From 55e4b27c2b4b43488edb7b155fd3e5efd0733a18 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 1 Jun 2025 16:02:20 +0200
Subject: [PATCH] feat(tunable): add the archive_path variable.
---
 apparmor.d/profiles-a-f/atool | 8 ++++----
 apparmor.d/profiles-a-f/file-roller | 14 +-------------
 apparmor.d/profiles-s-z/unmkinitramfs | 6 +-----
 apparmor.d/profiles-s-z/xarchiver | 13 +------------
 apparmor.d/tunables/multiarch.d/paths | 3 +++
 apparmor.d/tunables/multiarch.d/programs | 3 +++
 6 files changed, 13 insertions(+), 34 deletions(-)
diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool
index 99cb0fed6..2782aacc0 100644
--- a/apparmor.d/profiles-a-f/atool
+++ b/apparmor.d/profiles-a-f/atool
@@ -19,9 +19,9 @@ profile atool @{exec_path} {
 @{bin}/7z rix,
 @{bin}/arc rix,
 @{bin}/arj rix,
- @{bin}/bzip2 rix,
- @{bin}/bzip2 rix,
 @{bin}/bzip rix,
+ @{bin}/bzip2 rix,
+ @{bin}/bzip2 rix,
 @{bin}/compress rix,
 @{bin}/cpio rix,
 @{bin}/gunzip rix,
@@ -30,16 +30,15 @@ profile atool @{exec_path} {
 @{bin}/jar rix,
 @{bin}/lha rix,
 @{bin}/lrunzip rix,
+ @{bin}/lrz rix,
 @{bin}/lrzcat rix,
 @{bin}/lrzip rix,
- @{bin}/lrz rix,
 @{bin}/lrztar rix,
 @{bin}/lrzuntar rix,
 @{bin}/lzip rix,
 @{bin}/lzma rix,
 @{bin}/lzop rix,
 @{bin}/lzop rix,
- @{lib}/p7zip/7z rix,
 @{bin}/rar rix,
 @{bin}/tar rix,
 @{bin}/unace rix,
@@ -48,6 +47,7 @@ profile atool @{exec_path} {
 @{bin}/unzip rix,
 @{bin}/xz rix,
 @{bin}/zip rix,
+ @{lib}/p7zip/7z rix,
 /etc/atool.conf r,
 owner @{HOME}/.atoolrc r,
diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller
index 24610cd8c..e7bfafaac 100644
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
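Review bot: In apparmor.d/profiles-a-f/atool the reordered list still carries repeated rules on the new side: `@{bin}/bzip2 rix,` appears twice in the first hunk and `@{bin}/lzop rix,` twice in the second (as rendered on this page; if one of each pair was meant to name a different binary, the name should be corrected instead). Dropping the repeats keeps the exec allow-list easy to audit. This profile also keeps its own explicit list rather than `@{archive_path}`, which looks deliberate since it needs binaries such as `arc`, `arj` and `lha` that are not in `@{archive_names}`; a one-line comment saying so would stop a later cleanup from swapping in the shared variable by default. The profile body continues outside these hunks.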
@@ -26,19 +26,7 @@ profile file-roller @{exec_path} {
 @{bin}/rm rix,
 # Archivers
- @{bin}/7z rix,
- @{bin}/7zz rix,
- @{bin}/ar rix,
- @{bin}/bzip2 rix,
- @{bin}/cpio rix,
- @{bin}/gzip rix,
- @{bin}/tar rix,
- @{bin}/unrar-nonfree rix,
- @{bin}/unzip rix,
- @{bin}/xz rix,
- @{bin}/zip rix,
- @{bin}/zstd rix,
- @{lib}/p7zip/7z rix,
+ @{archive_path} rix,
 # Full access to user's data
 @{MOUNTS}/** rw,
diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs
index 6b5607ed1..3ee530970 100644
--- a/apparmor.d/profiles-s-z/unmkinitramfs
+++ b/apparmor.d/profiles-s-z/unmkinitramfs
@@ -18,22 +18,18 @@ profile unmkinitramfs @{exec_path} {
 @{exec_path} r,
 @{sh_path} rix,
+ @{archive_path} rix,
 @{bin}/{,e}grep rix,
- @{bin}/bzip2 rix,
 @{bin}/cat rix,
- @{bin}/cpio rix,
 @{bin}/dd rix,
 @{bin}/getopt rix,
- @{bin}/gzip rix,
 @{bin}/lz4cat rix,
 @{bin}/lzma rix,
 @{bin}/lzop rix,
 @{bin}/mkdir rix,
 @{bin}/mktemp rix,
 @{bin}/rm rix,
- @{bin}/xz rix,
 @{bin}/xzcat rix,
- @{bin}/zstd rix,
 /boot/ r,
 owner /boot/initrd.img-* r,
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver
index 003770008..f38a69224 100644
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@@ -28,18 +28,7 @@ profile xarchiver @{exec_path} {
 @{bin}/cp rix,
 # Archivers
- @{bin}/7z rix,
- @{lib}/p7zip/7z rix,
- @{bin}/unrar-nonfree rix,
- @{bin}/zip rix,
- @{bin}/unzip rix,
- @{bin}/tar rix,
- @{bin}/xz rix,
- @{bin}/bzip2 rix,
- @{bin}/cpio rix,
- @{bin}/gzip rix,
- @{bin}/zstd rix,
- # For deb packages
+ @{archive_path} rix,
 @{bin}/{,@{multiarch}-}ar rix,
 @{open_path} rPx -> child-open,
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index 059f337fd..cca544370 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
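Review bot: Swapping the explicit lists for `@{archive_path} rix,` widens what each profile may execute, most visibly in apparmor.d/profiles-s-z/unmkinitramfs. There the removed rules covered only bzip2, cpio, gzip, xz and zstd, while `@{archive_names}` as defined in this commit also expands to 7z, 7zz, ar, lzip, rar, tar, unrar-nonfree, unzip and zip, plus `@{lib}/p7zip/7z`. Because the rule is `ix`, each of those binaries runs under the calling profile's confinement, so a flaw in any one of them is exposed to that profile's file access. The file-roller hunk (a profile with `@{MOUNTS}/** rw`) gains lzip and rar the same way, and the xarchiver hunk gains 7zz, lzip and rar. For unmkinitramfs I would keep the narrow set, e.g. `@{bin}/{bzip2,cpio,gzip,xz,zstd} rix,`, and reserve the shared variable for general-purpose archive managers; the profile bodies continue outside these hunks.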
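Review bot: In apparmor.d/profiles-s-z/xarchiver the `# For deb packages` comment is removed while the rule it explained, `@{bin}/{,@{multiarch}-}ar rix,`, stays, and plain `ar` is now also granted through `@{archive_names}`. Keep the comment, reworded to say why the rule remains, e.g. `# For deb packages: multiarch-prefixed ar (plain ar comes from @{archive_path})`. Alternatively narrow the rule to `@{bin}/@{multiarch}-ar rix,` so the two grants do not overlap.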
@@ -72,4 +72,7 @@
 # Backup
 @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor
+# Archives
+@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z
+
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
index cddb1a7d2..a7cbaf831 100644
--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -96,4 +96,7 @@
 # Backup
 @{backup_names} = deja-dup borg
+# Archives
+@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd
+
 # vim:syntax=apparmor
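Review bot: The new `@{archive_names}` definition in tunables/multiarch.d/programs, and `@{archive_path}` in tunables/multiarch.d/paths, carry only the `# Archives` heading and say nothing about how they are consumed. The profiles touched in this commit use the variable with `rix`, so any name appended to the list later is allowed to run inside every consumer's confinement without a change to those profiles. I would extend the comment above both definitions, e.g. `# Archives. Used with ix by several profiles: adding a name here extends each of them.`, so that a future addition gets reviewed against all consumers rather than just the profile that prompted it.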