feat(profiles): new definition for MOUNTs, add MOUNTDIRS.

2022-06-12 22:51:37 +01:00 · 2022-06-12 22:51:37 +01:00 · 779853dc7f
commit 779853dc7f
parent 9493e783ce
62 changed files with 198 additions and 203 deletions
--- a/apparmor.d/profiles-a-f/badblocks
+++ b/apparmor.d/profiles-a-f/badblocks
@ -19,7 +19,7 @@ profile badblocks @{exec_path} {

  # A place for a list of already existing known bad blocks
  @{HOME}/* rwk,
-  @{MOUNTS}/*/** rwk,
+  @{MOUNTS}/** rwk,

  include if exists <local/badblocks>
 }
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@ -31,9 +31,9 @@ profile blkid @{exec_path} {

  # Image files
  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+  @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
-  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+  @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,

  include if exists <local/blkid>
 }
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@ -35,10 +35,10 @@ profile borg @{exec_path} {
  /{usr/,}bin/ccache                 rCx -> ccache,
  /{usr/,}bin/fusermount{,3}         rCx -> fusermount,

+  mount fstype=fuse -> @{MOUNTS}/,
  mount fstype=fuse -> @{MOUNTS}/*/,
-  mount fstype=fuse -> @{MOUNTS}/*/*/,
+  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
-  umount @{MOUNTS}/*/*/,

  /dev/fuse rw,

@ -114,8 +114,8 @@ profile borg @{exec_path} {

    /etc/fuse.conf r,

+    umount @{MOUNTS}/,
    umount @{MOUNTS}/*/,
-    umount @{MOUNTS}/*/*/,
  
    @{PROC}/@{pids}/mounts r,

--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@ -33,18 +33,18 @@ profile btrfs @{exec_path} {
  /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk,

  # Saved metadata
+  @{MOUNTS}/ r,
+  @{MOUNTS}/ext2_saved/ rw,
+  @{MOUNTS}/ext2_saved/image rw,
  @{MOUNTS}/*/ r,
  @{MOUNTS}/*/ext2_saved/ rw,
  @{MOUNTS}/*/ext2_saved/image rw,
-  @{MOUNTS}/*/*/ r,
-  @{MOUNTS}/*/*/ext2_saved/ rw,
-  @{MOUNTS}/*/*/ext2_saved/image rw,

  # To be able to manage btrfs volumes
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  /dev/btrfs-control rw,

--- a/apparmor.d/profiles-a-f/btrfs-find-root
+++ b/apparmor.d/profiles-a-f/btrfs-find-root
@ -15,9 +15,9 @@ profile btrfs-find-root @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/btrfs-find-root>
 }
--- a/apparmor.d/profiles-a-f/btrfs-image
+++ b/apparmor.d/profiles-a-f/btrfs-image
@ -17,9 +17,9 @@ profile btrfs-image @{exec_path} {

  # Image files
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/btrfs-image>
 }
--- a/apparmor.d/profiles-a-f/btrfs-map-logical
+++ b/apparmor.d/profiles-a-f/btrfs-map-logical
@ -15,9 +15,9 @@ profile btrfs-map-logical @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/btrfs-map-logical>
 }
--- a/apparmor.d/profiles-a-f/cfdisk
+++ b/apparmor.d/profiles-a-f/cfdisk
@ -25,13 +25,13 @@ profile cfdisk @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  # A place for backups
  owner @{HOME}/**.{bak,back} rwk,
-  owner @{MOUNTS}/*/**.{bak,back} rwk,
+  owner @{MOUNTS}/**.{bak,back} rwk,

  include if exists <local/cfdisk>
 }
--- a/apparmor.d/profiles-a-f/cgdisk
+++ b/apparmor.d/profiles-a-f/cgdisk
@ -17,13 +17,13 @@ profile cgdisk @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  # A place for backups
  owner @{HOME}/**.{bak,back} rwk,
-  owner @{MOUNTS}/*/**.{bak,back} rwk,
+  owner @{MOUNTS}/**.{bak,back} rwk,

  include if exists <local/cgdisk>
 }
--- a/apparmor.d/profiles-a-f/dumpe2fs
+++ b/apparmor.d/profiles-a-f/dumpe2fs
@ -19,9 +19,9 @@ profile dumpe2fs @{exec_path} {

