chore(profile): add abi and local include when missing.

2024-10-06 15:57:47 +01:00 · 2024-10-06 15:57:47 +01:00 · 7ccaab8234
commit 7ccaab8234
parent 105a9b4def
61 changed files with 84 additions and 28 deletions
--- a/apparmor.d/profiles-a-f/acpi-powerbtn
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn
@ -43,6 +43,8 @@ profile acpi-powerbtn flags=(attach_disconnected) {

          /dev/tty       rw,
    owner /dev/tty@{int} rw,
+
+    include if exists <local/acpi-powerbtn_fgconsole>
  }

  profile bus flags=(complain) {
--- a/apparmor.d/profiles-a-f/adequate
+++ b/apparmor.d/profiles-a-f/adequate
@ -64,6 +64,7 @@ profile adequate @{exec_path} flags=(complain) {
    @{lib}/@{multiarch}/ld-*.so rix,
    @{lib}{,x}32/ld-*.so        rix,

+    include if exists <local/adequate_ldd>
  }

  profile frontend flags=(complain) {
@ -98,6 +99,7 @@ profile adequate @{exec_path} flags=(complain) {

    /etc/shadow r,

+    include if exists <local/adequate_frontend>
  }

  profile pkg-config flags=(complain) {
@ -105,6 +107,7 @@ profile adequate @{exec_path} flags=(complain) {

    @{bin}/pkg-config mr,

+    include if exists <local/adequate_pkg-config>
  }

  include if exists <local/adequate>
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@ -39,7 +39,7 @@ profile anacron @{exec_path} {
    owner @{tmp}/#@{int} rw,
    owner @{tmp}/file@{rand6} rw,

-   include if exists <local/anacron_run_parts>
+    include if exists <local/anacron_run-parts>
  }

  include if exists <local/anacron>
--- a/apparmor.d/profiles-a-f/archivemount
+++ b/apparmor.d/profiles-a-f/archivemount
@ -29,7 +29,6 @@ profile archivemount @{exec_path} {

  /dev/fuse rw,

-
  profile fusermount {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
@ -52,6 +51,7 @@ profile archivemount @{exec_path} {

    @{PROC}/@{pid}/mounts r,

+    include if exists <local/archivemount_fusermount>
  }

  include if exists <local/archivemount>
--- a/apparmor.d/profiles-a-f/aspell-autobuildhash
+++ b/apparmor.d/profiles-a-f/aspell-autobuildhash
@ -69,6 +69,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
    owner @{PROC}/@{pid}/mounts r,
    @{HOME}/.Xauthority r,

+    include if exists <local/aspell-autobuildhash_frontend>
  }

  include if exists <local/aspell-autobuildhash>
--- a/apparmor.d/profiles-a-f/changestool
+++ b/apparmor.d/profiles-a-f/changestool
@ -33,6 +33,7 @@ profile changestool @{exec_path} {
    owner @{HOME}/@{XDG_GPG_DIR}/ r,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

+    include if exists <local/changestool_gpg>
  }

  include if exists <local/changestool>
--- a/apparmor.d/profiles-a-f/check-support-status
+++ b/apparmor.d/profiles-a-f/check-support-status
@ -65,7 +65,6 @@ profile check-support-status @{exec_path} {
  /usr/share/debian-security-support/ r,
  /usr/share/debian-security-support/* r,

-
  profile debconf-escape {
    include <abstractions/base>
    include <abstractions/perl>
@ -75,6 +74,7 @@ profile check-support-status @{exec_path} {

    owner @{tmp}/debian-security-support.postinst.*/output r,

+    include if exists <local/check-support-status_debconf-escape>
  }

  include if exists <local/check-support-status>
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@ -58,6 +58,7 @@ profile check-support-status-hook @{exec_path} {
          /tmp/ r,
    owner @{tmp}/debian-security-support.postinst.*/output r,

