From 3a568ba3074cc95ccdc0763a9bcd4c439a7d8677 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 1 May 2025 15:17:03 +0200 Subject: [PATCH] feat(profile): add more programs to the list of sbin program. --- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/btrfs-convert | 2 +- apparmor.d/groups/filesystem/btrfs-image | 2 +- apparmor.d/groups/filesystem/btrfstune | 2 +- apparmor.d/groups/filesystem/mount-nfs | 4 +- apparmor.d/groups/filesystem/nfsdcld | 2 +- .../freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/pacman/mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/steam/steam | 4 +- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/groups/utils/lspci | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 2 +- apparmor.d/profiles-a-f/chronyd | 2 +- apparmor.d/profiles-a-f/crda | 2 +- apparmor.d/profiles-a-f/fatresize | 2 +- apparmor.d/profiles-g-l/gpartedbin | 6 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 6 +- apparmor.d/profiles-g-l/hwinfo | 4 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-g-l/irqbalance | 2 +- apparmor.d/profiles-g-l/issue-generator | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-m-r/os-prober | 4 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/rngd | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/ss | 2 +- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 287 ++++++++++++++++++ 44 files 
changed, 338 insertions(+), 51 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index c6fc2dff2..b64317a57 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-notify +@{exec_path} = @{sbin}/aa-notify profile aa-notify @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 7c53f7c8d..68729b7fe 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -21,7 +21,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/netstat Px, - @{bin}/ss Px, + @{sbin}/ss Px, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 2778b2b39..3e60798e9 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -55,7 +55,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, @{sbin}/on_ac_power rPx, - @{bin}/sendmail rPUx, + @{sbin}/sendmail rPUx, @{lib}/apt/methods/http{,s} rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/update-notifier/update-motd-updates-available rPx, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index cfdaeed3f..052180a99 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -20,7 +20,7 @@ profile xdm-xsession @{exec_path} { @{bin}/basename rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/dirname rix, @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, diff --git a/apparmor.d/groups/filesystem/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert index 2dccbf1fd..22715c857 100644 
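Review bot: Moving the attachment path to `@{sbin}/aa-notify` means the profile attaches only where the binary resolves under an sbin directory. On a distribution that installs it under bin, the program would run without this profile and without any error, unless the `@{sbin}` tunable (not shown in this patch) also expands to bin there. The same holds for every other `@{exec_path}` hunk in the patch: btrfs-convert, btrfs-image, btrfstune, mount-nfs, nfsdcld, plymouth-set-default-theme, lspci, chronyd, crda, fatresize, hwinfo, install-info, irqbalance, issue-generator, rngd, setpci, ss, update-alternatives and wsdd. I would record the assumption above each changed line, e.g. `# sbin path: relies on the @{sbin} tunable also covering bin where the two are merged`. It is also worth confirming with `aa-status` on each supported distribution that these profiles still attach after the change.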
--- a/apparmor.d/groups/filesystem/btrfs-convert +++ b/apparmor.d/groups/filesystem/btrfs-convert @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-convert +@{exec_path} = @{sbin}/btrfs-convert profile btrfs-convert @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image index 6f18ac095..48be7c381 100644 --- a/apparmor.d/groups/filesystem/btrfs-image +++ b/apparmor.d/groups/filesystem/btrfs-image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-image +@{exec_path} = @{sbin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfstune b/apparmor.d/groups/filesystem/btrfstune index f8fa4a047..24a8ef46e 100644 --- a/apparmor.d/groups/filesystem/btrfstune +++ b/apparmor.d/groups/filesystem/btrfstune @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfstune +@{exec_path} = @{sbin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs index 26f3e2d57..f670b62d7 100644 --- a/apparmor.d/groups/filesystem/mount-nfs +++ b/apparmor.d/groups/filesystem/mount-nfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.nfs +@{exec_path} = @{sbin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{bin}/start-statd rix, + @{sbin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, diff --git a/apparmor.d/groups/filesystem/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld index be122a3cb..23ecc576e 100644 --- a/apparmor.d/groups/filesystem/nfsdcld +++ b/apparmor.d/groups/filesystem/nfsdcld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nfsdcld +@{exec_path} = @{sbin}/nfsdcld profile nfsdcld @{exec_path} { include 
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index bd5a34dcd..b9b2cfd45 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/plymouth-set-default-theme +@{exec_path} = @{sbin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 3f5cf6109..e8a0315bd 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -37,7 +37,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 06fdf1601..3274a5e6d 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -19,7 +19,7 @@ profile grub-install @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/kmod rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 0ca05d549..8034d7e54 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -21,7 +21,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cut rix, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 6c29d9680..25eccc93d 100644 
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -19,7 +19,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/wsdd rPx, + @{sbin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 4d883303f..b4111d6d0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -76,7 +76,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{shells_path} rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/disable-paste rix, @{bin}/locale rix, @{bin}/manpath rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6..0d7156502 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -29,7 +29,7 @@ profile systemsettings @{exec_path} { @{bin}/cat rix, @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/openssl rix, @{bin}/pactl rPx, @{bin}/plasma-discover rPx, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index fdd9618fc..785f4f448 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -47,7 +47,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/{modinfo,rmmod} rPx, @{sbin}/modprobe rPx, @{bin}/plymouth rPx, - @{bin}/plymouth-set-default-theme rPx, + @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, @{bin}/sync rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 2d80b673a..8d7345fda 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman 
@@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, - @{bin}/install-info rPx, + @{sbin}/install-info rPx, @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 73c78f2ed..11e863972 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{bin}/lspci rCx -> lspci, + @{sbin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{bin}/lspci mr, + @{sbin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 1a9d51b35..3861056b8 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -45,7 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/ddcutil rPx, @{sbin}/dmsetup rPx, @{sbin}/ethtool rix, - @{bin}/issue-generator rPx, + @{sbin}/issue-generator rPx, @{sbin}/kdump-config rPUx, @{bin}/kmod rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index b390346bb..7fc88e41a 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/lspci +@{exec_path} = @{sbin}/lspci profile lspci @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf..c4741b09a 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate 
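Review bot: The `@{sbin}/lspci mr,` rule in the second steam hunk (`@@ -408`) repeats the path of the `@{sbin}/lspci rCx -> lspci,` transition in the first, and nothing in the file records that the two must change together. If they ever diverge, the transition target would presumably be unable to read and map its own binary. I would add `# path must match the "rCx -> lspci" rule in the parent profile` above the `mr` rule. The block containing that rule starts and ends outside the hunk, so I am assuming it is the `lspci` child profile.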
@@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 8d94da3db..aa0a365fd 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -27,7 +27,7 @@ profile atd @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/sendmail rPUx, + @{sbin}/sendmail rPUx, @{bin}/exim4 rPx, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 155d82f07..e4a986c8a 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/chronyd +@{exec_path} = @{sbin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 50d34bad4..d3b6cba6f 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crda +@{exec_path} = @{sbin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 8db6bde6f..6f4c86647 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatresize +@{exec_path} = @{sbin}/fatresize profile fatresize @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 29bac6a2f..235d0cadc 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin 
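Review bot: In the atd hunk, `@{bin}/exim4 rPx,` directly below the changed line stays on `@{bin}` while the sendmail rule it pairs with moves to `@{sbin}`. To my knowledge exim4 is installed under sbin on Debian-family systems; if that holds for the supported targets, the rule should read `@{sbin}/exim4 rPx,` and `exim4` belongs in tests/sbin.list. The sbin.list hunks in this patch do not show that part of the list, so it may already be there. A mismatch here fails closed (the exec is denied and job mail is not delivered), so this is a functional regression to check, not a confinement gap.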
@@ -39,9 +39,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rCx -> udevadm, @{bin}/umount rCx -> umount, - @{bin}/btrfs rPx, - @{bin}/btrfstune rPx, - @{bin}/dmraid rPUx, + @{sbin}/btrfs rPx, + @{sbin}/btrfstune rPx, + @{sbin}/dmraid rPUx, @{sbin}/dmsetup rPUx, @{sbin}/dumpe2fs rPx, @{sbin}/e2fsck rPx, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 97fad1f13..459efa23e 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -53,7 +53,7 @@ profile hardinfo @{exec_path} { @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2a1244ef7..fc6b8775b 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -24,7 +24,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, @@ -53,7 +53,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, @{sbin}/hdparm rPx, - @{bin}/hwinfo rPx, + @{sbin}/hwinfo rPx, @{bin}/i2cdetect rPx, @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 21165acec..4919d2fb2 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hwinfo +@{exec_path} = @{sbin}/hwinfo profile hwinfo @{exec_path} { include include 
@@ -29,7 +29,7 @@ profile hwinfo @{exec_path} { @{bin}/udevadm rCx -> udevadm, @{sbin}/acpidump rPUx, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index f155339b1..e7fdfd95a 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/install-info +@{exec_path} = @{sbin}/install-info profile install-info @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a2..01d358fbf 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -51,7 +51,7 @@ profile inxi @{exec_path} { @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/openbox rPx, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index fec2d7c93..022dc92d5 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/irqbalance +@{exec_path} = @{sbin}/irqbalance profile irqbalance @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 8f2d53f76..7783c8005 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/issue-generator +@{exec_path} = @{sbin}/issue-generator profile issue-generator @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cf77b7ab8..b640d90fd 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix 
@@ -41,7 +41,7 @@ profile monitorix @{exec_path} { @{bin}/tail rix, @{bin}/{m,g,}awk rix, @{bin}/free rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{bin}/who rix, @{sbin}/lvm rix, @{sbin}/xtables-nft-multi rix, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index fc071d80f..162c0b743 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -27,10 +27,10 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,f,}grep rix, @{sbin}/blkid rPx, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, @{sbin}/grub-probe rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index c3df0072d..ca93ade6b 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -63,7 +63,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/install-info rPx, + @{sbin}/install-info rPx, @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 8ae73c5d0..ebbf0a5ab 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rngd +@{exec_path} = @{sbin}/rngd profile rngd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 019e89e23..b45dd3986 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/setpci +@{exec_path} = @{sbin}/setpci profile setpci @{exec_path} flags=(complain) { include include 
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index a942cac4f..2ce6b6b4d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ss +@{exec_path} = @{sbin}/ss profile ss @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index a9db94276..508ac6eff 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -66,7 +66,7 @@ profile tomb @{exec_path} { @{bin}/tr rix, @{bin}/zsh rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, @{bin}/e2fsc rPUx, @{sbin}/fsck rPx, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..68ddb97a5 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 20575b2a8..7aa812f79 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/wsdd +@{exec_path} = @{sbin}/wsdd profile wsdd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 91057a403..869729543 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -9,22 +9,29 @@ aa-genprof aa-load aa-logprof aa-mergeprof +aa-notify aa-remove-unknown aa-status aa-teardown aa-unconfined aa-update-browser accessdb +acpi_genl acpid +acpidump add-shell addgnupghome addgroup +addpart adduser agetty alsa alsa-info +alsa-info.sh +alsa-init alsabat-test alsactl +alternatives anacron apparmor_parser apparmor_status 
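Review bot: In the tomb hunk, the context line `@{bin}/e2fsc rPUx,` two lines below the change looks like a truncated `e2fsck`. As written it names no program that this patch or its list mentions, so tomb's exec of the filesystem checker would be denied unless a rule outside the hunk covers it. The gpartedbin hunk already uses `@{sbin}/e2fsck rPx,`, so the consistent form here would be `@{sbin}/e2fsck rPUx,`. The line predates this commit, but it sits in the block being swept for sbin programs and is easy to fix in the same pass.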
@@ -44,13 +51,17 @@ atd
 audisp-af_unix
 audisp-filter
 audisp-syslog
+audit
 auditctl
 auditd
 augenrules
 aureport
 ausearch
+autodep
+automount
 autrace
 avahi-daemon
+avahi-dnsconfd
 badblocks
 bashreadline-bpfcc
 bashreadline.bt
@@ -71,17 +82,26 @@ bitesize.bt
 blkdeactivate
 blkdiscard
 blkid
+blkmapd
 blkpr
 blkzone
 blockdev
+blogctl
+blogd
+blogger
 bluetoothd
 bpflist-bpfcc
 bpftool
 bridge
 brltty
 brltty-setup
+btrfs
+btrfs-convert
+btrfs-image
+btrfsck
 btrfsdist-bpfcc
 btrfsslower-bpfcc
+btrfstune
 cache_check
 cache_dump
 cache_metadata_size
@@ -97,16 +117,22 @@ cfdisk
 cgdisk
 chat
 chcpu
+check_mail_queue
 check-bios-nx
+checkproc
 chgpasswd
+chkstat-polkit
 chmem
 chpasswd
+chronyd
 chroot
 cifs.idmap
 cifs.upcall
 cobjnew-bpfcc
 coldreboot
 compactsnoop-bpfcc
+complain
+config.postfix
 cpgr
 cppw
 cpudist-bpfcc
@@ -116,6 +142,8 @@ cracklib-check
 cracklib-format
 cracklib-packer
 cracklib-unpacker
+cracklib-update
+crda
 create-cracklib-dict
 criticalstat-bpfcc
 cron
@@ -123,7 +151,10 @@ cryptdisks_start
 cryptdisks_stop
 cryptsetup
 ctrlaltdel
+ctstat
 cups-browsed
+cups-genppd.5.3
+cups-genppdupdate
 cupsaccept
 cupsctl
 cupsd
@@ -137,20 +168,27 @@ dcb
 dcsnoop-bpfcc
 dcsnoop.bt
 dcstat-bpfcc
+ddns-confgen
 deadlock-bpfcc
 debugfs
 debugfs.reiserfs
 debugreiserfs
+decode
 defrag.f2fs
 delgroup
+delpart
 deluser
 depmod
 devlink
 dhcpcd
 dirtop-bpfcc
+disable
 dkms
+dmevent_tool
 dmeventd
+dmfilemapd
 dmidecode
+dmraid
 dmsetup
 dmstats
 dnsmasq
@@ -172,6 +210,7 @@ e2scrub_all
 e2undo
 e4crypt
 e4defrag
+eapol_test
 ebtables
 ebtables-nft
 ebtables-nft-restore
@@ -179,11 +218,17 @@ ebtables-nft-save
 ebtables-restore
 ebtables-save
 ebtables-translate
+ec_access
+efibootdump
+efibootmgr
+enforce
 era_check
 era_dump
 era_invalidate
 era_restore
 ethtool
+eventlogadm
+exec
 execsnoop-bpfcc
 execsnoop.bt
 exfat2img
@@ -196,7 +241,11 @@ f2fscrypt
 f2fslabel
 f2fsslower-bpfcc
 faillock
+fancontrol
 fatlabel
+fatresize
+fbtest
+fdformat
 fdisk
 fibmap.f2fs
 filefrag
@@ -207,6 +256,8 @@ filetop-bpfcc
 findfs
 firewalld
 fixparts
+flushb
+fonts-config
 fsadm
 fsck
 fsck.btrfs
@@ -229,17 +280,23 @@ funccount-bpfcc
 funcinterval-bpfcc
 funclatency-bpfcc
 funcslower-bpfcc
+g13-syshelp
 gdisk
+gdm
 gdm3
 genl
+genprof
 getcap
 gethostlatency-bpfcc
 gethostlatency.bt
 getpcaps
+getsysinfo
 getty
 getweb
 gnome-menus-blacklist
+gpart
 gparted
+gpm
 groupadd
 groupdel
 groupmems
@@ -255,16 +312,36 @@ grub-mkdevicemap
 grub-probe
 grub-reboot
 grub-set-default
+grub2-bios-setup
+grub2-check-default
+grub2-install
+grub2-macbless
+grub2-mkconfig
+grub2-ofpathname
+grub2-once
+grub2-probe
+grub2-reboot
+grub2-set-default
+grub2-sparc64-setup
+grub2-switch-to-blscfg
 halt
 hardirqs-bpfcc
 hc-ifscan
 hdparm
 hwclock
+hwinfo
 iconvconfig
 ifconfig
+ifrename
+ifstat
+import-openSUSE-build-key
 init
 inject-bpfcc
+inputattach
 insmod
+install_acx100_firmware
+install_intersil_firmware
+install-info
 install-sgmlcatalog
 installkernel
 integritysetup
@@ -273,6 +350,7 @@ ip
 ip6tables
 ip6tables-apply
 ip6tables-legacy
+ip6tables-legacy-batch
 ip6tables-legacy-restore
 ip6tables-legacy-save
 ip6tables-nft
@@ -292,6 +370,7 @@ ipset-translate
 iptables
 iptables-apply
 iptables-legacy
+iptables-legacy-batch
 iptables-legacy-restore
 iptables-legacy-save
 iptables-nft
@@ -302,6 +381,8 @@ iptables-restore-translate
 iptables-save
 iptables-translate
 iptunnel
+irqbalance
+irqbalance-ui
 isadump
 isaset
 iscsi_discovery
@@ -311,6 +392,8 @@ iscsid
 iscsistart
 isosize
 ispell-autobuildhash
+isserial
+issue-generator
 iucode_tool
 iucode-tool
 iw
@@ -327,15 +410,19 @@ javaobjnew-bpfcc
 javastat-bpfcc
 javathreads-bpfcc
 kbdrate
+kbdsettings
 kdump-config
 kerneloops
 kexec
+kexec-bootloader
 kexec-load-kernel
 key.dns_resolver
 killall5
+killproc
 killsnoop-bpfcc
 killsnoop.bt
 klockstat-bpfcc
+klogd
 kpartx
 kvm-ok
 kvmexit-bpfcc
@@ -347,9 +434,12 @@ libgvc6-config-update
 libvirt-dbus
 libvirtd
 llcstat-bpfcc
+lnstat
 loads.bt
 locale-gen
+logprof
 logrotate
+logrotate-all
 logsave
 losetup
 lpadmin
@@ -357,6 +447,7 @@ lpc
 lpinfo
 lpmove
 lsmod
+lspci
 lspcmcia
 luksformat
 lvchange
@@ -365,7 +456,9 @@ lvcreate
 lvdisplay
 lvextend
 lvm
+lvm_import_vdo
 lvmconfig
+lvmdevices
 lvmdiskscan
 lvmdump
 lvmpolld
@@ -377,16 +470,21 @@ lvrename
 lvresize
 lvs
 lvscan
+lwepgen
 lxc
 lxd
 make-bcache
 make-ssl-cert
+mariadbd
+mcelog
 mdadm
 mdflush-bpfcc
 mdflush.bt
 mdmon
 memleak-bpfcc
 mii-tool
+mk_isdnhwdb
+mkdict
 mkdosfs
 mke2fs
 mkfs
@@ -406,10 +504,13 @@ mkfs.reiserfs
 mkfs.vfat
 mkfs.xfs
 mkhomedir_helper
+mkill
 mkinitramfs
 mklost+found
 mkntfs
+mkpostfixcert
 mkreiserfs
+mksubvolume
 mkswap
 ModemManager
 modinfo
@@ -419,14 +520,18 @@ mount.ddi
 mount.fuse
 mount.fuse3
 mount.lowntfs-3g
+mount.nfs
+mount.nfs4
 mount.ntfs
 mount.ntfs-3g
 mount.smb3
 mountsnoop-bpfcc
+mountstats
 mpathpersist
 multipath
 multipathc
 multipathd
+mysqld
 mysqld_qslower-bpfcc
 nameif
 naptime.bt
@@ -436,12 +541,21 @@ netqtop-bpfcc
 NetworkManager
 newusers
 nfnl_osf
+nfsconf
+nfsdcld
 nfsdist-bpfcc
+nfsidmap
+nfsiostat
 nfsslower-bpfcc
+nfsstat
 nft
+nmbd
 nodegc-bpfcc
 nodestat-bpfcc
 nologin
+notify
+nss-mdns-config
+nstat
 ntfsclone
 ntfscp
 ntfslabel
@@ -452,22 +566,28 @@ offwaketime-bpfcc
 on_ac_power
 oomkill-bpfcc
 oomkill.bt
+openconnect
 opensnoop-bpfcc
 opensnoop.bt
 openvpn
 overlayroot-chroot
 ownership
+packer
 pam_extrausers_chkpwd
 pam_extrausers_update
 pam_getenv
 pam_namespace_helper
 pam_timestamp_check
 pam-auth-update
+pam-config
 paperconfig
 parse.f2fs
 parted
 partprobe
+partx
+pbl
 pccardctl
+pcilmr
 pcscd
 pdata_tools
 perlcalls-bpfcc
@@ -476,11 +596,26 @@ perlstat-bpfcc
 phpcalls-bpfcc
 phpflow-bpfcc
 phpstat-bpfcc
+pidofproc
 pidpersec-bpfcc
 pidpersec.bt
 pivot_root
 plipconfig
+pluginviewer
+plymouth-set-default-theme
 plymouthd
+postalias
+postcat
+postconf
+postdrop
+postfix
+postkick
+postlock
+postlog
+postmap
+postmulti
+postqueue
+postsuper
 poweroff
 ppchcalls-bpfcc
 pppd
@@ -502,18 +637,96 @@ pvscan
 pwck
 pwconv
 pwhistory_helper
+pwmconfig
 pwunconv
 pythoncalls-bpfcc
 pythonflow-bpfcc
 pythongc-bpfcc
 pythonstat-bpfcc
 qemu-ga
+qmqp-source
 rarp
+rcapparmor
+rcauditd
+rcautofs
+rcavahi-daemon
+rcavahi-dnsconfd
+rcblk-availability
+rcbolt
+rcbtrfsmaintenance-refresh
+rcca-certificates
+rcchrony-wait
+rcchronyd
+rccolord
+rccron
+rccups
+rccups-browsed
+rccups-lpd
+rcdbus
+rcdisplay-manager
+rcdm-event
+rcdnsmasq
+rcfancontrol
+rcfirewalld
+rcflatpak-system-helper
+rcfstrim
+rcfwupd
+rcfwupd-offline-update
+rcfwupd-refresh
+rcgpm
+rcirqbalance
+rcissue-add-ssh-keys
+rcissue-generator
+rckexec-load
+rclm_sensors
+rclogrotate
+rclvm2-lvmpolld
+rclvm2-monitor
+rcmariadb
+rcmcelog
+rcmdmonitor
+rcModemManager
+rcmultipathd
+rcmysql
+rcnetwork
+rcnfs-client
+rcnmb
+rcopenvpn
+rcostree-prepare-root
+rcostree-remount
+rcpackagekit
+rcpackagekit-offline-update
+rcpcscd
+rcpkcs11_eventmgr
+rcpostfix
+rcrng-tools
+rcrpcbind
+rcrsyncd
+rcrtkit-daemon
+rcsddm
+rcsmartd
+rcsmb
+rcsnmpd
+rcsnmptrapd
+rcspeech-dispatcherd
+rcspice-vdagentd
+rcsshd
+rctuned
+rcudisks2
+rcupower
+rcusbmuxd
+rcwpa_supplicant
+rcwsdd
+rcxdm
+rcxvnc
+rdma
 rdmaucma-bpfcc
 rdmsr
 readahead-bpfcc
 readprofile
 reboot
+refresh_initrd
+regdbdump
 reiserfsck
 reiserfstune
 remove-default-ispell
@@ -524,17 +737,33 @@ reset-trace-bpfcc
 resize_reiserfs
 resize.f2fs
 resize2fs
+resizepart
 resolvconf
 rfkill
 rmmod
 rmt
 rmt-tar
+rndc
+rndc-confgen
+rngd
 route
+routel
+rpc.gssd
+rpc.idmapd
+rpc.statd
+rpc.svcgssd
+rpcbind
+rpcctl
+rpcdebug
+rpcinfo
+rpmconfigcheck
+rsyncd
 rsyslogd
 rtacct
 rtcwake
 rtkitctl
 rtmon
+rtstat
 rubycalls-bpfcc
 rubyflow-bpfcc
 rubygc-bpfcc
@@ -547,38 +776,67 @@ runqlen-bpfcc
 runqlen.bt
 runqslower-bpfcc
 runuser
+rvmtab
 saned
+sasldblistusers2
+saslpasswd2
+save_y2logs
+schema2ldif
 select-default-ispell
 select-default-wordlist
+sendmail
 sensors-detect
 service
+set_polkit_default_privs
 setcap
+setconsole
+setpci
 setuids.bt
+setup-nsssysinit.sh
 setvesablank
 setvtrgb
 sfdisk
 sgdisk
 shadowconfig
+shim-install
 shmsnoop-bpfcc
+showconsole
+showmount
 shutdown
+skdump
+sktest
 slabratetop-bpfcc
 slattach
 sload.f2fs
+sm-notify
+smart_agetty
 smartctl
 smartd
+smbd
+smtp-sink
+smtp-source
+snapperd
+snmpd
+snmptrapd
 sofdsnoop-bpfcc
 softirqs-bpfcc
 solisten-bpfcc
 spice-vdagentd
+ss
 sshd
+sshd-gen-keys-start
 ssllatency.bt
 sslsniff-bpfcc
 sslsnoop.bt
 sssd
 stackcount-bpfcc
+start_daemon
+start-statd
 start-stop-daemon
+startproc
 statsnoop-bpfcc
 statsnoop.bt
+status
 sudo_logsrvd
 sudo_sendlog
 sulogin
@@ -590,9 +848,11 @@ switch_root
 sync-available
 syncsnoop-bpfcc
 syncsnoop.bt
+sysconf_addword
 syscount-bpfcc
 syscount.bt
 sysctl
+sysusers2shadow
 tarcat
 tc
 tclcalls-bpfcc
@@ -638,20 +898,30 @@ tlp
 tplist-bpfcc
 trace-bpfcc
 traceroute
+tsig-keygen
 ttysnoop-bpfcc
 tune.exfat
 tune2fs
+tuned
+tuned-adm
 tunefs.reiserfs
+tunelp
 u-d-c-print-pci-ids
 ucalls
 uflow
 ufw
 ugc
+umount.nfs
+umount.nfs4
 umount.udisks2
+unconfined
 undump.bt
 unix_chkpwd
 unix_update
+unix2_chkpwd
 uobjnew
+update-alternatives
+update-bootloader
 update-ca-certificates
 update-catalog
 update-cracklib
@@ -693,6 +963,7 @@ ustat
 uthreads
 uuidd
 validlocale
+vconfig
 vcstime
 vdpa
 veritysetup
@@ -711,6 +982,7 @@ vgexport
 vgextend
 vgimport
 vgimportclone
+vgimportdevices
 vgmerge
 vgmknodes
 vgreduce
@@ -719,22 +991,30 @@ vgrename
 vgs
 vgscan
 vgsplit
+vhangup
 vigr
 vipw
+virt-what
 virtiostat-bpfcc
 virtlockd
 virtlogd
 visudo
 vmcore-dmesg
+vncsession
 vpddecode
+vpnc
+vpnc-disconnect
 wakeuptime-bpfcc
 wipefs
+wiper.sh
 wpa_action
 wpa_cli
+wpa_passphrase
 wpa_supplicant
 wqlat-bpfcc
 writeback.bt
 wrmsr
+wsdd
 xfs_admin
 xfs_bmap
 xfs_copy
@@ -750,6 +1030,7 @@ xfs_mdrestore
 xfs_metadump
 xfs_mkfile
 xfs_ncheck
+xfs_property
 xfs_quota
 xfs_repair
 xfs_rtcp
@@ -759,11 +1040,17 @@ xfs_spaceman
 xfsdist-bpfcc
 xfsdist.bt
 xfsslower-bpfcc
+xkbctrl
 xtables-legacy-multi
 xtables-monitor
 xtables-nft-multi
+yast
+yast2
+zdump
 zerofree
 zfsdist-bpfcc
 zfsslower-bpfcc
 zic
 zramctl
+zypp-refresh
+zypper-log