felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin).

Browse source
This commit is contained in:
Alexandre Pujol 2025-06-05 00:35:43 +02:00
parent c8f2a435f8
commit 6ed873aad3
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
54 changed files with 75 additions and 70 deletions
Download patch file Download diff file Expand all files Collapse all files

6
apparmor.d/abstractions/app/kmod
View file

@ -8,12 +8,6 @@
include <abstractions/consoles> include <abstractions/consoles>
@{bin}/kmod mr, @{bin}/kmod mr,
@{sbin}/depmod mr,
@{sbin}/insmod mr,
@{sbin}/lsmod mr,
@{sbin}/modinfo mr,
@{sbin}/modprobe mr,
@{sbin}/rmmod mr,
@{lib}/modprobe.d/ r, @{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r, @{lib}/modprobe.d/*.conf r,

2
apparmor.d/groups/apt/apt-listchanges
View file

@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} {
@{pager_path} Cx -> pager, @{pager_path} Cx -> pager,
@{bin}/dpkg Px -> child-dpkg, @{bin}/dpkg Px -> child-dpkg,
@{bin}/exim4 Px, # Send results using email @{sbin}/exim4 Px, # Send results using email
/usr/share/apt-listchanges/{,**} r, /usr/share/apt-listchanges/{,**} r,

2
apparmor.d/groups/apt/debsecan
View file

@ -27,7 +27,7 @@ profile debsecan @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
# Send results using email # Send results using email
@{bin}/exim4 rPx, @{sbin}/exim4 rPx,
/etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf.d/{,*} r,
/etc/apt/apt.conf r, /etc/apt/apt.conf r,

2
apparmor.d/groups/apt/reportbug
View file

@ -40,7 +40,7 @@ profile reportbug @{exec_path} {
@{bin}/stty rix, @{bin}/stty rix,
/usr/share/reportbug/handle_bugscript rix, /usr/share/reportbug/handle_bugscript rix,
@{bin}/exim4 rPx, @{sbin}/exim4 rPx,
@{bin}/apt-cache rPx, @{bin}/apt-cache rPx,
@{bin}/debconf-show rPx, @{bin}/debconf-show rPx,
@{bin}/debsums rPx, @{bin}/debsums rPx,

2
apparmor.d/groups/cron/anacron
View file

@ -17,7 +17,7 @@ profile anacron @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,
@{bin}/exim4 rPx, @{sbin}/exim4 rPx,
/ r, / r,
/etc/anacrontab r, /etc/anacrontab r,

2
apparmor.d/groups/cron/cron
View file

@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/exim4 rPx, @{sbin}/exim4 rPx,
@{bin}/ionice rix, @{bin}/ionice rix,
@{bin}/nice rix, @{bin}/nice rix,
@{bin}/run-parts rCx -> run-parts, @{bin}/run-parts rCx -> run-parts,

4
apparmor.d/groups/cron/cron-apt
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/cron-apt @{exec_path} = @{bin}/cron-apt
profile cron-apt @{exec_path} { profile cron-apt @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -46,7 +46,7 @@ profile cron-apt @{exec_path} {
@{bin}/apt-get rPx, @{bin}/apt-get rPx,
@{bin}/apt-file rPx, @{bin}/apt-file rPx,
@{bin}/aptitude{,-curses} rPx, @{bin}/aptitude{,-curses} rPx,
@{bin}/exim4 rPx, @{sbin}/exim4 rPx,
/usr/share/cron-apt/{,*} r, /usr/share/cron-apt/{,*} r,

6
apparmor.d/groups/cron/cron-exim4-base
View file

@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} {
@{bin}/hostname rix, @{bin}/hostname rix,
@{bin}/xargs rix, @{bin}/xargs rix,
@{bin}/find rix, @{bin}/find rix,
@{bin}/eximstats rix, @{sbin}/eximstats rix,
@{bin}/exim4 rPx, @{sbin}/exim4 rPx,
@{bin}/exim_tidydb rix, @{sbin}/exim_tidydb rix,
@{sbin}/start-stop-daemon rix, @{sbin}/start-stop-daemon rix,
@{sbin}/runuser rix, @{sbin}/runuser rix,

2
apparmor.d/groups/cron/crontab
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/crontab @{exec_path} = @{bin}/crontab
profile crontab @{exec_path} { profile crontab @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/authentication> include <abstractions/authentication>