+    include if exists <local/check-support-status-hook_debconf-escape>
  }

  profile frontend {
@ -90,6 +91,7 @@ profile check-support-status-hook @{exec_path} {
    owner @{PROC}/@{pid}/mounts r,
    @{HOME}/.Xauthority r,

+    include if exists <local/check-support-status-hook_frontend>
  }

  profile runuser {
@ -124,6 +126,8 @@ profile check-support-status-hook @{exec_path} {

          /tmp/ r,
    owner @{tmp}/debian-security-support.postinst.*/output w,
+
+    include if exists <local/check-support-status-hook_runuser>
  }

  include if exists <local/check-support-status-hook>
--- a/apparmor.d/profiles-a-f/chpasswd
+++ b/apparmor.d/profiles-a-f/chpasswd
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+abi <abi/4.0>,
+
 include <tunables/global>

@{exec_path} = @{bin}/chpasswd
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
@ -66,6 +66,7 @@ profile claws-mail @{exec_path} flags=(complain) {
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

+    include if exists <local/claws-mail_gpg>
  }

  include if exists <local/claws-mail>
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@ -200,6 +200,7 @@ profile conky @{exec_path} {
    deny @{PROC}/@{pid}/net/route r,
    deny @{sys}/devices/**/hwmon/**/temp*_input r,

+    include if exists <local/conky_browse>
  }

  include if exists <local/conky>
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@ -2,6 +2,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+abi <abi/4.0>,
+
 include <tunables/global>

@{exec_path} = @{bin}/cupsd
--- a/apparmor.d/profiles-a-f/deluser
+++ b/apparmor.d/profiles-a-f/deluser
@ -48,6 +48,7 @@ profile deluser @{exec_path} {

    @{sys}/devices/virtual/block/**/name r,

+    include if exists <local/deluser_mount>
  }

  include if exists <local/deluser>
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@ -77,6 +77,7 @@ profile dhclient-script @{exec_path} {
    # file_inherit
    owner /var/lib/dhcp/dhclient.leases r,

+    include if exists <local/dhclient-script_run-parts>
  }

  include if exists <local/dhclient-script>
--- a/apparmor.d/profiles-a-f/dlocate
+++ b/apparmor.d/profiles-a-f/dlocate
@ -49,7 +49,6 @@ profile dlocate @{exec_path} {

  / r,

-
  profile md5sum {
    include <abstractions/base>

@ -59,6 +58,7 @@ profile dlocate @{exec_path} {
    /boot/** r,
    /usr/** r,

+    include if exists <local/dlocate_md5sum>
  }

  include if exists <local/dlocate>
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@ -73,6 +73,7 @@ profile etckeeper @{exec_path} {

    owner @{PROC}/@{pid}/fd/ r,

+    include if exists <local/etckeeper_gpg>
  }

  include if exists <local/etckeeper>
--- a/apparmor.d/profiles-a-f/execute-dput
+++ b/apparmor.d/profiles-a-f/execute-dput
@ -46,6 +46,7 @@ profile execute-dput @{exec_path} flags=(complain) {
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

+    include if exists <local/execute-dput_gpg>
  }

  include if exists <local/execute-dput>
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@ -121,6 +121,7 @@ profile frontend @{exec_path} flags=(complain) {
          /tmp/     r,
    owner @{tmp}/**   rw,

+    include if exists <local/frontend_scripts>
  }

  include if exists <local/frontend>
--- a/apparmor.d/profiles-a-f/fuseiso
+++ b/apparmor.d/profiles-a-f/fuseiso
@ -58,6 +58,7 @@ profile fuseiso @{exec_path} {

    /dev/fuse rw,

+    include if exists <local/fuseiso_fusermount>
  }

  include if exists <local/fuseiso>
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@ -54,7 +54,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
  profile bus flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/app/bus>
-    include if exists <local/fwupdmgr_dbus>
+    include if exists <local/fwupdmgr_bus>
  }

  include if exists <local/fwupdmgr>