  # Image files
  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+  @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
-  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+  @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,

  include if exists <local/dumpe2fs>
 }
--- a/apparmor.d/profiles-a-f/e2fsck
+++ b/apparmor.d/profiles-a-f/e2fsck
@ -28,9 +28,9 @@ profile e2fsck @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/e2fsck>
 }
--- a/apparmor.d/profiles-a-f/e2image
+++ b/apparmor.d/profiles-a-f/e2image
@ -19,9 +19,9 @@ profile e2image @{exec_path} {

  # A place for the metadata image file
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/e2image>
 }
--- a/apparmor.d/profiles-a-f/f3read
+++ b/apparmor.d/profiles-a-f/f3read
@ -13,14 +13,14 @@ profile f3read @{exec_path} {
  @{exec_path} mr,

  # USB drive mount locations
+  @{MOUNTDIRS} r,
+  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/*/ r,
-  /mnt/ r,

  # To be able to read h2w files
+  owner @{MOUNTDIRS}/[0-9]*.h2w r,
+  owner @{MOUNTS}/[0-9]*.h2w r,
  owner @{MOUNTS}/*/[0-9]*.h2w r,
-  owner @{MOUNTS}/*/*/[0-9]*.h2w r,
-  owner /mnt/[0-9]*.h2w r,

  include if exists <local/f3read>
 }
--- a/apparmor.d/profiles-a-f/f3write
+++ b/apparmor.d/profiles-a-f/f3write
@ -17,14 +17,14 @@ profile f3write @{exec_path} {
  @{exec_path} mr,

  # USB drive mount locations
+  @{MOUNTDIRS} r,
+  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/*/ r,
-  /mnt/ r,

  # To be able to write h2w files
+  owner @{MOUNTDIRS}/[0-9]*.h2w w,
+  owner @{MOUNTS}/[0-9]*.h2w w,
  owner @{MOUNTS}/*/[0-9]*.h2w w,
-  owner @{MOUNTS}/*/*/[0-9]*.h2w w,
-  owner /mnt/[0-9]*.h2w w,

  include if exists <local/f3write>
 }
--- a/apparmor.d/profiles-a-f/fdisk
+++ b/apparmor.d/profiles-a-f/fdisk
@ -27,13 +27,13 @@ profile fdisk @{exec_path} {

  # For disk images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  # For backups
  owner @{HOME}/**.{bak,back} rwk,
-  owner @{MOUNTS}/*/**.{bak,back} rwk,
+  owner @{MOUNTS}/**.{bak,back} rwk,

  include if exists <local/fdisk>
 }
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@ -24,7 +24,7 @@ profile fsck @{exec_path} {
  /etc/fstab r,

  # When a mount dir is passed to fsck as an argument.
-  @{MOUNTS}/*/ r,
+  @{MOUNTS}/ r,
  /boot/ r,
  /home/ r,

--- a/apparmor.d/profiles-a-f/fsck-fat
+++ b/apparmor.d/profiles-a-f/fsck-fat
@ -16,9 +16,9 @@ profile fsck-fat @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  owner @{run}/systemd/fsck.progress rw,

--- a/apparmor.d/profiles-a-f/fuseiso
+++ b/apparmor.d/profiles-a-f/fuseiso
@ -27,9 +27,9 @@ profile fuseiso @{exec_path} {

  # Image files to be mounted
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  owner @{HOME}/.mtab.fuseiso rwk,
  owner @{HOME}/.mtab.fuseiso.new rw,
@ -60,9 +60,9 @@ profile fuseiso @{exec_path} {

    # Image files to be mounted
    owner @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-    owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+    owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
    owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
-    owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+    owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,

  }