felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add more programs to the list of sbin program.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-01 15:17:03 +02:00
parent dc816178f5
commit 3a568ba307
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
44 changed files with 338 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/apparmor/aa-notify
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/aa-notify
@{exec_path} = @{sbin}/aa-notify
profile aa-notify @{exec_path} {
include <abstractions/base>
include <abstractions/bus-session>

2
apparmor.d/groups/apparmor/aa-unconfined
View file

@ -21,7 +21,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
@{bin}/ r,
@{bin}/netstat Px,
@{bin}/ss Px,
@{sbin}/ss Px,
/usr/share/terminfo/** r,

2
apparmor.d/groups/apt/unattended-upgrade
View file

@ -55,7 +55,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{bin}/etckeeper rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{sbin}/on_ac_power rPx,
@{bin}/sendmail rPUx,
@{sbin}/sendmail rPUx,
@{lib}/apt/methods/http{,s} rPx,
@{lib}/needrestart/apt-pinvoke rPx,
@{lib}/update-notifier/update-motd-updates-available rPx,

2
apparmor.d/groups/display-manager/xdm-xsession
View file

@ -20,7 +20,7 @@ profile xdm-xsession @{exec_path} {
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/checkproc rix,
@{sbin}/checkproc rix,
@{bin}/dirname rix,
@{bin}/fortune rPUx,
@{bin}/gpg-agent rPx,

2
apparmor.d/groups/filesystem/btrfs-convert
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-convert
@{exec_path} = @{sbin}/btrfs-convert
profile btrfs-convert @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/groups/filesystem/btrfs-image
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfs-image
@{exec_path} = @{sbin}/btrfs-image
profile btrfs-image @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

2
apparmor.d/groups/filesystem/btrfstune
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/btrfstune
@{exec_path} = @{sbin}/btrfstune
profile btrfstune @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

4
apparmor.d/groups/filesystem/mount-nfs
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/mount.nfs
@{exec_path} = @{sbin}/mount.nfs
profile mount-nfs @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/nameservice-strict>
@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) {
@{sh_path} rix,
@{bin}/flock rix,
@{bin}/start-statd rix,
@{sbin}/start-statd rix,
@{bin}/systemctl rCx -> systemctl,
/etc/fstab r,

2
apparmor.d/groups/filesystem/nfsdcld
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/nfsdcld
@{exec_path} = @{sbin}/nfsdcld
profile nfsdcld @{exec_path} {
include <abstractions/base>

2
apparmor.d/groups/freedesktop/plymouth-set-default-theme
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/plymouth-set-default-theme
@{exec_path} = @{sbin}/plymouth-set-default-theme
profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/groups/gnome/gnome-initial-setup
View file

@ -37,7 +37,7 @@ profile gnome-initial-setup @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/locale rix,
@{bin}/lscpu rPx,
@{bin}/lspci rPx,
@{sbin}/lspci rPx,
@{bin}/xrandr rPx,
@{lib}/gnome-initial-setup-goa-helper rix,

2
apparmor.d/groups/grub/grub-install
View file

@ -19,7 +19,7 @@ profile grub-install @{exec_path} flags=(complain) {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/efibootmgr rix,
@{sbin}/efibootmgr rix,
@{bin}/kmod rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/udevadm rPx,

2
apparmor.d/groups/grub/grub-mkconfig
View file

@ -21,7 +21,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
@{bin}/{e,f,}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/basename rix,
@{bin}/btrfs rPx,
@{sbin}/btrfs rPx,
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cut rix,

2
apparmor.d/groups/gvfs/gvfsd-wsdd
View file

@ -19,7 +19,7 @@ profile gvfsd-wsdd @{exec_path} {
@{exec_path} mr,
@{bin}/env r,
@{bin}/wsdd rPx,
@{sbin}/wsdd rPx,
@{run}/mount/utab r,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

2
apparmor.d/groups/kde/sddm
View file

@ -76,7 +76,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{shells_path} rix,
@{bin}/cat rix,
@{bin}/checkproc rix,
@{sbin}/checkproc rix,
@{bin}/disable-paste rix,
@{bin}/locale rix,
@{bin}/manpath rix,