2
apparmor.d/groups/cups/cupsd
View file

@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
@{bin}/gs rix, @{bin}/gs rix,
@{bin}/gsc rix, @{bin}/gsc rix,
@{bin}/hostname rix, @{bin}/hostname rix,
@{sbin}/ippfind rix, @{bin}/ippfind rix,
@{bin}/mktemp rix, @{bin}/mktemp rix,
@{bin}/printenv rix, @{bin}/printenv rix,
@{python_path} rix, @{python_path} rix,

2
apparmor.d/groups/filesystem/btrfs-find-root
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/btrfs-find-root @{exec_path} = @{sbin}/btrfs-find-root
profile btrfs-find-root @{exec_path} { profile btrfs-find-root @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read> include <abstractions/disks-read>

4
apparmor.d/groups/firewall/firewalld
View file

@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
@{bin}/alts ix, @{bin}/alts ix,
@{bin}/false ix, @{bin}/false ix,
@{bin}/kmod Cx -> kmod, @{bin}/kmod Cx -> kmod,
@{sbin}/ebtables-legacy ix, @{bin}/ebtables-legacy ix,
@{sbin}/ebtables-legacy-restore ix, @{bin}/ebtables-legacy-restore ix,
@{sbin}/ipset ix, @{sbin}/ipset ix,
@{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-legacy-multi ix,
@{sbin}/xtables-nft-multi mix, @{sbin}/xtables-nft-multi mix,

2
apparmor.d/groups/grub/grub-bios-setup
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/grub-bios-setup @{exec_path} = @{bin}/grub-bios-setup
profile grub-bios-setup @{exec_path} { profile grub-bios-setup @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/groups/grub/update-grub
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/update-grub{2,} @{exec_path} = @{sbin}/update-grub
profile update-grub @{exec_path} { profile update-grub @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/groups/kde/sddm-xsession
View file

@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} {
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/stat rix, @{bin}/stat rix,
@{bin}/tail rix, @{bin}/tail rix,
@{sbin}/tcsh rix, @{bin}/tcsh rix,
@{bin}/tempfile rix, @{bin}/tempfile rix,
@{bin}/touch rix, @{bin}/touch rix,
@{bin}/which{,.*} rix, @{bin}/which{,.*} rix,

2
apparmor.d/groups/network/iwctl
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/iwctl @{exec_path} = @{bin}/iwctl
profile iwctl @{exec_path} { profile iwctl @{exec_path} {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/groups/network/mullvad-daemon
View file

@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sbin}/ip rix, @{bin}/ip rix,
"/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/openvpn" rix,
"/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*.so*" mr,

6
apparmor.d/groups/network/openvpn
View file

@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
@{run}/openvpn/*.{pid,status} rw, @{run}/openvpn/*.{pid,status} rw,
@{run}/systemd/journal/dev-log r, @{run}/systemd/journal/dev-log r,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/systemd-ask-password rPx, @{bin}/systemd-ask-password rPx,
@{lib}/nm-openvpn-service-openvpn-helper rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx,
/etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn,
@ -83,7 +83,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{bin}/cut rix, @{bin}/cut rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/which rix, @{bin}/which rix,
@{sbin}/xtables-nft-multi rix, @{sbin}/xtables-nft-multi rix,
@ -110,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
@{bin}/{,e}grep rix, @{bin}/{,e}grep rix,
@{bin}/cut rix, @{bin}/cut rix,
@{bin}/env rix, @{bin}/env rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{sbin}/nft rix, @{sbin}/nft rix,
@{bin}/sed rix, @{bin}/sed rix,

2
apparmor.d/groups/network/tailscale
View file

@ -23,7 +23,7 @@ profile tailscale @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sbin}/ip rPx, @{bin}/ip rPx,
owner @{run}/tailscale/tailscaled.sock rw, owner @{run}/tailscale/tailscaled.sock rw,

2
apparmor.d/groups/network/tailscaled
View file

@ -35,7 +35,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/resolvectl rPx, @{bin}/resolvectl rPx,
@{sbin}/xtables-nft-multi rix, @{sbin}/xtables-nft-multi rix,

2
apparmor.d/groups/network/wg-quick
View file

@ -21,7 +21,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{bin}/cat rix, @{bin}/cat rix,
@{sbin}/ip rPx, @{bin}/ip rPx,
@{bin}/mv rix, @{bin}/mv rix,
@{sbin}/nft rix, @{sbin}/nft rix,
@{bin}/readlink rix, @{bin}/readlink rix,

