feat(profile): initial integration with attached path.

The feature is not yet enabled. See https://apparmor.pujol.io/development/internal/#re-attached-path
2024-10-11 14:13:17 +01:00 · 2024-10-11 14:13:17 +01:00 · 61a27bc336
commit 61a27bc336
parent 5bf8c6ef0f
85 changed files with 164 additions and 139 deletions
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -34,7 +34,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c5:@{int} r,           # for /dev/tty, /dev/console, /dev/ptmx
  @{run}/udev/data/n@{int} r,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{sys}/bus/ r,
  @{sys}/bus/usb/devices/ r,
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -95,7 +95,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
  /usr/share/iproute2/{,**} r,

-  / r,
+  @{att}/ r,
+
  /etc/ r,
  /etc/iproute2/* r,
  /etc/machine-id r,
@ -115,11 +116,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  @{sys}/class/net/rfkill/ r,
  @{sys}/class/rfkill/ r,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/network/ifstate r,
  @{run}/NetworkManager/{,**} rw,
  @{run}/nm-*.pid rw,
  @{run}/nscd/db* rwl,
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/systemd/users/@{uid} r,
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+platform:* r,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {

  owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  /dev/tty rw,