felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add profile for ischroot.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-18 23:37:37 +02:00
parent 49155625a5
commit 6e0c646d14
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
13 changed files with 35 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/apt/apt
View file

@ -67,7 +67,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{bin}/echo rix, @{bin}/echo rix,
@{bin}/gdbus rix, @{bin}/gdbus rix,
@{bin}/id rix, @{bin}/id rix,
@{bin}/ischroot rix,
@{bin}/test rix, @{bin}/test rix,
@{bin}/touch rix, @{bin}/touch rix,
@ -80,14 +79,15 @@ profile apt @{exec_path} flags=(attach_disconnected) {
@{bin}/df rPx, @{bin}/df rPx,
@{bin}/dmesg rPx, @{bin}/dmesg rPx,
@{bin}/dpkg rPx, @{bin}/dpkg rPx,
@{sbin}/dpkg-preconfigure rPx,
@{bin}/dpkg-source rcx -> dpkg-source, @{bin}/dpkg-source rcx -> dpkg-source,
@{bin}/etckeeper rPx, @{bin}/etckeeper rPx,
@{bin}/ischroot rPx,
@{bin}/localepurge rPx, @{bin}/localepurge rPx,
@{bin}/ps rPx, @{bin}/ps rPx,
@{bin}/snap rPx, @{bin}/snap rPx,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/update-command-not-found rPx, @{bin}/update-command-not-found rPx,
@{sbin}/dpkg-preconfigure rPx,
@{lib}/cnf-update-db rPx, @{lib}/cnf-update-db rPx,
@{lib}/needrestart/apt-pinvoke rPx, @{lib}/needrestart/apt-pinvoke rPx,
@{lib}/zsys-system-autosnapshot rPx, @{lib}/zsys-system-autosnapshot rPx,

2
apparmor.d/groups/ubuntu/apport-gtk
View file

@ -41,7 +41,7 @@ profile apport-gtk @{exec_path} {
@{bin}/dpkg-query rpx, @{bin}/dpkg-query rpx,
@{bin}/gdb rCx -> gdb, @{bin}/gdb rCx -> gdb,
@{bin}/gsettings rPx, @{bin}/gsettings rPx,
@{bin}/ischroot rix, @{bin}/ischroot rPx,
@{bin}/journalctl rPx, @{bin}/journalctl rPx,
@{sbin}/killall5 rix, @{sbin}/killall5 rix,
@{bin}/kmod rPx, @{bin}/kmod rPx,

2
apparmor.d/groups/ubuntu/check-new-release-gtk
View file

@ -29,7 +29,7 @@ profile check-new-release-gtk @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/dpkg rPx, @{bin}/dpkg rPx,
@{bin}/ischroot rix, @{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,

2
apparmor.d/groups/ubuntu/do-release-upgrade
View file

@ -26,7 +26,7 @@ profile do-release-upgrade @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rix, @{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
/usr/share/distro-info/*.csv r, /usr/share/distro-info/*.csv r,

2
apparmor.d/groups/ubuntu/list-oem-metapackages
View file

@ -15,7 +15,7 @@ profile list-oem-metapackages @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rix, @{bin}/ischroot rPx,
@{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw,

2
apparmor.d/groups/ubuntu/software-properties-gtk
View file

@ -32,7 +32,7 @@ profile software-properties-gtk @{exec_path} {
@{bin}/aplay rPx, @{bin}/aplay rPx,
@{bin}/apt-key rPx, @{bin}/apt-key rPx,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rix, @{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/ubuntu-advantage rPx, @{bin}/ubuntu-advantage rPx,

3
apparmor.d/groups/ubuntu/ubuntu-advantage
View file

@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/ischroot rix,
@{bin}/apt rPx, @{bin}/apt rPx,
@{bin}/apt-cache rPx, @{bin}/apt-cache rPx,
@{bin}/apt-config rPx, @{bin}/apt-config rPx,
@{bin}/apt-get rPx, @{bin}/apt-get rPx,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rPx,
@{bin}/ps rPx, @{bin}/ps rPx,
@{bin}/snap rPUx, @{bin}/snap rPUx,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,

2
apparmor.d/groups/ubuntu/update-manager
View file

@ -44,7 +44,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/hwe-support-status rPx, @{bin}/hwe-support-status rPx,
@{bin}/ischroot rix, @{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/snap rPUx, @{bin}/snap rPUx,
@{bin}/software-properties-gtk rPx, @{bin}/software-properties-gtk rPx,

2
apparmor.d/groups/ubuntu/update-motd-updates-available
View file

@ -26,7 +26,7 @@ profile update-motd-updates-available @{exec_path} {
@{bin}/dirname rix, @{bin}/dirname rix,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/find rix, @{bin}/find rix,
@{bin}/ischroot rix, @{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/mktemp rix, @{bin}/mktemp rix,
@{bin}/mv rix, @{bin}/mv rix,

2
apparmor.d/groups/ubuntu/update-notifier
View file

@ -31,10 +31,10 @@ profile update-notifier @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/ionice rix, @{bin}/ionice rix,
@{bin}/ischroot rix,
@{bin}/nice rix, @{bin}/nice rix,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/ischroot rPx,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx -> lsb_release,
@{bin}/pkexec rCx -> pkexec, @{bin}/pkexec rCx -> pkexec,
@{bin}/snap rPUx, @{bin}/snap rPUx,

21
apparmor.d/profiles-g-l/ischroot Normal file
View file

@ -0,0 +1,21 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/ischroot
profile ischroot @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@{exec_path} mr,
@{PROC}/@{pid}/mountinfo r,
include if exists <local/ischroot>
}
# vim:syntax=apparmor

4
apparmor.d/profiles-m-r/packagekitd
View file

@ -51,7 +51,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/echo rix, @{bin}/echo rix,
@{bin}/gdbus rix, @{bin}/gdbus rix,
@{bin}/gzip rix, @{bin}/gzip rix,
@{bin}/ischroot rix,
@{sbin}/ldconfig rix, @{sbin}/ldconfig rix,
@{bin}/repo2solv rix, @{bin}/repo2solv rix,
@{bin}/tar rix, @{bin}/tar rix,
@ -63,7 +62,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/dpkg rPx -> child-dpkg, #aa:only apt
@{bin}/fc-cache rPx, @{bin}/fc-cache rPx,
@{bin}/glib-compile-schemas rPx, @{bin}/glib-compile-schemas rPx,
@{sbin}/install-info rPx, @{bin}/install-info rPx,
@{bin}/ischroot rPx,
@{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpm rPUx, #aa:only opensuse
@{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse
@{bin}/systemd-inhibit rPx, @{bin}/systemd-inhibit rPx,

2
apparmor.d/profiles-s-z/update-initramfs
View file

@ -22,7 +22,6 @@ profile update-initramfs @{exec_path} {
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/{m,g,}awk rix, @{bin}/{m,g,}awk rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/ischroot rix,
@{bin}/ln rix, @{bin}/ln rix,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/rm rix, @{bin}/rm rix,
@ -31,6 +30,7 @@ profile update-initramfs @{exec_path} {
@{bin}/uname rix, @{bin}/uname rix,
@{bin}/dpkg-trigger rPx, @{bin}/dpkg-trigger rPx,
@{bin}/ischroot rPx,
@{bin}/linux-version rPx, @{bin}/linux-version rPx,
@{sbin}/mkinitramfs rPx, @{sbin}/mkinitramfs rPx,