feat(profiles): new definition for MOUNTs, add MOUNTDIRS.

2022-06-12 22:51:37 +01:00 · 2022-06-12 22:51:37 +01:00 · 779853dc7f
commit 779853dc7f
parent 9493e783ce
62 changed files with 198 additions and 203 deletions
--- a/apparmor.d/profiles-g-l/gdisk
+++ b/apparmor.d/profiles-g-l/gdisk
@ -24,13 +24,13 @@ profile gdisk @{exec_path} {

  # For disk images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  # For backups
  owner @{HOME}/**.{bak,back} rwk,
-  owner @{MOUNTS}/*/**.{bak,back} rwk,
+  owner @{MOUNTS}/**.{bak,back} rwk,

  include if exists <local/gdisk>
 }
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@ -153,8 +153,8 @@ profile gpartedbin @{exec_path} {
    mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/,

    mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/,
+    mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
    mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
-    mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,

    @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/ r,
    @{sys}/devices/pci[0-9]*/**/block/{s,v}d[a-z]/dev r,
@ -176,8 +176,8 @@ profile gpartedbin @{exec_path} {
    umount /tmp/gparted-*/,

    umount /boot/,
+    umount @{MOUNTS}/,
    umount @{MOUNTS}/*/,
-    umount @{MOUNTS}/*/*/,

    owner @{PROC}/@{pid}/mountinfo r,

--- a/apparmor.d/profiles-g-l/hdparm
+++ b/apparmor.d/profiles-g-l/hdparm
@ -30,9 +30,9 @@ profile hdparm @{exec_path} flags=(complain) {

  # Image files
  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+  @{MOUNTS}/**.{iso,img,bin,mdf,nrg} r,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
-  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
+  @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} r,

  include if exists <local/hdparm>
 }
--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@ -29,7 +29,7 @@ profile keepassxc-proxy @{exec_path} {
  #
  deny owner @{HOME}/.mozilla/** rw,
  deny owner @{user_cache_dirs}/mozilla/** rw,
-  deny owner @{MOUNTS}/*/.mozilla/** rw,
+  deny owner @{MOUNTS}/.mozilla/** rw,
  deny owner /tmp/firefox*/.parentlock rw,
  deny owner /tmp/tmp-*.xpi rw,
  deny owner /tmp/tmpaddon r,