5
apparmor.d/groups/pacman/mkinitcpio
View file

@ -42,10 +42,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
@{bin}/zcat rix, @{bin}/zcat rix,
@{bin}/zstd rix, @{bin}/zstd rix,
@{bin}/{depmod,insmod} rPx, @{bin}/kmod rPx,
@{bin}/{kmod,lsmod} rPx,
@{bin}/{modinfo,rmmod} rPx,
@{sbin}/modprobe rPx,
@{bin}/plymouth rPx, @{bin}/plymouth rPx,
@{sbin}/plymouth-set-default-theme rPx, @{sbin}/plymouth-set-default-theme rPx,
@{bin}/sbctl rPx, @{bin}/sbctl rPx,

2
apparmor.d/groups/pacman/pacman
View file

@ -97,7 +97,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
@{bin}/update-ca-trust rPx, @{bin}/update-ca-trust rPx,
@{bin}/update-desktop-database rPx, @{bin}/update-desktop-database rPx,
@{sbin}/update-grub rPx, @{sbin}/update-grub rPx,
@{sbin}/update-mime-database rPx, @{bin}/update-mime-database rPx,
@{bin}/vercmp rix, @{bin}/vercmp rix,
@{bin}/which rix, @{bin}/which rix,
@{bin}/xmlcatalog rix, @{bin}/xmlcatalog rix,

1
apparmor.d/groups/pacman/pacman-hook-depmod
View file

@ -16,7 +16,6 @@ profile pacman-hook-depmod @{exec_path} {
@{bin}/basename rix, @{bin}/basename rix,
@{bin}/bash rix, @{bin}/bash rix,
@{sbin}/depmod rPx,
@{bin}/kmod rPx, @{bin}/kmod rPx,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/rmdir rix, @{bin}/rmdir rix,

2
apparmor.d/groups/ubuntu/cron-ubuntu-fan
View file

@ -17,7 +17,7 @@ profile cron-ubuntu-fan @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{sbin}/fanctl rPx, @{sbin}/fanctl rPx,
@{bin}/grep rix, @{bin}/grep rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/mkdir rix, @{bin}/mkdir rix,
@{bin}/sed rix, @{bin}/sed rix,

2
apparmor.d/groups/ubuntu/subiquity-console-conf
View file

@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/grep rix, @{bin}/grep rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/mkdir rix, @{bin}/mkdir rix,
@{bin}/mv rix, @{bin}/mv rix,
@{bin}/sleep rix, @{bin}/sleep rix,

2
apparmor.d/groups/virt/cockpit-bridge
View file

@ -38,7 +38,7 @@ profile cockpit-bridge @{exec_path} {
@{bin}/cat ix, @{bin}/cat ix,
@{bin}/date ix, @{bin}/date ix,
@{bin}/find ix, @{bin}/find ix,
@{sbin}/ip ix, @{bin}/ip ix,
@{python_path} ix, @{python_path} ix,
@{bin}/test ix, @{bin}/test ix,
@{bin}/file ix, @{bin}/file ix,

2
apparmor.d/groups/virt/cockpit-update-motd
View file

@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{bin}/hostname rix, @{bin}/hostname rix,
@{sbin}/ip rPx, @{bin}/ip rPx,
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,

2
apparmor.d/groups/virt/libvirtd
View file

@ -116,7 +116,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{sbin}/virtlogd rPx, @{sbin}/virtlogd rPx,
@{sh_path} rix, @{sh_path} rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{sbin}/nft rix, @{sbin}/nft rix,
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper

1
apparmor.d/profiles-a-f/acpi-powerbtn
View file

@ -17,7 +17,6 @@ profile acpi-powerbtn flags=(attach_disconnected) {
@{bin}/pgrep rix, @{bin}/pgrep rix,
@{bin}/pinky rix, @{bin}/pinky rix,
@{bin}/sed rix, @{bin}/sed rix,
@{sbin}/shutdown rix,
/etc/acpi/powerbtn.sh rix, /etc/acpi/powerbtn.sh rix,
@{bin}/dbus-send Cx -> bus, @{bin}/dbus-send Cx -> bus,

2
apparmor.d/profiles-a-f/adduser
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/adduser @{sbin}/group @{exec_path} = @{sbin}/adduser
profile adduser @{exec_path} { profile adduser @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/profiles-a-f/adequate
View file

