From 8ae1118de61b750ae39ceebb40dc420931c07f9d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 28 Apr 2025 21:48:53 +0200
Subject: [PATCH] tests(check): ensure bin is not used instead of sbin.

---
 tests/check.sh  |  11 +
 tests/sbin.list | 738 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 749 insertions(+)
 create mode 100644 tests/sbin.list

diff --git a/tests/check.sh b/tests/check.sh
index 3ddda9827..e35fd8b39 100644
--- a/tests/check.sh
+++ b/tests/check.sh
@@ -106,6 +106,16 @@ _ensure_vim() {
     fi
 }
 
+check_sbin() {
+    echo -e "\033[1m ⋅ \033[0mEnsuring '@{sbin}' is used in all profiles:"
+    while IFS= read -r name; do
+        mapfile -t files < <(grep -l -R "@{bin}/$name" apparmor.d)
+        for file in "${files[@]}"; do
+            _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'"
+        done
+    done <tests/sbin.list
+}
+
 check_profiles() {
     echo -e "\033[1m ⋅ \033[0mChecking if all profiles contain:"
     echo "    - apparmor.d header & license"
@@ -170,5 +180,6 @@ check_abstractions() {
     done
 }
 
+check_sbin
 check_profiles
 check_abstractions
diff --git a/tests/sbin.list b/tests/sbin.list
new file mode 100644
index 000000000..3bc1941d1
--- /dev/null
+++ b/tests/sbin.list
@@ -0,0 +1,738 @@
+aa-audit
+aa-autodep
+aa-cleanprof
+aa-complain
+aa-decode
+aa-disable
+aa-enforce
+aa-genprof
+aa-load
+aa-logprof
+aa-mergeprof
+aa-remove-unknown
+aa-status
+aa-teardown
+aa-unconfined
+aa-update-browser
+accessdb
+acpid
+add-shell
+addgnupghome
+addgroup
+adduser
+agetty
+alsa
+alsa-info
+alsabat-test
+alsactl
+anacron
+apparmor_parser
+apparmor_status
+applygnupgdefaults
+aptd
+argdist-bpfcc
+arp
+arpd
+arptables
+arptables-nft
+arptables-nft-restore
+arptables-nft-save
+arptables-restore
+arptables-save
+aspell-autobuildhash
+audisp-af_unix
+audisp-filter
+audisp-syslog
+auditctl
+auditd
+augenrules
+aureport
+ausearch
+avahi-daemon
+badblocks
+bashreadline-bpfcc
+bashreadline.bt
+bcache-super-show
+bindsnoop-bpfcc
+biolatency-bpfcc
+biolatency-kp.bt
+biolatency.bt
+biolatpcts-bpfcc
+biopattern-bpfcc
+biosdecode
+biosnoop-bpfcc
+biosnoop.bt
+biostacks.bt
+biotop-bpfcc
+bitesize-bpfcc
+bitesize.bt
+blkdeactivate
+blkdiscard
+blkid
+blkpr
+blkzone
+blockdev
+bluetoothd
+bpflist-bpfcc
+bpftool
+bridge
+brltty-setup
+btrfsdist-bpfcc
+btrfsslower-bpfcc
+cache_check
+cache_dump
+cache_metadata_size
+cache_repair
+cache_restore
+cache_writeback
+cachestat-bpfcc
+cachetop-bpfcc
+capable-bpfcc
+capable.bt
+capsh
+cfdisk
+cgdisk
+chat
+chcpu
+check-bios-nx
+chgpasswd
+chmem
+chpasswd
+chroot
+cifs.idmap
+cifs.upcall
+cobjnew-bpfcc
+coldreboot
+compactsnoop-bpfcc
+cpgr
+cppw
+cpudist-bpfcc
+cpuunclaimed-bpfcc
+cpuwalk.bt
