felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add debconf-escape, update dpkg-scripts.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-25 15:07:27 +02:00
parent 97fb69979f
commit 83b5b08c7e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
3 changed files with 34 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

19
apparmor.d/groups/apt/debconf-escape Normal file
View file

@ -0,0 +1,19 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/debconf-escape
profile debconf-escape @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
@{exec_path} mr,
include if exists <local/debconf-escape>
}
# vim:syntax=apparmor

15
apparmor.d/groups/apt/dpkg-scripts
View file

@ -26,11 +26,12 @@ profile dpkg-scripts @{exec_path} {
@{coreutils_path} rix, @{coreutils_path} rix,
@{bin}/run-parts rix, @{bin}/run-parts rix,
@{bin}/setpriv ix,
@{bin}/envsubst ix, @{bin}/envsubst ix,
@{bin}/file ix,
@{bin}/getent ix, @{bin}/getent ix,
@{bin}/gzip ix, @{bin}/gzip ix,
@{bin}/helpztags ix, @{bin}/helpztags ix,
@{bin}/setpriv ix,
@{bin}/tput ix, @{bin}/tput ix,
@{bin}/zcat ix, @{bin}/zcat ix,
@{lib}/ubuntu-advantage/cloud-id-shim.sh ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix,
@ -97,6 +98,18 @@ profile dpkg-scripts @{exec_path} {
capability sys_ptrace, capability sys_ptrace,
capability sys_resource, capability sys_resource,
@{bin}/systemd-tty-ask-password-agent Px,
@{pager_path} Px -> child-pager,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
@{run}/utmp rk, @{run}/utmp rk,
include if exists <local/dpkg-scripts_systemctl> include if exists <local/dpkg-scripts_systemctl>

1
dists/flags/main.flags
View file

@ -77,6 +77,7 @@ cupsd attach_disconnected,complain
ddcutil complain ddcutil complain
deb-systemd-helper complain deb-systemd-helper complain
deb-systemd-invoke complain deb-systemd-invoke complain
debconf-escape complain
decibels complain decibels complain
dino attach_disconnected,complain dino attach_disconnected,complain
discord complain discord complain