@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) {
# shared object file): ignored. # shared object file): ignored.
@{bin}/dpkg-query rpx, @{bin}/dpkg-query rpx,
# #
@{bin}/update-alternatives rPx, @{sbin}/update-alternatives rPx,
/var/lib/adequate/pending rwk, /var/lib/adequate/pending rwk,

4
apparmor.d/profiles-a-f/atd
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/atd @{exec_path} = @{bin}/atd
profile atd @{exec_path} { profile atd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/authentication> include <abstractions/authentication>
@ -28,7 +28,7 @@ profile atd @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{sbin}/sendmail rPUx, @{sbin}/sendmail rPUx,
@{bin}/exim4 rPx, @{sbin}/exim4 rPx,
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/limits.d/ r, @{etc_ro}/security/limits.d/ r,

2
apparmor.d/profiles-a-f/check-bios-nx
View file

@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} {
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{sbin}/rdmsr rPx, @{sbin}/rdmsr rPx,
owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fd/@{int} rw,

2
apparmor.d/profiles-a-f/claws-mail
View file

@ -31,7 +31,7 @@ profile claws-mail @{exec_path} flags=(complain) {
@{bin}/gpgconf rCx -> gpg, @{bin}/gpgconf rCx -> gpg,
@{bin}/orage rPUx, @{bin}/orage rPUx,
@{bin}/exim4 rPUx, @{sbin}/exim4 rPUx,
@{bin}/geany rPUx, @{bin}/geany rPUx,
/usr/share/publicsuffix/*.dafsa r, /usr/share/publicsuffix/*.dafsa r,

4
apparmor.d/profiles-a-f/deluser
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/deluser @{sbin}/delgroup @{exec_path} = @{sbin}/deluser
profile deluser @{exec_path} { profile deluser @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@ -20,7 +20,7 @@ profile deluser @{exec_path} {
@{exec_path} r, @{exec_path} r,
@{sh_path} rix, @{sh_path} rix,
@{sbin}/crontab rPx, @{bin}/crontab rPx,
@{bin}/gpasswd rPx, @{bin}/gpasswd rPx,
@{sbin}/groupdel rPx, @{sbin}/groupdel rPx,
@{bin}/mount rCx -> mount, @{bin}/mount rCx -> mount,

2
apparmor.d/profiles-a-f/dhclient-script
View file

@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} {
@{bin}/fold rix, @{bin}/fold rix,
@{bin}/head rix, @{bin}/head rix,
@{bin}/hostname rix, @{bin}/hostname rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/logger rix, @{bin}/logger rix,
@{bin}/mkdir rix, @{bin}/mkdir rix,
@{bin}/mv rix, @{bin}/mv rix,

2
apparmor.d/profiles-a-f/exim4
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/exim4 @{exec_path} = @{sbin}/exim4
profile exim4 @{exec_path} flags=(attach_disconnected) { profile exim4 @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system> include <abstractions/bus-system>

2
apparmor.d/profiles-a-f/fail2ban-server
View file

@ -21,7 +21,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{sbin}/xtables-nft-multi rix, @{sbin}/xtables-nft-multi rix,
@{sbin}/iptables rix, @{bin}/iptables rix,
@{bin}/ r, @{bin}/ r,
@{python_path} r, @{python_path} r,

2
apparmor.d/profiles-g-l/ifup
View file

@ -19,7 +19,7 @@ profile ifup @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{sh_path} rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{sbin}/route rix, @{sbin}/route rix,
@{bin}/seq rix, @{bin}/seq rix,
@{bin}/sleep rix, @{bin}/sleep rix,

4
apparmor.d/profiles-g-l/inxi
View file

@ -32,7 +32,7 @@ profile inxi @{exec_path} {
@{lib}/llvm-[0-9]*/bin/clang rix, @{lib}/llvm-[0-9]*/bin/clang rix,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{sbin}/ip rCx -> ip, @{bin}/ip rCx -> ip,
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
@{bin}/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,
@ -115,7 +115,7 @@ profile inxi @{exec_path} {
network netlink raw, network netlink raw,
@{sbin}/ip mr, @{bin}/ip mr,
@{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r,