+cracklib-check
+cracklib-format
+cracklib-packer
+cracklib-unpacker
+create-cracklib-dict
+criticalstat-bpfcc
+cron
+cryptdisks_start
+cryptdisks_stop
+cryptsetup
+ctrlaltdel
+cups-browsed
+cupsaccept
+cupsctl
+cupsd
+cupsdisable
+cupsenable
+cupsfilter
+cupsreject
+dbslower-bpfcc
+dbstat-bpfcc
+dcb
+dcsnoop-bpfcc
+dcsnoop.bt
+dcstat-bpfcc
+deadlock-bpfcc
+debugfs
+debugfs.reiserfs
+debugreiserfs
+defrag.f2fs
+delgroup
+deluser
+depmod
+devlink
+dhcpcd
+dirtop-bpfcc
+dkms
+dmeventd
+dmidecode
+dmsetup
+dmstats
+dnsmasq
+dosfsck
+dosfslabel
+dpkg-preconfigure
+dpkg-reconfigure
+drsnoop-bpfcc
+dump.exfat
+dump.f2fs
+dumpe2fs
+e2freefrag
+e2fsck
+e2image
+e2label
+e2mmpstatus
+e2scrub
+e2scrub_all
+e2undo
+e4crypt
+e4defrag
+ebtables
+ebtables-nft
+ebtables-nft-restore
+ebtables-nft-save
+ebtables-restore
+ebtables-save
+ebtables-translate
+era_check
+era_dump
+era_invalidate
+era_restore
+ethtool
+execsnoop-bpfcc
+execsnoop.bt
+exfat2img
+exfatlabel
+exitsnoop-bpfcc
+ext4dist-bpfcc
+ext4slower-bpfcc
+f2fs_io
+f2fscrypt
+f2fslabel
+f2fsslower-bpfcc
+faillock
+fatlabel
+fdisk
+fibmap.f2fs
+filefrag
+filegone-bpfcc
+filelife-bpfcc
+fileslower-bpfcc
+filetop-bpfcc
+findfs
+firewalld
+fixparts
+fsadm
+fsck
+fsck.btrfs
+fsck.cramfs
+fsck.exfat
+fsck.ext2
+fsck.ext3
+fsck.ext4
+fsck.f2fs
+fsck.fat
+fsck.minix
+fsck.msdos
+fsck.reiserfs
+fsck.vfat
+fsck.xfs
+fsfreeze
+fstab-decode
+fstrim
+funccount-bpfcc
+funcinterval-bpfcc
+funclatency-bpfcc
+funcslower-bpfcc
+gdisk
+gdm3
+genl
+getcap
+gethostlatency-bpfcc
+gethostlatency.bt
+getpcaps
+getty
+getweb
+gnome-menus-blacklist
+gparted
+groupadd
+groupdel
+groupmod
+grpck
+grpconv
+grpunconv
+grub-install
+grub-macbless
+grub-mkconfig
+grub-mkdevicemap
+grub-probe
+grub-reboot
+grub-set-default
+halt
+hardirqs-bpfcc
+hdparm
+hwclock
+iconvconfig
+ifconfig
+init
+inject-bpfcc
+insmod
+install-sgmlcatalog
+installkernel
+integritysetup
+invoke-rc.d
+ip
+ip6tables
+ip6tables-apply
+ip6tables-legacy
+ip6tables-legacy-restore
+ip6tables-legacy-save
+ip6tables-nft
+ip6tables-nft-restore
+ip6tables-nft-save
+ip6tables-restore
+ip6tables-restore-translate
+ip6tables-save
+ip6tables-translate
+ipmaddr
+ipp-usb
+ippevepcl
+ippeveprinter
+ippeveps
+ipset
+ipset-translate
+iptables
+iptables-apply
+iptables-legacy
+iptables-legacy-restore
+iptables-legacy-save
+iptables-nft
+iptables-nft-restore
+iptables-nft-save
+iptables-restore
+iptables-restore-translate
+iptables-save
+iptables-translate
+iptunnel
+isadump
+isaset
+isosize
+ispell-autobuildhash
+iucode_tool
+iucode-tool
+iw
+javacalls-bpfcc
+javaflow-bpfcc
+javagc-bpfcc
+javaobjnew-bpfcc
+javastat-bpfcc
+javathreads-bpfcc
+kbdrate
+kdump-config
+kexec
+kexec-load-kernel
+key.dns_resolver
