ rw,
- @{run}/*/* rw,
- @{run}/auditd.pid r,
- @{run}/credentials/{,**} rw,
- @{run}/initctl rw,
- @{run}/systemd/{,**} rw,
-
- @{run}/udev/data/+module:configfs r,
- @{run}/udev/data/+module:fuse r,
- @{run}/udev/data/c4:@{int} r, # For TTY devices
- @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
- @{run}/udev/data/c116:@{int} r, # For ALSA
- @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r,
- @{run}/runit/** rw,
- owner @{run}/user/@{uid}/ r,
- owner @{run}/user/@{uid}/#@{int} rw,
- owner @{run}/runit/supervise.*/** rwk,
- owner @{run}/runit/supervise.*/**/** rwk,
- owner @{run}/dhcpcd/ rw,
- owner @{run}/elogind.pid rwk,
- owner @{run}/utmp rwk,
-
- @{sys}/fs/cgroup/{,**} rw,
-
- @{PROC}/@{pid}/cgroup r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/mountinfo r,
- @{PROC}/@{pid}/uid_map rw,
- @{PROC}/sys/fs/binfmt_misc/ r,
-
- owner /var/log/audit/** rw,
- owner /var/log/audit/**/** rw,
- owner /var/log/wtmp rwk,
-
- owner /dev/tty@{int} rw,
-
- profile systemctl {
- include
- include
-
- }
-
- profile udevadm {
- include
-
- capability sys_ptrace,
-
- ptrace (read),
-
- @{bin}/udevadm mr,
-
- /etc/udev/udev.conf r,
-
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/cgroup r,
- @{PROC}/1/cgroup r,
- @{PROC}/sys/kernel/random/boot_id r,
-
- }
-
-include if exists
-}
-
diff --git a/apparmor.d/groups/runit/runsvchdir b/apparmor.d/groups/runit/runsvchdir
deleted file mode 100644
index 62b663afe..000000000
--- a/apparmor.d/groups/runit/runsvchdir
+++ /dev/null
@@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Besanon
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/runsvchdir
-profile runsvchdir @{exec_path} {
- include
- include
-
- @{exec_path} mr,
-
- owner @{run}/runit/runsvdir/ rw,
- owner @{run}/runit/runsvdir/** rw,
- owner @{run}/runit/runsvdir/current/ rw,
-
- owner /etc/runit/runsvdir/ rw,
- owner /etc/runit/runsvdir/** rw,
- owner /etc/runit/runsvdir/current/ rw,
-
- owner /dev/tty@{int} rw,
-
- include if exists
-}
-
diff --git a/apparmor.d/groups/runit/runsvdir b/apparmor.d/groups/runit/runsvdir
deleted file mode 100644
index 36e1c94d3..000000000
--- a/apparmor.d/groups/runit/runsvdir
+++ /dev/null
@@ -1,64 +0,0 @@
-
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Alexandre Pujol
-# Copyright (C) 2024 Besanon
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/runsvdir
-profile runsvdir @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- include
- include
-
- capability setgid,
- capability setuid,
- capability kill,
-
- signal (send) set=(term, cont, kill),
- signal (send) set=(term) peer=/etc/runit/2,
- signal (receive) peer=runit,
- signal (receive) peer=runsv,
- signal (receive) peer=sddm,
-
- ptrace (read) peer=elogind,
-
- @{exec_path} mr,
-
- @{bin}/dbus-send rix,
- @{bin}/runsv rPx,
- @{bin}/bash rix,
- @{bin}/utmpset rix,
- @{bin}/mountpoint rix,
- /etc/sv/**/run rix,
- /etc/sv/**/**/run rix,
- /etc/sv/**/finish rix,
- /etc/sv/**/run rix,
- /etc/sv/dbus/check rix,
-
- owner / r,
-
- /etc/elogind/logind.conf rw,
- /etc/machine-id r,
- /etc/sv/ r,
- /etc/sv/** rw,
- /etc/runit/ r,
- /etc/runit/** rw,
-
- owner /dev/tty@{int} rw,
- owner /dev/console rwk,
- owner /dev/input/event@{int} rw,
-
- owner /var/log/audit/** rw,
- /var/lib/dbus/machine-id r,
-
- owner /tmp/#@{int}* rw,
- owner /tmp/*/{,s} rw,
-
- include if exists
-}
diff --git a/apparmor.d/groups/runit/sv b/apparmor.d/groups/runit/sv
deleted file mode 100644
index fd8e3c7f3..000000000
--- a/apparmor.d/groups/runit/sv
+++ /dev/null
@@ -1,152 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022 Alexandre Pujol
