feat(profile): more use @{etc_ro} when we know it is needed.

2025-01-25 22:31:29 +01:00 · 2025-01-25 22:31:29 +01:00 · 8806030a0a
commit 8806030a0a
parent 4e73f7209f
30 changed files with 49 additions and 45 deletions
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@ -24,15 +24,14 @@ profile agetty @{exec_path} {

  @{bin}/login rPx,

+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
  @{etc_rw}/issue r,
  /{,usr/}lib/os-release r,
  /{etc,run,lib,usr/lib}/issue r,
  /{etc,run,lib,usr/lib}/issue.d/{,*} r,
  /etc/inittab r,
-  /etc/login.defs r,
-  /etc/login.defs.d/{,*} r,
  /etc/os-release r,
-  /usr/etc/login.defs r,

        @{run}/credentials/getty@tty@{int}.service/ r,
        @{run}/credentials/serial-getty@ttyS@{int}.service/ r,
--- a/apparmor.d/profiles-a-f/chage
+++ b/apparmor.d/profiles-a-f/chage
@ -20,7 +20,7 @@ profile chage @{exec_path} {

  @{exec_path} mr,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{passwd,shadow} rw,
  /etc/{passwd,shadow}.@{pid} w,
--- a/apparmor.d/profiles-a-f/chpasswd
+++ b/apparmor.d/profiles-a-f/chpasswd
@ -18,8 +18,9 @@ profile chpasswd @{exec_path} {

  @{exec_path} mr,

+  @{etc_ro}/login.defs r,
+
  /etc/.pwd.lock wk,
-  /etc/login.defs r,
  /etc/passwd rw,
  /etc/passwd.@{int} w,
  /etc/passwd.lock l -> /etc/passwd.@{int},
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@ -21,7 +21,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
  @{sh_path}         rix,
  @{bin}/apparmor_parser rPx,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,
+
  /etc/firejail/firejail.users r,
  /etc/firejail/firecfg.config r,