+killall5
+killsnoop-bpfcc
+killsnoop.bt
+klockstat-bpfcc
+kpartx
+kvm-ok
+kvmexit-bpfcc
+ldattach
+ldconfig
+ldconfig.real
+libguestfs-make-fixed-appliance
+libgvc6-config-update
+libvirt-dbus
+libvirtd
+llcstat-bpfcc
+loads.bt
+locale-gen
+logrotate
+logsave
+losetup
+lpadmin
+lpc
+lpinfo
+lpmove
+lsmod
+lspcmcia
+luksformat
+lvchange
+lvconvert
+lvcreate
+lvdisplay
+lvextend
+lvm
+lvmconfig
+lvmdiskscan
+lvmdump
+lvmpolld
+lvmsadc
+lvmsar
+lvreduce
+lvremove
+lvrename
+lvresize
+lvs
+lvscan
+make-bcache
+make-ssl-cert
+mdadm
+mdflush-bpfcc
+mdflush.bt
+mdmon
+memleak-bpfcc
+mii-tool
+mkdosfs
+mke2fs
+mkfs
+mkfs.bfs
+mkfs.btrfs
+mkfs.cramfs
+mkfs.exfat
+mkfs.ext2
+mkfs.ext3
+mkfs.ext4
+mkfs.f2fs
+mkfs.fat
+mkfs.minix
+mkfs.msdos
+mkfs.ntfs
+mkfs.reiserfs
+mkfs.vfat
+mkfs.xfs
+mkhomedir_helper
+mkinitramfs
+mklost+found
+mkntfs
+mkreiserfs
+mkswap
+ModemManager
+modinfo
+modprobe
+mount.cifs
+mount.ddi
+mount.fuse
+mount.fuse3
+mount.lowntfs-3g
+mount.ntfs
+mount.ntfs-3g
+mount.smb3
+mountsnoop-bpfcc
+mysqld_qslower-bpfcc
+nameif
+naptime.bt
+needrestart
+netplan
+netqtop-bpfcc
+NetworkManager
+newusers
+nfnl_osf
+nfsdist-bpfcc
+nfsslower-bpfcc
+nft
+nodegc-bpfcc
+nodestat-bpfcc
+nologin
+ntfsclone
+ntfscp
+ntfslabel
+ntfsresize
+ntfsundelete
+offcputime-bpfcc
+offwaketime-bpfcc
+on_ac_power
+oomkill-bpfcc
+oomkill.bt
+opensnoop-bpfcc
+opensnoop.bt
+openvpn
+ownership
+pam_extrausers_chkpwd
+pam_extrausers_update
+pam_getenv
+pam_namespace_helper
+pam_timestamp_check
+pam-auth-update
+paperconfig
+parse.f2fs
+parted
+partprobe
+pccardctl
+pcscd
+pdata_tools
+perlcalls-bpfcc
+perlflow-bpfcc
+perlstat-bpfcc
+phpcalls-bpfcc
+phpflow-bpfcc
+phpstat-bpfcc
+pidpersec-bpfcc
+pidpersec.bt
+pivot_root
+plipconfig
+plymouthd
+poweroff
+ppchcalls-bpfcc
+pppd
+pppdump
+pppoe-discovery
+pppstats
+pptp
+pptpsetup
+profile-bpfcc
+pvchange
+pvck
+pvcreate
+pvdisplay
+pvmove
+pvremove
+pvresize
+pvs
+pvscan
+pwck
+pwconv
+pwhistory_helper
+pwunconv
+pythoncalls-bpfcc
+pythonflow-bpfcc
+pythongc-bpfcc
+pythonstat-bpfcc
+rarp
+rdmaucma-bpfcc
+rdmsr
+readahead-bpfcc
+readprofile
+reboot
+reiserfsck
+reiserfstune
+remove-default-ispell
+remove-default-wordlist
+remove-shell
+request-key
+reset-trace-bpfcc
+resize_reiserfs
+resize.f2fs
+resize2fs
+resolvconf
+rfkill
+rmmod
+rmt
+rmt-tar
+route
+rsyslogd
+rtacct
+rtcwake
+rtkitctl
+rtmon
+rubycalls-bpfcc
+rubyflow-bpfcc
+rubygc-bpfcc
+rubyobjnew-bpfcc
+rubystat-bpfcc
+runlevel
+runqlat-bpfcc
+runqlat.bt
+runqlen-bpfcc
+runqlen.bt
+runqslower-bpfcc
+runuser
+saned
+select-default-ispell
+select-default-wordlist
+sensors-detect
+service
+setcap
+setuids.bt
+setvesablank
+setvtrgb
+sfdisk
+sgdisk
+shadowconfig
+shmsnoop-bpfcc
+shutdown
