From 6ed873aad375bea4734ec5321049e597aec02c32 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:35:43 +0200 Subject: [PATCH] feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin). --- apparmor.d/abstractions/app/kmod | 6 ------ apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt | 4 ++-- apparmor.d/groups/cron/cron-exim4-base | 6 +++--- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/btrfs-find-root | 2 +- apparmor.d/groups/firewall/firewalld | 4 ++-- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/openvpn | 6 +++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/mkinitcpio | 5 +---- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 1 - apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 1 - apparmor.d/profiles-a-f/adduser | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 4 ++-- apparmor.d/profiles-a-f/check-bios-nx | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-a-f/deluser | 4 ++-- apparmor.d/profiles-a-f/dhclient-script | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/inxi | 4 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 
2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/wpa-action | 2 +- tests/sbin.list | 16 ++++++++++++++++ 54 files changed, 75 insertions(+), 70 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 6c889bd60..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -8,12 +8,6 @@ include @{bin}/kmod mr, - @{sbin}/depmod mr, - @{sbin}/insmod mr, - @{sbin}/lsmod mr, - @{sbin}/modinfo mr, - @{sbin}/modprobe mr, - @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 936d15d42..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} { @{pager_path} Cx -> pager, @{bin}/dpkg Px -> child-dpkg, - @{bin}/exim4 Px, # Send results using email + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c9448c7fb..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -27,7 +27,7 @@ profile debsecan @{exec_path} { @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index dbd02ff6c..ab230a43b 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug 
@@ -40,7 +40,7 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 1322108d4..3756c1d03 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index eba78ac82..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/ionice rix, @{bin}/nice rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 81e5761d7..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cron-apt +@{exec_path} = @{bin}/cron-apt profile cron-apt @{exec_path} { include include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 2970f8d42..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base 
@@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, @{sbin}/start-stop-daemon rix, @{sbin}/runuser rix, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 156d5e820..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/crontab +@{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 91dd32f51..6eeeaa414 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{sbin}/ippfind rix, + @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root index eef4b6823..cec2bbb61 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 01f853c26..57a0baa20 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld 
@@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/alts ix, @{bin}/false ix, @{bin}/kmod Cx -> kmod, - @{sbin}/ebtables-legacy ix, - @{sbin}/ebtables-legacy-restore ix, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, @{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-nft-multi mix, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 9ccd02275..b0d606701 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-bios-setup +@{exec_path} = @{bin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index ff17c160a..d4460a3cf 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0ae174b09..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{sbin}/tcsh rix, + @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index eddcaedf7..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/iwctl +@{exec_path} = @{bin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ecd23ce53..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon 
+++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index f4fcfa50d..6431ee98a 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,7 +83,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/which rix, @{sbin}/xtables-nft-multi rix, @@ -110,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 096fe276c..4e5bba684 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{sbin}/ip rPx, + @{bin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index bb877ec1a..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,7 +35,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/resolvectl rPx, @{sbin}/xtables-nft-multi rix, 
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index e8ece5c88..c89a12a47 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,7 +21,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/mv rix, @{sbin}/nft rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 9eafb72a9..1f1fc66eb 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -42,10 +42,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{sbin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96..6cf3b824c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -97,7 +97,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, @{sbin}/update-grub rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index fe1bc5781..ce41d6ae8 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,6 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 3ca55909d..9fd065db3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan 
+++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -17,7 +17,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 575481de2..916279378 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 87ffb3f4a..b6111750b 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,7 +38,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index d71eb9ec1..1de016aea 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 94fa568a3..4d730602d 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -116,7 +116,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/virtlogd rPx, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper 
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index bf7daf85e..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -17,7 +17,6 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index d971d22f3..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/adduser @{sbin}/group +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf..c4741b09a 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aa0a365fd..aea3cbf01 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -28,7 +28,7 @@ profile atd @{exec_path} { @{sh_path} rix, @{sbin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 965e0dc3a..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx 
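Review bot: The new `@{exec_path} = @{sbin}/adduser` in the adduser hunk no longer names the group variant that the removed line listed, and nothing in the profile records why that is safe. If the group command is a symlink to adduser, attachment should still follow the resolved binary, but that is not visible from this hunk; a comment above the assignment such as `# addgroup is a symlink to adduser and attaches through the resolved path` would record the assumption. The deluser hunk narrows `@{exec_path}` the same way by dropping `@{sbin}/delgroup` and deserves the same comment. If either command is a separate binary on a supported distribution, it would now run without this profile, so this is worth confirming.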
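Review bot: `@{sbin}/update-alternatives rPx` in the adequate hunk matches only the sbin path, while on Debian-family systems the real binary is, as far as I know, /usr/bin/update-alternatives with the sbin name kept as a compatibility symlink. Exec rules and profile attachment are evaluated against the resolved path, so this transition may be denied there unless `@{sbin}` also covers the bin directory; the hunk does not show how the variable expands. The same change is made in the kernel, initramfs-hooks and initramfs-scripts hunks and in the `@{exec_path}` of the update-alternatives profile itself. If both locations exist on supported distributions, keep both, for example `@{exec_path} = @{bin}/update-alternatives @{sbin}/update-alternatives` in the profile and a matching `@{bin}/update-alternatives rPx,` next to each caller rule.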
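Review bot: `@{exec_path} = @{bin}/atd` in the first atd hunk moves the attachment path of a daemon that, to my knowledge, Debian and Ubuntu install as /usr/sbin/atd. The tests/sbin.list context in this same patch shows `aspell-autobuildhash` directly followed by `audisp-af_unix`, so the list has no `atd` entry, which is presumably why the profile was switched to `@{bin}`. On a system where sbin is a separate directory the profile would stop attaching and atd would run unconfined. I would add `atd` to tests/sbin.list and keep `@{exec_path} = @{sbin}/atd`.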
@@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index cecb0e22d..bb7dfd3b8 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -31,7 +31,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f5d6f0a7..3505126ad 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/deluser @{sbin}/delgroup +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include @@ -20,7 +20,7 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/crontab rPx, + @{bin}/crontab rPx, @{bin}/gpasswd rPx, @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index d5505ff86..9a7e77902 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 9aaccaa16..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/exim4 +@{exec_path} = @{sbin}/exim4 profile exim4 @{exec_path} flags=(attach_disconnected) { include include 
diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 21d2a1cf8..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -21,7 +21,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/xtables-nft-multi rix, - @{sbin}/iptables rix, + @{bin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 42169dd6d..3c641f8e1 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,7 +19,7 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a2..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{sbin}/ip rCx -> ip, + @{bin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{sbin}/ip mr, + @{bin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 3495bcc80..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ip +@{exec_path} = @{bin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index 628728846..c6dfa762a 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ipcalc +@{exec_path} = @{bin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 2382ea062..133cf8ae7 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,7 +38,7 @@ profile kernel @{exec_path} { @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/dkms rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index b4f3ac2f4..aeb125ef2 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -18,7 +18,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{sbin}/blkid Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 85437017b..485520ca0 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -20,7 +20,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 8b8968464..cd2ddc0e6 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/modprobed-db +@{exec_path} = @{bin}/modprobed-db profile modprobed-db @{exec_path} { include include 
diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index b45dd3986..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/setpci +@{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 8b66b652f..6ff0fe7e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{sbin}/ip rix, + @{bin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..68ddb97a5 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index d0fc54b7c..e23d4db43 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 6f4c120a0..023644eb0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage 
@@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b2cfe0091..b6764ba0e 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -24,7 +24,7 @@ profile wpa-action @{exec_path} { @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/tests/sbin.list b/tests/sbin.list index d2b5c44bc..15373846c 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -37,6 +37,7 @@ apparmor_status applygnupgdefaults aptd argdist-bpfcc +arp arpd aspell-autobuildhash audisp-af_unix @@ -64,6 +65,7 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode +biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -102,6 +104,7 @@ cgdisk chat chcpu check_mail_queue +check-bios-nx checkproc chgpasswd chkstat-polkit @@ -161,6 +164,7 @@ dmevent_tool dmeventd dmfilemapd dmidecode +dmidecode dmraid dmsetup dnsmasq @@ -236,6 +240,7 @@ flushb fonts-config fsadm fsck +fsck. fsck.btrfs fsck.cramfs fsck.exfat @@ -302,6 +307,7 @@ hdparm hwclock hwinfo iconvconfig +ifconfig ifrename ifstat import-openSUSE-build-key @@ -334,6 +340,7 @@ isosize ispell-autobuildhash isserial issue-generator +iucode_tool iw iwconfig iwevent @@ -362,6 +369,7 @@ killsnoop.bt klockstat-bpfcc klogd kpartx +kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -386,6 +394,7 @@ lpmove luksformat lvm lvm_import_vdo +lvmconfig lvmdump lvmpolld lwepgen @@ -405,6 +414,7 @@ mkdict mkdosfs mke2fs mkfs +mkfs. mkfs.bfs mkfs.btrfs mkfs.cramfs @@ -480,6 +490,7 @@ opensnoop.bt openvpn overlayroot-chroot ownership +ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv 
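Review bot: The added `biosdecode` line in tests/sbin.list duplicates the context line directly above it, so the list now holds the name twice. The same happens with the added `dmidecode`, `ownership` and `vpddecode` lines in later hunks of this file. Duplicates do not change a membership lookup, but they would trip any uniqueness check on the list and make later diffs noisy; I would drop the four added lines.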
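Review bot: The added tests/sbin.list entry `fsck.` ends in a bare dot and names no binary; it looks like a truncated name or a pattern whose wildcard was lost. The `mkfs.` entry added a few hunks later has the same shape. The concrete helpers (`fsck.btrfs`, `mkfs.bfs` and the rest) are already listed, so a plain name comparison would presumably never match these two lines. Either remove them, or, if the consumer of the list treats a trailing dot as a prefix, document that convention where the list is read.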
@@ -547,6 +558,7 @@ rcxdm rcxvnc rdma rdmaucma-bpfcc +rdmsr readahead-bpfcc readprofile realm @@ -558,11 +570,13 @@ request-key reset-trace-bpfcc resize2fs resizepart +resolvconf rfkill rmt-tar rndc rndc-confgen rngd +route routel rpc.gssd rpc.idmapd @@ -778,6 +792,7 @@ visudo vmcore-dmesg vncsession vpddecode +vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc @@ -789,6 +804,7 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt +wrmsr xfs_admin xfs_bmap xfs_copy