feat(profile): more use @{etc_ro} when we know it is needed.

2025-01-25 22:31:29 +01:00 · 2025-01-25 22:31:29 +01:00 · 8806030a0a
commit 8806030a0a
parent 4e73f7209f
30 changed files with 49 additions and 45 deletions
--- a/apparmor.d/profiles-m-r/newgrp
+++ b/apparmor.d/profiles-m-r/newgrp
@ -23,9 +23,9 @@ profile newgrp @{exec_path} {

  @{bin}/@{shells}     rUx,

-  /etc/{passwd,group,shadow,gshadow} r,
+  @{etc_ro}/login.defs r,

-  /etc/login.defs r,
+  /etc/{passwd,group,shadow,gshadow} r,

  owner @{PROC}/@{pid}/loginuid r,

--- a/apparmor.d/profiles-m-r/pwck
+++ b/apparmor.d/profiles-m-r/pwck
@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) {

  @{bin}/nscd rix,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,
+
  /etc/.pwd.lock wk,
  /etc/passwd rw,
  /etc/passwd.@{int} rw,