feat(profile): simplify needrestart & fix pam-auth-update.

2025-05-25 18:24:34 +02:00 · 2025-05-25 18:24:34 +02:00 · 3afd89c59e
commit 3afd89c59e
parent 14f6e269ea
2 changed files with 2 additions and 19 deletions
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -9,11 +9,8 @@ include <tunables/global>
@{exec_path} = @{sbin}/needrestart
 profile needrestart @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/nameservice-strict>
-  include <abstractions/perl>
+  include <abstractions/common/debconf>
  include <abstractions/python>
-  include <abstractions/wutmp>

  capability checkpoint_restore,
  capability dac_read_search,
@ -27,18 +24,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
  @{sh_path}                               rix,
  @{bin}/dpkg-query                        rpx,
  @{bin}/fail2ban-server                   rPx,
-  @{bin}/sed                               rix,
-  @{bin}/stty                              rix,
  @{bin}/systemctl                         rCx -> systemctl,
  @{bin}/systemd-detect-virt               rPx,
  @{bin}/udevadm                           rCx -> udevadm,
-  @{bin}/who                               rix,
  @{lib}/needrestart/*                     rPx,
  @{python_path}                           rix,
  @{sbin}/unix_chkpwd                      rPx,

-  /usr/share/debconf/frontend              rCx -> debconf,
-
  /etc/needrestart/hook.d/*                rPx,
  /etc/needrestart/notify.d/*              rPx,
  /etc/needrestart/restart.d/*             rPx,
@ -96,15 +88,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
    include if exists <local/needrestart_udevadm>
  }

-  profile debconf {
-    include <abstractions/base>
-    include <abstractions/common/debconf>
-
-    @{sbin}/needrestart Px,
-
-    include if exists <local/needrestart_debconf>
-  }
-
  include if exists <local/needrestart>
 }

--- a/apparmor.d/profiles-m-r/pam-auth-update
+++ b/apparmor.d/profiles-m-r/pam-auth-update
@ -12,7 +12,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/common/debconf>

-  @{exec_path} mr,
+  @{exec_path} mrix,

  @{bin}/md5sum  ix,
  @{bin}/cp      ix,