Replace shells with new sh_path variable

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>
2024-02-11 15:34:46 +01:00 · 2024-02-11 15:34:46 +01:00 · 40b171ee94
commit 40b171ee94
parent 3b1b187d13
315 changed files with 415 additions and 369 deletions
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@ -20,7 +20,7 @@ profile kconf_update @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,ba,da}sh                      rix,
+  @{sh_path}                             rix,
  @{bin}/{,p}grep                        rix,
  @{bin}/python3.@{int}                  rix,
  @{bin}/qtpaths                         rix,
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -19,7 +19,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)

  @{exec_path} mrix,

-  @{bin}/{,ba,da}sh   rix,
+  @{sh_path}          rix,
  @{bin}/find         rix,
  @{bin}/grep         rix,
  @{bin}/kcminit      rPx,
--- a/apparmor.d/groups/kde/kwin_x11
+++ b/apparmor.d/groups/kde/kwin_x11
@ -23,7 +23,7 @@ profile kwin_x11 @{exec_path} {

  @{exec_path} mrix,

-  @{bin}/{,ba,da}sh          rix,
+  @{sh_path}                 rix,
  @{lib}/kwin_killer_helper  rix,
  @{lib}/drkonqi             rPx,

--- a/apparmor.d/groups/kde/pam_kwallet_init
+++ b/apparmor.d/groups/kde/pam_kwallet_init
@ -12,7 +12,7 @@ profile pam_kwallet_init @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,ba,da}sh  rix,
+  @{sh_path}         rix,
  @{bin}/env         rix,
  @{bin}/socat       rix,

--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@ -28,7 +28,7 @@ profile plasma-discover @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,ba,da}sh                 rix,
+  @{sh_path}                        rix,
  @{bin}/kreadconfig5               rPx,

  @{bin}/gpg                        rCx -> gpg,
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -50,7 +50,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{lib}/sddm/sddm-helper-start-wayland     rix,
  @{lib}/sddm/sddm-helper-start-x11user     rix,

-  @{bin}/{,ba,da}sh    rix,
+  @{sh_path}           rix,
  @{bin}/cat           rix,
  @{bin}/checkproc     rix,
  @{bin}/disable-paste rix,
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@ -18,7 +18,7 @@ profile sddm-xsession @{exec_path} {
  @{exec_path} r,

  /{usr/,}{local,}bin/ r,
-  @{bin}/{,ba,da}sh rix,
+  @{sh_path}        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/cat        rix,
@ -85,5 +85,39 @@ profile sddm-xsession @{exec_path} {
    include if exists <local/sddm-xsession_dbus>
  }

+    profile gpg {
+    include <abstractions/base>
+    include <abstractions/nameservice-strict>
+    include <abstractions/openssl>
+    include <abstractions/ssl_certs>
+
+    capability dac_read_search,
+
+    network inet stream,
+    network inet6 stream,
+    network inet dgram,
+    network inet6 dgram,
+
+    @{bin}/gpg{,2} mr,
+    @{bin}/gpgconf mr,
+    @{bin}/gpgsm   mr,
+
+    @{bin}/dirmngr           rix,
+    @{bin}/gpg-agent         rPx,
+    @{bin}/gpg-connect-agent rix,
+
+    @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+    @{PROC}/@{pid}/fd/ r,
+    @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+          /dev/tty@{int} rw,
+    owner /dev/pts/@{int} rw,
+
+    deny @{user_share_dirs}/sddm/* rw,
+
+    include if exists <local/sddm-xsession_gpg>
+  }
+
  include if exists <local/sddm-xsession>
 }
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@ -18,7 +18,7 @@ profile xdm-xsession @{exec_path} {
  @{exec_path} mr,

  @{bin}/checkproc      rix,
-  @{bin}/{,ba,da}sh         rix,
+  @{sh_path}                rix,
  @{bin}/basename           rix,
  @{bin}/cat                rix,
  @{bin}/dirname            rix,