chore(profile): add abi and local include when missing.

Alexandre Pujol 2024-10-06 15:57:47 +01:00
parent 105a9b4def
commit 7ccaab8234
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
61 changed files with 84 additions and 28 deletions


@ -102,7 +102,7 @@ profile apt-key @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw,
include if exists <local/apt-key_pgp> include if exists <local/apt-key_gpg>
} }
include if exists <local/apt-key> include if exists <local/apt-key>
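Review bot: The renamed override paths in this commit fail silently for existing installs, because every one of them is `include if exists`: a site that keeps rules in the old file gets no parser error, the file just stops being read. Here `local/apt-key_pgp` becomes `local/apt-key_gpg`; the same applies to cron and anacron (`_run_parts` to `_run-parts`), fwupdmgr (`fwupdmgr_dbus`), journalctl (`local/systemd-journalctl`), imv (`local/imv-wayland`), xfce-panel (`xfce-panel-wrapper_root`), uupdate (`local/uupdates`) and whonix-firewall. An old file holding extra allow rules breaks the program after upgrade, and one holding `deny` rules leaves the profile looser than the admin intended, with nothing in the logs to show it. I would list the old and new names in the release notes. These were all hand-typed mismatches, so a CI check that every local include equals `local/<profile>` or `local/<profile>_<subprofile>` would catch the next one.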


@ -46,6 +46,7 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
/etc/shadow r, /etc/shadow r,
include if exists <local/debconf-apt-progress_frontend>
} }
include if exists <local/debconf-apt-progress> include if exists <local/debconf-apt-progress>


@ -45,6 +45,7 @@ profile dpkg-architecture @{exec_path} {
/etc/debian_version r, /etc/debian_version r,
include if exists <local/dpkg-architecture_ccache>
} }
include if exists <local/dpkg-architecture> include if exists <local/dpkg-architecture>


@ -74,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
include if exists <local/cron_run_parts> include if exists <local/cron_run-parts>
} }
include if exists <local/cron> include if exists <local/cron>


@ -33,6 +33,7 @@ profile cron-apt-listbugs @{exec_path} {
/var/spool/apt-listbugs/lastprefclean rw, /var/spool/apt-listbugs/lastprefclean rw,
include if exists <local/cron-apt-listbugs_prefclean>
} }
include if exists <local/cron-apt-listbugs> include if exists <local/cron-apt-listbugs>


@ -43,6 +43,7 @@ profile cron-debsums @{exec_path} {
owner @{PROC}/@{pid}/fd/3 rw, owner @{PROC}/@{pid}/fd/3 rw,
include if exists <local/cron-debsums_tee>
} }
include if exists <local/cron-debsums> include if exists <local/cron-debsums>


@ -152,7 +152,7 @@ profile cron-popularity-contest @{exec_path} {
owner @{tmp}/#@{int} rw, # file_inherit owner @{tmp}/#@{int} rw, # file_inherit
include if exists <local/cron-popularity-contest_/popcon-upload> include if exists <local/cron-popularity-contest_popcon-upload>
} }
include if exists <local/cron-popularity-contest> include if exists <local/cron-popularity-contest>


@ -39,7 +39,7 @@ profile xdg-desktop-icon @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/bus> include <abstractions/app/bus>
include <abstractions/bus-session> include <abstractions/bus-session>
include if exists <local/xdg-settings_bus> include if exists <local/xdg-desktop-icon_bus>
} }
include if exists <local/xdg-desktop-icon> include if exists <local/xdg-desktop-icon>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default @{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default
profile gdm-defaut @{exec_path} flags=(complain) { profile gdm-prime-defaut @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
@{exec_path} mr, @{exec_path} mr,
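Review bot: The new label `gdm-prime-defaut` names only the Prime script, while `@{exec_path}` two lines up still attaches the profile to both `/etc/gdm{3,}/Init/Default` and `/etc/gdm{3,}/Prime/Default`, and the name keeps the `defaut` spelling. The profile name is what appears in audit records and what other rules would reference, so a comment above the `profile` line would save the next reader a search, for example `# Named after the file; also attached to Init/Default.` The rest of the profile, including its closing local include, is outside this hunk, so it is worth confirming that the include was renamed to match.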


@ -90,6 +90,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
/etc/iproute2/rt_tables r, /etc/iproute2/rt_tables r,
/etc/iproute2/rt_tables.d/ r, /etc/iproute2/rt_tables.d/ r,
include if exists <local/openvpn_update-resolv>
} }
profile force-user-traffic-via-vpn { profile force-user-traffic-via-vpn {
@ -121,6 +122,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/sys/net/ipv{4,}/route/flush w, owner @{PROC}/sys/net/ipv{4,}/route/flush w,
include if exists <local/openvpn_force-user-traffic-via-vpn>
} }
include if exists <local/openvpn> include if exists <local/openvpn>


@ -60,7 +60,7 @@ profile yay @{exec_path} {
owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**,
owner @{user_config_dirs}/git/{,*} r, owner @{user_config_dirs}/git/{,*} r,
include if exists <local/pass_git> include if exists <local/yay_git>
} }
profile editor { profile editor {


@ -2,6 +2,8 @@
# Copyright (C) 2024 valoq <valoq@mailbox.org> # Copyright (C) 2024 valoq <valoq@mailbox.org>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{lib}/ssh/ssh-sk-helper @{exec_path} = @{lib}/ssh/ssh-sk-helper


@ -55,7 +55,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
deny network inet stream, deny network inet stream,
deny network inet6 stream, deny network inet6 stream,
include if exists <local/systemd-journalctl> include if exists <local/journalctl>
} }
# vim:syntax=apparmor # vim:syntax=apparmor


@ -50,7 +50,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/hostname r, @{PROC}/sys/kernel/hostname r,
@{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
include if exists <local/systemd-timesyncd> include if exists <local/systemd-resolved>
} }
# vim:syntax=apparmor # vim:syntax=apparmor


@ -109,6 +109,7 @@ profile subiquity-console-conf @{exec_path} {
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/etc/machine-id r, /etc/machine-id r,
include if exists <local/subiquity-console-conf_journalctl>
} }
include if exists <local/subiquity-console-conf> include if exists <local/subiquity-console-conf>


@ -87,6 +87,7 @@ profile ubuntu-advantage @{exec_path} {
/dev/kmsg w, /dev/kmsg w,
include if exists <local/ubuntu-advantage_systemctl>
} }
include if exists <local/ubuntu-advantage> include if exists <local/ubuntu-advantage>


@ -45,6 +45,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
/dev/tty@{int} rw, /dev/tty@{int} rw,
include if exists <local/update-motd-fsck-at-reboot_mount>
} }
include if exists <local/update-motd-fsck-at-reboot> include if exists <local/update-motd-fsck-at-reboot>


@ -290,6 +290,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pids}/status r, owner @{PROC}/@{pids}/status r,
/dev/net/tun rw, /dev/net/tun rw,
include if exists <local/libvirtd_qemu_bridge_helper>
} }
include if exists <usr/libvirtd> include if exists <usr/libvirtd>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/whonix_firewall @{lib}/whonix-firewall/reloadfirewall @{exec_path} = @{bin}/whonix_firewall @{lib}/whonix-firewall/reloadfirewall
profile whonix-firewall @{exec_path} { profile whonix-firewalld @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -45,7 +45,7 @@ profile whonix-firewall @{exec_path} {
owner @{run}/updatesproxycheck/{,**} rw, owner @{run}/updatesproxycheck/{,**} rw,
owner @{run}/whonix_firewall/{,**} rw, owner @{run}/whonix_firewall/{,**} rw,
include if exists <local/whonix-firewall> include if exists <local/whonix-firewalld>
} }
# vim:syntax=apparmor # vim:syntax=apparmor
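Review bot: Renaming the profile to `whonix-firewalld` changes the label the kernel attaches to `@{bin}/whonix_firewall` and `@{lib}/whonix-firewall/reloadfirewall`, so the change reaches beyond this file. No references are visible on this page, but any rule elsewhere in the tree that names the old label (a `peer=whonix-firewall` condition or a `-> whonix-firewall` transition target) would stop matching. Log filters or alerts keyed on the old name would also go quiet. A grep for `whonix-firewall` across the profiles and the project's test or log tooling should be part of this change. If the `d` suffix is there only to match the file name, a one-line comment saying so would help, since neither binary is called `firewalld`.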


@ -48,7 +48,7 @@ profile xfce-panel @{exec_path} {
@{bin}/lsblk rPx, @{bin}/lsblk rPx,
include if exists <local/xfce-panel-wrapper_root> include if exists <local/xfce-panel_root>
} }
include if exists <local/xfce-panel> include if exists <local/xfce-panel>


@ -43,6 +43,8 @@ profile acpi-powerbtn flags=(attach_disconnected) {
/dev/tty rw, /dev/tty rw,
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
include if exists <local/acpi-powerbtn_fgconsole>
} }
profile bus flags=(complain) { profile bus flags=(complain) {


@ -64,6 +64,7 @@ profile adequate @{exec_path} flags=(complain) {
@{lib}/@{multiarch}/ld-*.so rix, @{lib}/@{multiarch}/ld-*.so rix,
@{lib}{,x}32/ld-*.so rix, @{lib}{,x}32/ld-*.so rix,
include if exists <local/adequate_ldd>
} }
profile frontend flags=(complain) { profile frontend flags=(complain) {
@ -98,6 +99,7 @@ profile adequate @{exec_path} flags=(complain) {
/etc/shadow r, /etc/shadow r,
include if exists <local/adequate_frontend>
} }
profile pkg-config flags=(complain) { profile pkg-config flags=(complain) {
@ -105,6 +107,7 @@ profile adequate @{exec_path} flags=(complain) {
@{bin}/pkg-config mr, @{bin}/pkg-config mr,
include if exists <local/adequate_pkg-config>
} }
include if exists <local/adequate> include if exists <local/adequate>


@ -39,7 +39,7 @@ profile anacron @{exec_path} {
owner @{tmp}/#@{int} rw, owner @{tmp}/#@{int} rw,
owner @{tmp}/file@{rand6} rw, owner @{tmp}/file@{rand6} rw,
include if exists <local/anacron_run_parts> include if exists <local/anacron_run-parts>
} }
include if exists <local/anacron> include if exists <local/anacron>


@ -29,7 +29,6 @@ profile archivemount @{exec_path} {
/dev/fuse rw, /dev/fuse rw,
profile fusermount { profile fusermount {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@ -52,6 +51,7 @@ profile archivemount @{exec_path} {
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
include if exists <local/archivemount_fusermount>
} }
include if exists <local/archivemount> include if exists <local/archivemount>


@ -69,6 +69,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
include if exists <local/aspell-autobuildhash_frontend>
} }
include if exists <local/aspell-autobuildhash> include if exists <local/aspell-autobuildhash>


@ -33,6 +33,7 @@ profile changestool @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/ r,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
include if exists <local/changestool_gpg>
} }
include if exists <local/changestool> include if exists <local/changestool>


@ -65,7 +65,6 @@ profile check-support-status @{exec_path} {
/usr/share/debian-security-support/ r, /usr/share/debian-security-support/ r,
/usr/share/debian-security-support/* r, /usr/share/debian-security-support/* r,
profile debconf-escape { profile debconf-escape {
include <abstractions/base> include <abstractions/base>
include <abstractions/perl> include <abstractions/perl>
@ -75,6 +74,7 @@ profile check-support-status @{exec_path} {
owner @{tmp}/debian-security-support.postinst.*/output r, owner @{tmp}/debian-security-support.postinst.*/output r,
include if exists <local/check-support-status_debconf-escape>
} }
include if exists <local/check-support-status> include if exists <local/check-support-status>


@ -58,6 +58,7 @@ profile check-support-status-hook @{exec_path} {
/tmp/ r, /tmp/ r,
owner @{tmp}/debian-security-support.postinst.*/output r, owner @{tmp}/debian-security-support.postinst.*/output r,
include if exists <local/check-support-status-hook_debconf-escape>
} }
profile frontend { profile frontend {
@ -90,6 +91,7 @@ profile check-support-status-hook @{exec_path} {
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r, @{HOME}/.Xauthority r,
include if exists <local/check-support-status-hook_frontend>
} }
profile runuser { profile runuser {
@ -124,6 +126,8 @@ profile check-support-status-hook @{exec_path} {
/tmp/ r, /tmp/ r,
owner @{tmp}/debian-security-support.postinst.*/output w, owner @{tmp}/debian-security-support.postinst.*/output w,
include if exists <local/check-support-status-hook_runuser>
} }
include if exists <local/check-support-status-hook> include if exists <local/check-support-status-hook>


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/chpasswd @{exec_path} = @{bin}/chpasswd


@ -66,6 +66,7 @@ profile claws-mail @{exec_path} flags=(complain) {
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
include if exists <local/claws-mail_gpg>
} }
include if exists <local/claws-mail> include if exists <local/claws-mail>


@ -200,6 +200,7 @@ profile conky @{exec_path} {
deny @{PROC}/@{pid}/net/route r, deny @{PROC}/@{pid}/net/route r,
deny @{sys}/devices/**/hwmon/**/temp*_input r, deny @{sys}/devices/**/hwmon/**/temp*_input r,
include if exists <local/conky_browse>
} }
include if exists <local/conky> include if exists <local/conky>


@ -2,6 +2,8 @@
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/cupsd @{exec_path} = @{bin}/cupsd


@ -48,6 +48,7 @@ profile deluser @{exec_path} {
@{sys}/devices/virtual/block/**/name r, @{sys}/devices/virtual/block/**/name r,
include if exists <local/deluser_mount>
} }
include if exists <local/deluser> include if exists <local/deluser>


@ -77,6 +77,7 @@ profile dhclient-script @{exec_path} {
# file_inherit # file_inherit
owner /var/lib/dhcp/dhclient.leases r, owner /var/lib/dhcp/dhclient.leases r,
include if exists <local/dhclient-script_run-parts>
} }
include if exists <local/dhclient-script> include if exists <local/dhclient-script>


@ -49,7 +49,6 @@ profile dlocate @{exec_path} {
/ r, / r,
profile md5sum { profile md5sum {
include <abstractions/base> include <abstractions/base>
@ -59,6 +58,7 @@ profile dlocate @{exec_path} {
/boot/** r, /boot/** r,
/usr/** r, /usr/** r,
include if exists <local/dlocate_md5sum>
} }
include if exists <local/dlocate> include if exists <local/dlocate>


@ -73,6 +73,7 @@ profile etckeeper @{exec_path} {
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
include if exists <local/etckeeper_gpg>
} }
include if exists <local/etckeeper> include if exists <local/etckeeper>


@ -46,6 +46,7 @@ profile execute-dput @{exec_path} flags=(complain) {
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
include if exists <local/execute-dput_gpg>
} }
include if exists <local/execute-dput> include if exists <local/execute-dput>


@ -121,6 +121,7 @@ profile frontend @{exec_path} flags=(complain) {
/tmp/ r, /tmp/ r,
owner @{tmp}/** rw, owner @{tmp}/** rw,
include if exists <local/frontend_scripts>
} }
include if exists <local/frontend> include if exists <local/frontend>


@ -58,6 +58,7 @@ profile fuseiso @{exec_path} {
/dev/fuse rw, /dev/fuse rw,
include if exists <local/fuseiso_fusermount>
} }
include if exists <local/fuseiso> include if exists <local/fuseiso>


@ -54,7 +54,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
profile bus flags=(attach_disconnected) { profile bus flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/bus> include <abstractions/app/bus>
include if exists <local/fwupdmgr_dbus> include if exists <local/fwupdmgr_bus>
} }
include if exists <local/fwupdmgr> include if exists <local/fwupdmgr>


@ -94,7 +94,7 @@ profile gpartedbin @{exec_path} {
@{bin}/mount mr, @{bin}/mount mr,
include if exists <local/gpartedbin_umount> include if exists <local/gpartedbin_mount>
} }
profile umount { profile umount {


@ -67,6 +67,7 @@ profile i3lock-fancy @{exec_path} {
# file_inherit # file_inherit
owner /dev/tty@{int} rw, owner /dev/tty@{int} rw,
include if exists <local/i3lock-fancy_imagemagic>
} }
include if exists <local/i3lock-fancy> include if exists <local/i3lock-fancy>


@ -92,6 +92,7 @@ profile ifup @{exec_path} {
/etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/openvpn rPUx,
/etc/network/if-up.d/wpasupplicant rPUx, /etc/network/if-up.d/wpasupplicant rPUx,
include if exists <local/ifup_run-parts>
} }
profile kmod { profile kmod {


@ -25,7 +25,7 @@ profile imv @{exec_path} {
owner @{run}/user/@{uid}/imv-*.sock w, owner @{run}/user/@{uid}/imv-*.sock w,
include if exists <local/imv-wayland> include if exists <local/imv>
} }
# vim:syntax=apparmor # vim:syntax=apparmor


@ -48,6 +48,7 @@ profile initd-kexec-load @{exec_path} {
/etc/default/kexec.d/ r, /etc/default/kexec.d/ r,
include if exists <local/initd-kexec-load_run-parts>
} }
profile systemctl { profile systemctl {
@ -74,6 +75,7 @@ profile initd-kexec-load @{exec_path} {
owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password/ rw,
owner @{run}/systemd/ask-password-block/* rw, owner @{run}/systemd/ask-password-block/* rw,
include if exists <local/initd-kexec-load_systemctl>
} }
include if exists <local/initd-kexec-load> include if exists <local/initd-kexec-load>


@ -58,6 +58,7 @@ profile jmtpfs @{exec_path} {
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
include if exists <local/jmtpfs_fusermount>
} }
include if exists <local/jmtpfs> include if exists <local/jmtpfs>


@ -46,6 +46,7 @@ profile linux-check-removal @{exec_path} flags=(complain) {
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r, /usr/share/debconf/templates/adequate.templates r,
include if exists <local/linux-check-removal_frontend>
} }
include if exists <local/linux-check-removal> include if exists <local/linux-check-removal>


@ -2,6 +2,8 @@
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/murmurd @{exec_path} = @{bin}/murmurd


@ -48,6 +48,7 @@ profile obexfs @{exec_path} {
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
include if exists <local/obexfs_fusermount>
} }
include if exists <local/obexfs> include if exists <local/obexfs>


@ -60,6 +60,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
/etc/shadow r, /etc/shadow r,
include if exists <local/pam-auth-update_frontend>
} }
include if exists <local/pam-auth-update> include if exists <local/pam-auth-update>


@ -55,7 +55,6 @@ profile reprepro @{exec_path} {
owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.deb r,
owner @{user_build_dirs}/pbuilder/result/*.tar.* r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r,
profile gpg { profile gpg {
include <abstractions/base> include <abstractions/base>
@ -66,6 +65,7 @@ profile reprepro @{exec_path} {
owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
include if exists <local/reprepro_gpg>
} }
include if exists <local/reprepro> include if exists <local/reprepro>


@ -191,6 +191,8 @@ profile run-parts @{exec_path} {
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
/dev/tty@{int} rw, /dev/tty@{int} rw,
include if exists <local/run-parts_motd>
} }
profile kernel { profile kernel {
@ -248,6 +250,7 @@ profile run-parts @{exec_path} {
@{PROC}/devices r, @{PROC}/devices r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
include if exists <local/run-parts_kernel>
} }
include if exists <local/run-parts> include if exists <local/run-parts>


@ -50,7 +50,7 @@ profile sensors-detect @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
include if exists <local/sensors-detect_udevadm> include if exists <local/sensors-detect_kmod>
} }
profile systemctl { profile systemctl {


@ -40,13 +40,13 @@ profile tasksel @{exec_path} flags=(complain) {
owner @{tmp}/file* w, owner @{tmp}/file* w,
profile tasksel-tests flags=(complain) { profile tasksel-tests flags=(complain) {
include <abstractions/base> include <abstractions/base>
@{lib}/tasksel/tests/* r, @{lib}/tasksel/tests/* r,
@{sh_path} rix, @{sh_path} rix,
include if exists <local/tasksel_tasksel-tests>
} }
profile frontend flags=(complain) { profile frontend flags=(complain) {
@ -76,6 +76,7 @@ profile tasksel @{exec_path} flags=(complain) {
/etc/shadow r, /etc/shadow r,
include if exists <local/tasksel_frontend>
} }
include if exists <local/tasksel> include if exists <local/tasksel>


@ -58,6 +58,7 @@ profile update-dlocatedb @{exec_path} {
@{bin}/gzip rix, @{bin}/gzip rix,
/var/lib/dlocate/dlocatedb.gz rw, /var/lib/dlocate/dlocatedb.gz rw,
include if exists <local/update-dlocatedb_updatedb>
} }
include if exists <local/update-dlocatedb> include if exists <local/update-dlocatedb>


@ -62,6 +62,7 @@ profile update-pciids @{exec_path} {
/usr/share/misc/pci.ids.new w, /usr/share/misc/pci.ids.new w,
/usr/share/misc/pci.ids.gz.new w, /usr/share/misc/pci.ids.gz.new w,
include if exists <local/update-pciids_browse>
} }
include if exists <local/update-pciids> include if exists <local/update-pciids>


@ -58,6 +58,7 @@ profile update-smart-drivedb @{exec_path} {
owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/ rw, owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/ rw,
owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/**, owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/**,
include if exists <local/update-smart-drivedb_gpg>
} }
profile browse { profile browse {
@ -88,6 +89,7 @@ profile update-smart-drivedb @{exec_path} {
/var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w, /var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w,
include if exists <local/update-smart-drivedb_browse>
} }
include if exists <local/update-smart-drivedb> include if exists <local/update-smart-drivedb>


@ -50,7 +50,7 @@ profile uupdate @{exec_path} flags=(complain) {
# For package building # For package building
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
include if exists <local/uupdates> include if exists <local/uupdate>
} }
# vim:syntax=apparmor # vim:syntax=apparmor


@ -2,6 +2,8 @@
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/yadifad @{exec_path} = @{bin}/yadifad


@ -32,12 +32,6 @@ profile youtube-viewer @{exec_path} {
@{bin}/wget rCx -> wget, @{bin}/wget rCx -> wget,
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
owner @{user_cache_dirs}/youtube-viewer/{,*} rw,
owner @{HOME}/Downloads/youtube-viewer/{,*} rw,
/etc/inputrc r,
# Players # Players
@{bin}/mpv rPUx, @{bin}/mpv rPUx,
@{bin}/vlc rPUx, @{bin}/vlc rPUx,
@ -45,6 +39,11 @@ profile youtube-viewer @{exec_path} {
@{bin}/ffmpeg rPUx, @{bin}/ffmpeg rPUx,
/etc/inputrc r,
owner @{user_config_dirs}/youtube-viewer/{,*} rw,
owner @{user_cache_dirs}/youtube-viewer/{,*} rw,
owner @{HOME}/Downloads/youtube-viewer/{,*} rw,
profile wget { profile wget {
include <abstractions/base> include <abstractions/base>
@ -62,6 +61,7 @@ profile youtube-viewer @{exec_path} {
owner @{HOME}/.wget-hsts r, owner @{HOME}/.wget-hsts r,
owner @{HOME}/wget-log{,.@{int}} rw, owner @{HOME}/wget-log{,.@{int}} rw,
include if exists <local/youtube-viewer_wget>
} }
include if exists <local/youtube-viewer> include if exists <local/youtube-viewer>