felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add lsb-release

Browse source 
Use it instead of lsb_release.
This commit is contained in:
Alexandre Pujol 2025-06-21 20:35:38 +02:00
parent 0572688c59
commit 4d201ea417
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
36 changed files with 77 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/abstractions/app/chromium
View file

@ -37,7 +37,7 @@
include <abstractions/desktop>
include <abstractions/devices-usb>
include <abstractions/fontconfig-cache-read>
include <abstractions/graphics-full>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/ssl_certs>
include <abstractions/thumbnails-cache-read>
@ -78,7 +78,7 @@
@{lib_dirs}/chrome-sandbox rPx,
# Desktop integration
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/xdg-desktop-menu rPx,
@{bin}/xdg-email rPx,
@{bin}/xdg-icon-resource rPx,
@ -202,6 +202,7 @@
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_{,score_}adj rw,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/smaps_rollup r,
owner @{PROC}/@{pid}/task/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{PROC}/@{pid}/task/@{tid}/stat r,

2
apparmor.d/abstractions/app/firefox
View file

@ -65,7 +65,7 @@
@{lib_dirs}/plugin-container rPx,
# Desktop integration
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/usr/share/@{name}/{,**} r,
/usr/share/doc/{,**} r,

2
apparmor.d/groups/apt/apt-listbugs
View file

@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/groups/apt/command-not-found
View file

@ -22,7 +22,7 @@ profile command-not-found @{exec_path} {
@{exec_path} r,
@{python_path} r,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/snap rPx,
@{lib}/ r,

2
apparmor.d/groups/apt/debconf-frontend
View file

@ -21,7 +21,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
@{exec_path} r,
@{bin}/hostname ix,
@{bin}/lsb_release Px -> lsb_release,
@{bin}/lsb_release Px,
@{bin}/stty ix,
@{sbin}/update-secureboot-policy Px,

2
apparmor.d/groups/apt/reportbug
View file

@ -47,7 +47,7 @@ profile reportbug @{exec_path} {
@{bin}/dlocate rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/dpkg-query rpx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{pager_path} rPx -> child-pager,
@{bin}/systemctl rCx -> systemctl,
@{lib}/firefox/firefox rPUx, # App allowed to open

2
apparmor.d/groups/apt/synaptic
View file

@ -47,7 +47,7 @@ profile synaptic @{exec_path} {
@{bin}/dpkg rPx,
@{sbin}/dpkg-preconfigure rPx,
@{bin}/localepurge rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/pkexec rCx -> pkexec,
@{bin}/ps rPx,
@{bin}/software-properties-gtk rPx,

2
apparmor.d/groups/apt/unattended-upgrade
View file

@ -58,7 +58,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
@{bin}/dpkg-divert Px,
@{bin}/etckeeper Px,
@{bin}/ischroot Px,
@{bin}/lsb_release Px -> lsb_release,
@{bin}/lsb_release Px,
@{sbin}/dpkg-preconfigure Px,
@{sbin}/on_ac_power Px,
@{sbin}/sendmail Px,

2
apparmor.d/groups/grub/grub-install
View file

@ -21,7 +21,7 @@ profile grub-install @{exec_path} flags=(complain) {
@{sh_path} rix,
@{sbin}/efibootmgr rix,
@{bin}/kmod rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/udevadm rPx,
/usr/share/grub/{,**} r,

2
apparmor.d/groups/grub/grub-mkconfig
View file

@ -39,7 +39,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
@{bin}/head rix,
@{bin}/id rPx,
@{bin}/ls rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/mktemp rix,
@{bin}/mount rPx,
@{bin}/mountpoint rix,

2
apparmor.d/groups/grub/grub-probe
View file

@ -19,7 +19,7 @@ profile grub-probe @{exec_path} {
@{exec_path} mr,
/{usr/,}{local/,}{s,}bin/zpool rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{sbin}/lvm rPx,
@{bin}/udevadm rPx,

2
apparmor.d/groups/kde/dolphin
View file

@ -33,7 +33,7 @@ profile dolphin @{exec_path} {
@{lib}/libheif/*.so* mr,
@{bin}/ldd rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{lib}/{,@{multiarch}/}utempter/utempter rPx,
@{thunderbird_path} rPx,

2
apparmor.d/groups/kde/drkonqi
View file

@ -24,7 +24,7 @@ profile drkonqi @{exec_path} {
@{exec_path} mr,
@{bin}/plasmashell r,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/usr/share/drkonqi/{,**} r,

2
apparmor.d/groups/ubuntu/apport-gtk
View file

@ -46,7 +46,7 @@ profile apport-gtk @{exec_path} {
@{sbin}/killall5 rix,
@{bin}/kmod rPx,
@{bin}/ldd rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/md5sum rix,
@{bin}/pkexec rCx -> pkexec,
@{bin}/systemctl rCx -> systemctl,

2
apparmor.d/groups/ubuntu/check-new-release-gtk
View file

@ -30,7 +30,7 @@ profile check-new-release-gtk @{exec_path} {
@{bin}/dpkg rPx,
@{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
@{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,

2
apparmor.d/groups/ubuntu/do-release-upgrade
View file

@ -27,7 +27,7 @@ profile do-release-upgrade @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/usr/share/distro-info/*.csv r,
/usr/share/ubuntu-release-upgrader/{,**} r,