-# Copyright (C) 2024 Besanon
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/sv
-profile sv @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- include
- include
-
- capability fsetid,
- capability fowner,
- capability mknod,
- capability fowner,
- capability kill,
-
- signal (send) peer=runsvdir,
- signal (send) peer=runit,
- signal (receive) peer=runit,
-
- signal (receive) set=(hup) peer=@{p_systemd},
- signal (receive) peer=sddm,
-
- ptrace (read) peer=elogind,
- ptrace (read) peer=@{p_systemd},
-
- @{exec_path} mr,
-
- @{bin}/mkdir rix,
- @{bin}/dbus-send rix,
- @{bin}/bash rix,
- @{bin}/mountpoint rix,
- /etc/sv/**/run rix,
- /etc/sv/**/**/run rix,
- /etc/sv/**/finish rix,
- /etc/sv/**/run rix,
- /etc/sv/dbus/check rix,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
- /etc/sv/ r,
- /etc/sv/** rw,
- /etc/runit/ r,
- /etc/runit/** rw,
-
- owner / r,
-
- owner /etc/pam.d/** r,
-
- owner @{lib}/security/** r,
- owner @{lib}/gconv/gconv-modules.d/** r,
-
- @{run}/ rw,
- @{run}/*/ rw,
- @{run}/*/* rw,
- @{run}/auditd.pid r,
- @{run}/credentials/{,**} rw,
- @{run}/initctl rw,
- @{run}/systemd/{,**} rw,
-
- @{run}/udev/data/+bluetooth:* r,
- @{run}/udev/data/+backlight:* r,
- @{run}/udev/data/+leds:*backlight* r,
-
- @{run}/udev/data/+module:configfs r,
- @{run}/udev/data/+module:fuse r,
- @{run}/udev/data/c4:@{int} r, # For TTY devices
- @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
- @{run}/udev/data/c116:@{int} r, # For ALSA
- @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r,
- @{run}/udev/tags/systemd/ r,
- @{run}/runit/** rw,
- owner @{run}/runit/supervise.*/** rwk,
- owner @{run}/runit/supervise.*/**/** rwk,
- owner @{run}/dhcpcd/ rw,
- owner @{run}/elogind.pid rwk,
- owner @{run}/utmp rwk,
-
- @{sys}/bus/ r,
- @{sys}/class/ r,
- @{sys}/class/power_supply/ r,
- @{sys}/class/sound/ r,
- @{sys}/devices/@{pci}/** r,
- @{sys}/devices/**/net/** r,
- @{sys}/devices/**/uevent r,
- @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
- @{sys}/devices/virtual/dmi/id/product_name r,
- @{sys}/devices/virtual/dmi/id/product_version r,
- @{sys}/devices/virtual/tty/console/active r,
- @{sys}/fs/cgroup/{,**} rw,
- @{sys}/fs/fuse/connections/ r,
- @{sys}/fs/pstore/ r,
- #@{sys}/kernel/**/ r,
- @{sys}/kernel/** r,
- @{sys}/module/**/uevent r,
- @{sys}/module/apparmor/parameters/enabled r,
-
- @{PROC}/@{pid}/cgroup r,
- @{PROC}/@{pid}/cmdline r,
- @{PROC}/@{pid}/comm r,
- @{PROC}/@{pid}/coredump_filter r,
- @{PROC}/@{pid}/environ r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/fdinfo/@{int} r,
- @{PROC}/@{pid}/gid_map rw,
- @{PROC}/@{pid}/loginuid rw,
- @{PROC}/@{pid}/mountinfo r,
- @{PROC}/@{pid}/setgroups rw,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/uid_map rw,
- @{PROC}/cmdline r,
- @{PROC}/devices r,
- @{PROC}/pressure/* r,
- @{PROC}/swaps r,
- @{PROC}/sys/fs/binfmt_misc/ r,
- @{PROC}/sys/fs/nr_open r,
- @{PROC}/sys/kernel/* r,
- @{PROC}/sysvipc/{shm,sem,msg} r,
- owner @{PROC}/@{pid}/limits r,
- owner @{PROC}/@{pid}/oom_score_adj rw,
-
- /dev/autofs r,
- /dev/kmsg w,
- owner /dev/console rwk,
- owner /dev/dri/card@{int} rw,
- owner /dev/hugepages/ rw,
- owner /dev/initctl rw,
- owner /dev/input/event@{int} rw,
- owner /dev/mqueue/ rw,
- owner /dev/rfkill rw,
- owner /dev/shm/ rw,
- owner /dev/pts/@{int} rw,
- owner /dev/ttyS@{int} rwk,
- owner /var/log/audit/** rw,
-
- owner @{user_config_dirs}/pulse/ rw,
-
- # file_inherit
- owner /dev/tty@{int} rw,
- owner @{HOME}/.xsession-errors w,
- owner @{HOME}/.anyRemote/anyremote.stdout w,
-
- include if exists
-}