feat(profile): more use @{etc_ro} when we know it is needed.

2025-01-25 22:31:29 +01:00 · 2025-01-25 22:31:29 +01:00 · 8806030a0a
commit 8806030a0a
parent 4e73f7209f
30 changed files with 49 additions and 45 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -181,12 +181,12 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /var/lib/*/ r,
  /var/tmp/ r,

+  @{etc_ro}/environment r,
+  @{etc_ro}/environment.d/{,**} r,
  /etc/binfmt.d/{,**} r,
  /etc/conf.d/{,**} r,
  /etc/credstore.encrypted/{,**} r,
  /etc/credstore/{,**} r,
-  /etc/environment r,
-  /etc/environment.d/{,**} r,
  /etc/machine-id r,
  /etc/modules-load.d/{,**} r,
  /etc/systemd/{,**} r,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -62,6 +62,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  /usr/share/distro-info/* r,

+  @{etc_ro}/security/capability.conf r,
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
@ -79,7 +80,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/pki/fwupd/{,**} r,
  /etc/profile.d/* r,
-  /etc/security/capability.conf r,
  /etc/update-manager/{,**} r,
  /etc/update-motd.d/* r,
  /etc/vmware-tools/* r,
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -28,10 +28,10 @@ profile crontab @{exec_path} {
  @{sh_path}             rix,
  @{editor_path}         rCx -> editor,

+  @{etc_ro}/environment r,
+  @{etc_ro}/security/*.conf r,
  /etc/cron.{allow,deny} r,
-  /etc/environment r,
  /etc/pam.d/* r,
-  /etc/security/*.conf r,

  /var/spool/cron/ r,
  /var/spool/cron/** rw,
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@ -56,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xgreeters/{,**} r,

+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*} r,
  /etc/default/locale r,
-  /etc/environment r,
  /etc/lightdm/{,**} r,
  /etc/machine-id r,
-  /etc/security/limits.d/{,*} r,
  /etc/shells r,

  /var/cache/lightdm/dmrc/*.dmrc* rw,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -46,8 +46,8 @@ profile gnome-initial-setup @{exec_path} {
  /usr/share/gnome-initial-setup/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,

-  /etc/security/pwquality.conf r,
-  /etc/security/pwquality.conf.d/{,**} r,
+  @{etc_ro}/security/pwquality.conf r,
+  @{etc_ro}/security/pwquality.conf.d/{,**} r,
  /etc/timezone r,

  /etc/gdm{,3}/custom.conf r,
--- a/apparmor.d/groups/hyprland/hyprlock
+++ b/apparmor.d/groups/hyprland/hyprlock
@ -19,7 +19,7 @@ profile hyprlock @{exec_path} {

  @{exec_path} mr,

-  /etc/security/faillock.conf r,
+  @{etc_ro}/security/faillock.conf r,
  /etc/shells r,

  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} {
  /usr/share/xsessions/{,*.desktop} r,
  /usr/share/hunspell/* r,

-  /{usr/,}etc/environment r,
-  /{usr/,}etc/login.defs r,
-  /{usr/,}etc/login.defs.d/ r,
-  /{usr/,}etc/security/*.conf r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/ r,
+  @{etc_ro}/security/*.conf r,
  /etc/fstab r,
  /etc/machine-id r,
+  /etc/os-release r,
  /etc/pam.d/* r,
  /etc/shells r,
  /etc/xdg/kscreenlockerrc r,
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -128,9 +128,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  /etc/X11/xinit/xinitrc.d/{,*} r,

-  /{usr/,}etc/environment r,
-  /{usr/,}etc/security/limits.d/{,*.conf} r,
-  /{usr/,}etc/X11/Xmodmap r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
+  @{etc_ro}/X11/Xmodmap r,
  /etc/debuginfod/{,*} r,
  /etc/manpath.config r,
  /etc/default/locale r,
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -33,8 +33,8 @@ profile apport @{exec_path} flags=(attach_disconnected) {

  /usr/share/apport/{,**} r,

+  @{etc_ro}/login.defs r,
  /etc/apport/report-ignore/{,**} r,
-  /etc/login.defs r,

  /var/lib/dpkg/info/ r,
  /var/lib/dpkg/info/*.list r,
--- a/apparmor.d/groups/ubuntu/apport-checkreports
+++ b/apparmor.d/groups/ubuntu/apport-checkreports
@ -20,9 +20,9 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected)  {
  /usr/share/dpkg/tupletable r,
  /usr/share/apport/ r,

+  @{etc_ro}/login.defs r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/default/apport r,
-  /etc/login.defs r,

  /var/crash/ r,

--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -67,9 +67,9 @@ profile cockpit-bridge @{exec_path} {
  /usr/share/file/** r,
  /usr/share/iproute2/* r,

+  @{etc_ro}/login.defs r,
  /etc/cockpit/{,**} r,
  /etc/httpd/conf/mime.types r,
-  /etc/login.defs r,
  /etc/machine-id r,
  /etc/mime.types r,
  /etc/motd r,