2
apparmor.d/groups/ubuntu/hwe-support-status
View file

@ -15,7 +15,7 @@ profile hwe-support-status @{exec_path} {
@{exec_path} mr,
@{bin}/dpkg rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/usr/share/distro-info/{,**} r,

2
apparmor.d/groups/ubuntu/software-properties-dbus
View file

@ -30,7 +30,7 @@ profile software-properties-dbus @{exec_path} {
@{python_path} rix,
@{bin}/env rix,
@{bin}/apt-key rPx, # Changing trusted keys
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/etc/apt/apt.conf.d/10periodic w,
/etc/apt/sources.list{,.save} rw,

2
apparmor.d/groups/ubuntu/software-properties-gtk
View file

@ -33,7 +33,7 @@ profile software-properties-gtk @{exec_path} {
@{bin}/apt-key rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/ubuntu-advantage rPx,
/usr/share/distro-info/*.csv r,

2
apparmor.d/groups/ubuntu/update-manager
View file

@ -45,7 +45,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/hwe-support-status rPx,
@{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/snap rPUx,
@{bin}/software-properties-gtk rPx,
@{bin}/uname rix,

2
apparmor.d/groups/ubuntu/update-motd-updates-available
View file

@ -27,7 +27,7 @@ profile update-motd-updates-available @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/find rix,
@{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/mktemp rix,
@{bin}/mv rix,
@{bin}/rm rix,

2
apparmor.d/groups/ubuntu/update-notifier
View file

@ -35,7 +35,7 @@ profile update-notifier @{exec_path} {
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/pkexec rCx -> pkexec,
@{bin}/snap rPUx,
@{bin}/software-properties-gtk rPx,

2
apparmor.d/profiles-a-f/adequate
View file

@ -90,7 +90,7 @@ profile adequate @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/profiles-a-f/aspell-autobuildhash
View file

@ -62,7 +62,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/profiles-a-f/check-support-status-hook
View file

@ -84,7 +84,7 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/profiles-a-f/discord
View file

@ -31,7 +31,7 @@ profile discord @{exec_path} {
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{lib_dirs}/chrome-sandbox rix,
@{lib_dirs}/chrome_crashpad_handler rix,

2
apparmor.d/profiles-a-f/dropbox
View file

@ -39,7 +39,7 @@ profile dropbox @{exec_path} {
@{bin}/{,@{multiarch}-}objdump rix,
@{open_path} rPx -> child-open-strict,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
owner @{HOME}/ r,
owner @{config_dirs}/ rw,

2
apparmor.d/profiles-a-f/filezilla
View file

@ -38,7 +38,7 @@ profile filezilla @{exec_path} {
@{bin}/fzsftp rPx, # When using SFTP protocol
@{bin}/fzputtygen rPUx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/usr/share/filezilla/{,**} r,

2
apparmor.d/profiles-g-l/hardinfo
View file

@ -46,7 +46,7 @@ profile hardinfo @{exec_path} {
@{bin}/valgrind{,.bin} rix,
@{lib}/@{multiarch}/valgrind/memcheck-*-linux rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{open_path} rPx -> child-open,
@{bin}/ccache rCx -> ccache,
@{bin}/kmod rCx -> kmod,

2
apparmor.d/profiles-g-l/hw-probe
View file

@ -62,7 +62,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{bin}/journalctl rCx -> journalctl,
@{bin}/killall rCx -> killall,
@{bin}/kmod rCx -> kmod,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{bin}/lsblk rPx,
@{bin}/lscpu rPx,
@{bin}/lspci rPx,

2
apparmor.d/profiles-g-l/kodi
View file

@ -34,7 +34,7 @@ profile kodi @{exec_path} {
@{bin}/mv rix,
@{bin}/uname rix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/usr/share/kodi/{,**} r,
/usr/share/publicsuffix/* r,

40
apparmor.d/profiles-g-l/lsb-release Normal file
View file

@ -0,0 +1,40 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that
# does attach @{bin}/lsb_release.
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/lsb_release
profile lsb-release @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
@{sh_path} rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/find rix,
@{bin}/getopt rix,
@{bin}/head rix,
@{bin}/sed rix,
@{bin}/tr rix,
#aa:only apt
@{bin}/dpkg-query px,
/etc/ r,
/etc/*-release r,
/etc/lsb-release r,
/etc/lsb-release.d/{,*} r,
include if exists <local/lsb-release>
}
# vim:syntax=apparmor

2
apparmor.d/profiles-m-r/mumble
View file

@ -30,7 +30,7 @@ profile mumble @{exec_path} {
@{exec_path} mrix,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{browsers_path} rPx,
@{open_path} rPx -> child-open,

2
apparmor.d/profiles-m-r/murmurd
View file

@ -29,7 +29,7 @@ profile murmurd @{exec_path} {
@{exec_path} mr,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
/etc/mumble-server.ini r,

2
apparmor.d/profiles-m-r/psi
View file

@ -34,7 +34,7 @@ profile psi @{exec_path} {
@{bin}/aplay rCx -> aplay,
@{bin}/gpg{,2} rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{open_path} rPx -> child-open,
@{lib}/firefox/firefox rPUx,

2
apparmor.d/profiles-m-r/psi-plus
View file

@ -34,7 +34,7 @@ profile psi-plus @{exec_path} {
@{bin}/aplay rCx -> aplay,
@{bin}/gpg{,2} rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/lsb_release rPx,
@{open_path} rPx -> child-open,
@{lib}/firefox/firefox rPUx,