+slabratetop-bpfcc
+slattach
+sload.f2fs
+smartctl
+smartd
+sofdsnoop-bpfcc
+softirqs-bpfcc
+solisten-bpfcc
+spice-vdagentd
+sshd
+ssllatency.bt
+sslsniff-bpfcc
+sslsnoop.bt
+stackcount-bpfcc
+start-stop-daemon
+statsnoop-bpfcc
+statsnoop.bt
+sudo_logsrvd
+sudo_sendlog
+sulogin
+swapin.bt
+swaplabel
+swapoff
+swapon
+switch_root
+sync-available
+syncsnoop-bpfcc
+syncsnoop.bt
+syscount-bpfcc
+syscount.bt
+sysctl
+tarcat
+tc
+tclcalls-bpfcc
+tclflow-bpfcc
+tclobjnew-bpfcc
+tclstat-bpfcc
+tcpaccept-bpfcc
+tcpaccept.bt
+tcpcong-bpfcc
+tcpconnect-bpfcc
+tcpconnect.bt
+tcpconnlat-bpfcc
+tcpdrop-bpfcc
+tcpdrop.bt
+tcplife-bpfcc
+tcplife.bt
+tcpretrans-bpfcc
+tcpretrans.bt
+tcprtt-bpfcc
+tcpstates-bpfcc
+tcpsubnet-bpfcc
+tcpsynbl-bpfcc
+tcpsynbl.bt
+tcptop-bpfcc
+tcptracer-bpfcc
+tcptraceroute
+tcptraceroute.db
+telinit
+thermald
+thin_check
+thin_delta
+thin_dump
+thin_ls
+thin_metadata_size
+thin_repair
+thin_restore
+thin_rmap
+thin_trim
+threadsnoop-bpfcc
+threadsnoop.bt
+tipc
+tplist-bpfcc
+trace-bpfcc
+traceroute
+ttysnoop-bpfcc
+tune.exfat
+tune2fs
+tunefs.reiserfs
+u-d-c-print-pci-ids
+ucalls
+uflow
+ugc
+umount.udisks2
+undump.bt
+unix_chkpwd
+unix_update
+uobjnew
+update-ca-certificates
+update-catalog
+update-cracklib
+update-default-aspell
+update-default-ispell
+update-default-wordlist
+update-dictcommon-aspell
+update-dictcommon-hunspell
+update-fonts-alias
+update-fonts-dir
+update-fonts-scale
+update-grub
+update-grub2
+update-gsfontmap
+update-icon-caches
+update-ieee-data
+update-inetd
+update-info-dir
+update-initramfs
+update-java-alternatives
+update-locale
+update-mime
+update-passwd
+update-pciids
+update-rc.d
+update-secureboot-policy
+update-shells
+update-smart-drivedb
+update-xmlcatalog
+usb_modeswitch
+usb_modeswitch_dispatcher
+usbmuxd
+useradd
+userdel
+usermod
+ustat
+uthreads
+uuidd
+validlocale
+vcstime
+vdpa
+veritysetup
+vfscount-bpfcc
+vfscount.bt
+vfsstat-bpfcc
+vfsstat.bt
+vgcfgbackup
+vgcfgrestore
+vgchange
+vgck
+vgconvert
+vgcreate
+vgdisplay
+vgexport
+vgextend
+vgimport
+vgimportclone
+vgmerge
+vgmknodes
+vgreduce
+vgremove
+vgrename
+vgs
+vgscan
+vgsplit
+vigr
+vipw
+virtiostat-bpfcc
+virtlockd
+virtlogd
+visudo
+vmcore-dmesg
+vpddecode
+wakeuptime-bpfcc
+wipefs
+wpa_action
+wpa_cli
+wpa_supplicant
+wqlat-bpfcc
+writeback.bt
+wrmsr
+xfs_admin
+xfs_bmap
+xfs_copy
+xfs_db
+xfs_estimate
+xfs_freeze
+xfs_fsr
+xfs_growfs
+xfs_info
+xfs_io
+xfs_logprint
+xfs_mdrestore
+xfs_metadump
+xfs_mkfile
+xfs_ncheck
+xfs_quota
+xfs_repair
+xfs_rtcp
+xfs_scrub
+xfs_scrub_all
+xfs_spaceman
+xfsdist-bpfcc
+xfsdist.bt
+xfsslower-bpfcc
+xtables-legacy-multi
+xtables-monitor
+xtables-nft-multi
+zerofree
+zfsdist-bpfcc
+zfsslower-bpfcc
+zic
+zramctl