2
apparmor.d/profiles-g-l/ip
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/ip @{exec_path} = @{bin}/ip
profile ip @{exec_path} flags=(attach_disconnected) { profile ip @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/profiles-g-l/ipcalc
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/ipcalc @{exec_path} = @{bin}/ipcalc
profile ipcalc @{exec_path} { profile ipcalc @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>

2
apparmor.d/profiles-g-l/kernel
View file

@ -38,7 +38,7 @@ profile kernel @{exec_path} {
@{bin}/apt-config rPx, @{bin}/apt-config rPx,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/update-alternatives rPx, @{sbin}/update-alternatives rPx,
@{sbin}/dkms rPx, @{sbin}/dkms rPx,
@{sbin}/update-grub rPx, @{sbin}/update-grub rPx,
@{sbin}/update-initramfs rPx, @{sbin}/update-initramfs rPx,

2
apparmor.d/profiles-m-r/initramfs-hooks
View file

@ -18,7 +18,7 @@ profile initramfs-hooks @{exec_path} {
@{bin}/ischroot Px, @{bin}/ischroot Px,
@{bin}/ldd Cx -> ldd, @{bin}/ldd Cx -> ldd,
@{bin}/plymouth Px, @{bin}/plymouth Px,
@{bin}/update-alternatives Px, @{sbin}/update-alternatives Px,
@{sbin}/blkid Px, @{sbin}/blkid Px,
@{lib}/dracut/dracut-install Px, @{lib}/dracut/dracut-install Px,
@{lib}/initramfs-tools/bin/busybox ix, @{lib}/initramfs-tools/bin/busybox ix,

2
apparmor.d/profiles-m-r/initramfs-scripts
View file

@ -20,7 +20,7 @@ profile initramfs-scripts @{exec_path} {
@{bin}/ischroot Px, @{bin}/ischroot Px,
@{bin}/ldd Cx -> ldd, @{bin}/ldd Cx -> ldd,
@{bin}/plymouth Px, @{bin}/plymouth Px,
@{bin}/update-alternatives Px, @{sbin}/update-alternatives Px,
@{lib}/dracut/dracut-install Px, @{lib}/dracut/dracut-install Px,
@{lib}/initramfs-tools/bin/busybox Px, @{lib}/initramfs-tools/bin/busybox Px,
/usr/share/mdadm/mkconf Px, /usr/share/mdadm/mkconf Px,

2
apparmor.d/profiles-m-r/modprobed-db
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/modprobed-db @{exec_path} = @{bin}/modprobed-db
profile modprobed-db @{exec_path} { profile modprobed-db @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>

2
apparmor.d/profiles-s-z/setpci
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{sbin}/setpci @{exec_path} = @{bin}/setpci
profile setpci @{exec_path} flags=(complain) { profile setpci @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/profiles-s-z/syncthing
View file

@ -23,7 +23,7 @@ profile syncthing @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
@{open_path} rPx -> child-open, @{open_path} rPx -> child-open,
@{sbin}/ip rix, @{bin}/ip rix,
/usr/share/mime/{,**} r, /usr/share/mime/{,**} r,

2
apparmor.d/profiles-s-z/update-alternatives
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/update-alternatives @{exec_path} = @{sbin}/update-alternatives
profile update-alternatives @{exec_path} { profile update-alternatives @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>

2
apparmor.d/profiles-s-z/wechat
View file

@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) {
@{bin}/mkdir ix, @{bin}/mkdir ix,
@{bin}/gawk rix, @{bin}/gawk rix,
@{bin}/lsblk rPx, @{bin}/lsblk rPx,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/xdg-user-dir rix, @{bin}/xdg-user-dir rix,
@{open_path} rpx -> child-open-strict, @{open_path} rpx -> child-open-strict,

2
apparmor.d/profiles-s-z/wechat-appimage
View file

@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
@{bin}/mkdir ix, @{bin}/mkdir ix,
@{bin}/gawk rix, @{bin}/gawk rix,
@{bin}/lsblk rPx, @{bin}/lsblk rPx,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/xdg-user-dir rix, @{bin}/xdg-user-dir rix,
@{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix,
@{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix,

2
apparmor.d/profiles-s-z/wpa-action
View file

@ -24,7 +24,7 @@ profile wpa-action @{exec_path} {
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/date rix, @{bin}/date rix,
@{bin}/ifup rix, @{bin}/ifup rix,
@{sbin}/ip rix, @{bin}/ip rix,
@{bin}/ln rix, @{bin}/ln rix,
@{bin}/logger rix, @{bin}/logger rix,
@{bin}/rm rix, @{bin}/rm rix,