2
apparmor.d/groups/kde/systemsettings
View file

@ -29,7 +29,7 @@ profile systemsettings @{exec_path} {
@{bin}/cat rix,
@{bin}/eglinfo rPUx,
@{bin}/kcminit rPx,
@{bin}/lspci rPx,
@{sbin}/lspci rPx,
@{bin}/openssl rix,
@{bin}/pactl rPx,
@{bin}/plasma-discover rPx,

2
apparmor.d/groups/pacman/mkinitcpio
View file

@ -47,7 +47,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{bin}/{modinfo,rmmod} rPx,
@{sbin}/modprobe rPx,
@{bin}/plymouth rPx,
@{bin}/plymouth-set-default-theme rPx,
@{sbin}/plymouth-set-default-theme rPx,
@{bin}/sbctl rPx,
@{bin}/sync rPx,

2
apparmor.d/groups/pacman/pacman
View file

@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
@{bin}/gtk{,4}-update-icon-cache rPx,
@{sbin}/iconvconfig rix,
@{bin}/install-catalog rPx,
@{bin}/install-info rPx,
@{sbin}/install-info rPx,
@{sbin}/iscsi-iname rix,
@{bin}/journalctl rPx,
@{bin}/killall rix,

4
apparmor.d/groups/steam/steam
View file

@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/ldd rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsof rix,
@{bin}/lspci rCx -> lspci,
@{sbin}/lspci rCx -> lspci,
@{bin}/tar rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xdg-icon-resource rPx,
@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
unix receive type=stream,
@{bin}/lspci mr,
@{sbin}/lspci mr,
owner @{HOME}/.steam/steam.pipe r,

2
apparmor.d/groups/systemd/systemd-udevd
View file

@ -45,7 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
@{bin}/ddcutil rPx,
@{sbin}/dmsetup rPx,
@{sbin}/ethtool rix,
@{bin}/issue-generator rPx,
@{sbin}/issue-generator rPx,
@{sbin}/kdump-config rPUx,
@{bin}/kmod rPx,
@{bin}/logger rix,

2
apparmor.d/groups/utils/lspci
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lspci
@{exec_path} = @{sbin}/lspci
profile lspci @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-a-f/adequate
View file

@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) {
# shared object file): ignored.
@{bin}/dpkg-query rpx,
#
@{bin}/update-alternatives rPx,
@{sbin}/update-alternatives rPx,
/var/lib/adequate/pending rwk,

2
apparmor.d/profiles-a-f/atd
View file

@ -27,7 +27,7 @@ profile atd @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/sendmail rPUx,
@{sbin}/sendmail rPUx,
@{bin}/exim4 rPx,
@{etc_ro}/environment r,

2
apparmor.d/profiles-a-f/chronyd
View file

@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/chronyd
@{exec_path} = @{sbin}/chronyd
profile chronyd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/profiles-a-f/crda
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/crda
@{exec_path} = @{sbin}/crda
profile crda @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-a-f/fatresize
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/fatresize
@{exec_path} = @{sbin}/fatresize
profile fatresize @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>

6
apparmor.d/profiles-g-l/gpartedbin
View file

@ -39,9 +39,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) {
@{bin}/udevadm rCx -> udevadm,
@{bin}/umount rCx -> umount,
@{bin}/btrfs rPx,
@{bin}/btrfstune rPx,
@{bin}/dmraid rPUx,
@{sbin}/btrfs rPx,
@{sbin}/btrfstune rPx,
@{sbin}/dmraid rPUx,
@{sbin}/dmsetup rPUx,
@{sbin}/dumpe2fs rPx,
@{sbin}/e2fsck rPx,

2
apparmor.d/profiles-g-l/hardinfo
View file

@ -53,7 +53,7 @@ profile hardinfo @{exec_path} {
@{bin}/glxinfo rPx,
@{bin}/xdpyinfo rPx,
@{bin}/lspci rPx,
@{sbin}/lspci rPx,
@{bin}/lsusb rPx,
@{bin}/netstat rPx,
@{bin}/qtchooser rPx,

