diff --git a/apparmor.d/profiles-g-l/grc b/apparmor.d/profiles-g-l/grc
deleted file mode 100644
index ab02bb6ac..000000000
--- a/apparmor.d/profiles-g-l/grc
+++ /dev/null
@@ -1,69 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{GRC_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/{,local/}share /{,usr/}lib/systemd
-
-@{exec_path} = /{,usr/}bin/grc
-profile grc @{exec_path} {
- @{exec_path} r,
- include
- include
-
- capability dac_read_search,
- # No visible effect
- deny capability dac_override,
-
- signal (send) set=(int) peer=ss,
- signal (send) set=(int) peer=ping,
- signal (send) set=(int) peer=traceroute,
-
- # python-strict
- /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
- /{,usr/}lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
- /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/**.{egg,py,pth} r,
- /{,usr/}local/lib{,32,64}/python3.[0-9]{,[0-9]}/{site,dist}-packages/ r,
- /{,usr/}bin/python3.[0-9]{,[0-9]} r,
-
- owner @{HOME}/.grc/** r,
- /etc/grc.conf r,
- /usr/{,local/}share/grc/{,**} r,
-
- /{,usr/}bin/grcat rix,
- /{,usr/}bin/cat rix,
- /{,usr/}bin/tail rix,
- /{,usr/}bin/head rix,
- /{,usr/}bin/{,g,m}awk rix,
- /{,usr/}bin/{,e}grep rix,
- /{,usr/}bin/sed rix,
- /{,usr/}bin/less rix,
- /{,usr/}bin/ls rix,
-
- /{,usr/}bin/ping rPx,
- /{,usr/}bin/df rPx,
- /{,usr/}bin/dfc rPx,
- /{,usr/}bin/ss rPx,
- /{,usr/}bin/ps rPx,
- /{,usr/}bin/ip rPx,
- /{,usr/}bin/lsblk rPx,
- /{,usr/}bin/diff rPx,
- /{,usr/}sbin/blkid rPx,
- /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} rPx,
-
- @{GRC_PATHS_RO}/** r,
- @{MOUNTS}/** r,
-
- deny /var/log/{,**/}*.gz r,
-
- # Extremely sensitive files
- audit deny /etc/**.key mrwkl,
- audit deny /etc/ssh/ssh_host_*_key mrwkl,
-
- # Noise
- deny /usr/bin/ r,
-
- include if exists
-}