16
tests/sbin.list
View file

@ -37,6 +37,7 @@ apparmor_status
applygnupgdefaults applygnupgdefaults
aptd aptd
argdist-bpfcc argdist-bpfcc
arp
arpd arpd
aspell-autobuildhash aspell-autobuildhash
audisp-af_unix audisp-af_unix
@ -64,6 +65,7 @@ biolatency.bt
biolatpcts-bpfcc biolatpcts-bpfcc
biopattern-bpfcc biopattern-bpfcc
biosdecode biosdecode
biosdecode
biosnoop-bpfcc biosnoop-bpfcc
biosnoop.bt biosnoop.bt
biostacks.bt biostacks.bt
@ -102,6 +104,7 @@ cgdisk
chat chat
chcpu chcpu
check_mail_queue check_mail_queue
check-bios-nx
checkproc checkproc
chgpasswd chgpasswd
chkstat-polkit chkstat-polkit
@ -161,6 +164,7 @@ dmevent_tool
dmeventd dmeventd
dmfilemapd dmfilemapd
dmidecode dmidecode
dmidecode
dmraid dmraid
dmsetup dmsetup
dnsmasq dnsmasq
@ -236,6 +240,7 @@ flushb
fonts-config fonts-config
fsadm fsadm
fsck fsck
fsck.
fsck.btrfs fsck.btrfs
fsck.cramfs fsck.cramfs
fsck.exfat fsck.exfat
@ -302,6 +307,7 @@ hdparm
hwclock hwclock
hwinfo hwinfo
iconvconfig iconvconfig
ifconfig
ifrename ifrename
ifstat ifstat
import-openSUSE-build-key import-openSUSE-build-key
@ -334,6 +340,7 @@ isosize
ispell-autobuildhash ispell-autobuildhash
isserial isserial
issue-generator issue-generator
iucode_tool
iw iw
iwconfig iwconfig
iwevent iwevent
@ -362,6 +369,7 @@ killsnoop.bt
klockstat-bpfcc klockstat-bpfcc
klogd klogd
kpartx kpartx
kvm-ok
kvmexit-bpfcc kvmexit-bpfcc
ldattach ldattach
ldconfig ldconfig
@ -386,6 +394,7 @@ lpmove
luksformat luksformat
lvm lvm
lvm_import_vdo lvm_import_vdo
lvmconfig
lvmdump lvmdump
lvmpolld lvmpolld
lwepgen lwepgen
@ -405,6 +414,7 @@ mkdict
mkdosfs mkdosfs
mke2fs mke2fs
mkfs mkfs
mkfs.
mkfs.bfs mkfs.bfs
mkfs.btrfs mkfs.btrfs
mkfs.cramfs mkfs.cramfs
@ -480,6 +490,7 @@ opensnoop.bt
openvpn openvpn
overlayroot-chroot overlayroot-chroot
ownership ownership
ownership
pam_extrausers_chkpwd pam_extrausers_chkpwd
pam_extrausers_update pam_extrausers_update
pam_getenv pam_getenv
@ -547,6 +558,7 @@ rcxdm
rcxvnc rcxvnc
rdma rdma
rdmaucma-bpfcc rdmaucma-bpfcc
rdmsr
readahead-bpfcc readahead-bpfcc
readprofile readprofile
realm realm
@ -558,11 +570,13 @@ request-key
reset-trace-bpfcc reset-trace-bpfcc
resize2fs resize2fs
resizepart resizepart
resolvconf
rfkill rfkill
rmt-tar rmt-tar
rndc rndc
rndc-confgen rndc-confgen
rngd rngd
route
routel routel
rpc.gssd rpc.gssd
rpc.idmapd rpc.idmapd
@ -778,6 +792,7 @@ visudo
vmcore-dmesg vmcore-dmesg
vncsession vncsession
vpddecode vpddecode
vpddecode
vpnc vpnc
vpnc-disconnect vpnc-disconnect
wakeuptime-bpfcc wakeuptime-bpfcc
@ -789,6 +804,7 @@ wpa_passphrase
wpa_supplicant wpa_supplicant
wqlat-bpfcc wqlat-bpfcc
writeback.bt writeback.bt
wrmsr
xfs_admin xfs_admin
xfs_bmap xfs_bmap
xfs_copy xfs_copy