6
apparmor.d/profiles-g-l/hw-probe
View file

@ -24,7 +24,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{bin}/{,e}grep rix,
@{bin}/{m,g,}awk rix,
@{bin}/dd rix,
@{bin}/efibootmgr rix,
@{sbin}/efibootmgr rix,
@{bin}/efivar rix,
@{bin}/find rix,
@{bin}/md5sum rix,
@ -53,7 +53,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{bin}/glxinfo rPx,
@{bin}/hciconfig rPx,
@{sbin}/hdparm rPx,
@{bin}/hwinfo rPx,
@{sbin}/hwinfo rPx,
@{bin}/i2cdetect rPx,
@{sbin}/ifconfig rCx -> netconfig,
@{bin}/inxi rPx,
@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsblk rPx,
@{bin}/lscpu rPx,
@{bin}/lspci rPx,
@{sbin}/lspci rPx,
@{bin}/lsusb rPx,
@{bin}/memtester rPx,
@{bin}/nmcli rPx,

4
apparmor.d/profiles-g-l/hwinfo
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/hwinfo
@{exec_path} = @{sbin}/hwinfo
profile hwinfo @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
@ -29,7 +29,7 @@ profile hwinfo @{exec_path} {
@{bin}/udevadm rCx -> udevadm,
@{sbin}/acpidump rPUx,
@{bin}/dmraid rPUx,
@{sbin}/dmraid rPUx,
/usr/share/hwinfo/{,**} r,

2
apparmor.d/profiles-g-l/install-info
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/install-info
@{exec_path} = @{sbin}/install-info
profile install-info @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-g-l/inxi
View file

@ -51,7 +51,7 @@ profile inxi @{exec_path} {
@{bin}/glxinfo rPx,
@{bin}/hddtemp rPx,
@{bin}/lsblk rPx,
@{bin}/lspci rPx,
@{sbin}/lspci rPx,
@{bin}/lsusb rPx,
@{bin}/openbox rPx,
@{bin}/ps rPx,

2
apparmor.d/profiles-g-l/irqbalance
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/irqbalance
@{exec_path} = @{sbin}/irqbalance
profile irqbalance @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>

2
apparmor.d/profiles-g-l/issue-generator
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/issue-generator
@{exec_path} = @{sbin}/issue-generator
profile issue-generator @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-m-r/monitorix
View file

@ -41,7 +41,7 @@ profile monitorix @{exec_path} {
@{bin}/tail rix,
@{bin}/{m,g,}awk rix,
@{bin}/free rix,
@{bin}/ss rix,
@{sbin}/ss rix,
@{bin}/who rix,
@{sbin}/lvm rix,
@{sbin}/xtables-nft-multi rix,

4
apparmor.d/profiles-m-r/os-prober
View file

@ -27,10 +27,10 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix,
@{bin}/{e,f,}grep rix,
@{sbin}/blkid rPx,
@{bin}/btrfs rPx,
@{sbin}/btrfs rPx,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/dmraid rPUx,
@{sbin}/dmraid rPUx,
@{bin}/find rix,
@{bin}/grub-mount rPx,
@{sbin}/grub-probe rPx,

2
apparmor.d/profiles-m-r/packagekitd
View file

@ -63,7 +63,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/dpkg rPx -> child-dpkg, #aa:only apt
@{bin}/fc-cache rPx,
@{bin}/glib-compile-schemas rPx,
@{bin}/install-info rPx,
@{sbin}/install-info rPx,
@{bin}/rpm rPUx, #aa:only opensuse
@{bin}/rpmdb2solv rPUx, #aa:only opensuse
@{bin}/systemd-inhibit rPx,

2
apparmor.d/profiles-m-r/rngd
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/rngd
@{exec_path} = @{sbin}/rngd
profile rngd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/devices-usb>

2
apparmor.d/profiles-s-z/setpci
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/setpci
@{exec_path} = @{sbin}/setpci
profile setpci @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-s-z/ss
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ss
@{exec_path} = @{sbin}/ss
profile ss @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-s-z/tomb
View file

@ -66,7 +66,7 @@ profile tomb @{exec_path} {
@{bin}/tr rix,
@{bin}/zsh rix,
@{bin}/btrfs rPx,
@{sbin}/btrfs rPx,
@{sbin}/cryptsetup rPUx,
@{bin}/e2fsc rPUx,
@{sbin}/fsck rPx,

2
apparmor.d/profiles-s-z/update-alternatives
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/update-alternatives
@{exec_path} = @{sbin}/update-alternatives
profile update-alternatives @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-s-z/wsdd
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/wsdd
@{exec_path} = @{sbin}/wsdd
profile wsdd @{exec_path} {
include <abstractions/base>
include <abstractions/python>