felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tests(check): ensure bin is not used instead of sbin.

Browse source
This commit is contained in:
Alexandre Pujol 2025-04-28 21:48:53 +02:00
parent fd17a77b17
commit 8ae1118de6
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 749 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

11
tests/check.sh
View file

@ -106,6 +106,16 @@ _ensure_vim() {
fi
}
check_sbin() {
echo -e "\033[1m ⋅ \033[0mEnsuring '@{sbin}' is used in all profiles:"
while IFS= read -r name; do
mapfile -t files < <(grep -l -R "@{bin}/$name" apparmor.d)
for file in "${files[@]}"; do
_die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'"
done
done <tests/sbin.list
}
check_profiles() {
echo -e "\033[1m ⋅ \033[0mChecking if all profiles contain:"
echo " - apparmor.d header & license"
@ -170,5 +180,6 @@ check_abstractions() {
done
}
check_sbin
check_profiles
check_abstractions

738
tests/sbin.list Normal file
View file

@ -0,0 +1,738 @@
aa-audit
aa-autodep
aa-cleanprof
aa-complain
aa-decode
aa-disable
aa-enforce
aa-genprof
aa-load
aa-logprof
aa-mergeprof
aa-remove-unknown
aa-status
aa-teardown
aa-unconfined
aa-update-browser
accessdb
acpid
add-shell
addgnupghome
addgroup
adduser
agetty
alsa
alsa-info
alsabat-test
alsactl
anacron
apparmor_parser
apparmor_status
applygnupgdefaults
aptd
argdist-bpfcc
arp
arpd
arptables
arptables-nft
arptables-nft-restore
arptables-nft-save
arptables-restore
arptables-save
aspell-autobuildhash
audisp-af_unix
audisp-filter
audisp-syslog
auditctl
auditd
augenrules
aureport
ausearch
avahi-daemon
badblocks
bashreadline-bpfcc
bashreadline.bt
bcache-super-show
bindsnoop-bpfcc
biolatency-bpfcc
biolatency-kp.bt
biolatency.bt
biolatpcts-bpfcc
biopattern-bpfcc
biosdecode
biosnoop-bpfcc
biosnoop.bt
biostacks.bt
biotop-bpfcc
bitesize-bpfcc
bitesize.bt
blkdeactivate
blkdiscard
blkid
blkpr
blkzone
blockdev
bluetoothd
bpflist-bpfcc
bpftool
bridge
brltty-setup
btrfsdist-bpfcc
btrfsslower-bpfcc
cache_check
cache_dump
cache_metadata_size
cache_repair
cache_restore
cache_writeback
cachestat-bpfcc
cachetop-bpfcc
capable-bpfcc
capable.bt
capsh
cfdisk
cgdisk
chat
chcpu
check-bios-nx
chgpasswd
chmem
chpasswd
chroot
cifs.idmap
cifs.upcall
cobjnew-bpfcc
coldreboot
compactsnoop-bpfcc
cpgr
cppw
cpudist-bpfcc
cpuunclaimed-bpfcc
cpuwalk.bt
cracklib-check
cracklib-format
cracklib-packer
cracklib-unpacker
create-cracklib-dict
criticalstat-bpfcc
cron
cryptdisks_start
cryptdisks_stop
cryptsetup
ctrlaltdel
cups-browsed
cupsaccept
cupsctl
cupsd
cupsdisable
cupsenable
cupsfilter
cupsreject
dbslower-bpfcc
dbstat-bpfcc
dcb
dcsnoop-bpfcc
dcsnoop.bt
dcstat-bpfcc
deadlock-bpfcc
debugfs
debugfs.reiserfs
debugreiserfs
defrag.f2fs
delgroup
deluser
depmod
devlink
dhcpcd
dirtop-bpfcc
dkms
dmeventd
dmidecode
dmsetup
dmstats
dnsmasq
dosfsck
dosfslabel
dpkg-preconfigure
dpkg-reconfigure
drsnoop-bpfcc
dump.exfat
dump.f2fs
dumpe2fs
e2freefrag
e2fsck
e2image
e2label
e2mmpstatus
e2scrub
e2scrub_all
e2undo
e4crypt
e4defrag
ebtables
ebtables-nft
ebtables-nft-restore
ebtables-nft-save
ebtables-restore
ebtables-save
ebtables-translate
era_check
era_dump
era_invalidate
era_restore
ethtool
execsnoop-bpfcc
execsnoop.bt
exfat2img
exfatlabel
exitsnoop-bpfcc
ext4dist-bpfcc
ext4slower-bpfcc
f2fs_io
f2fscrypt
f2fslabel
f2fsslower-bpfcc
faillock
fatlabel
fdisk
fibmap.f2fs
filefrag
filegone-bpfcc
filelife-bpfcc
fileslower-bpfcc
filetop-bpfcc
findfs
firewalld
fixparts
fsadm
fsck
fsck.btrfs
fsck.cramfs
fsck.exfat
fsck.ext2
fsck.ext3
fsck.ext4
fsck.f2fs
fsck.fat
fsck.minix
fsck.msdos
fsck.reiserfs
fsck.vfat
fsck.xfs
fsfreeze
fstab-decode
fstrim
funccount-bpfcc
funcinterval-bpfcc
funclatency-bpfcc
funcslower-bpfcc
gdisk
gdm3
genl
getcap
gethostlatency-bpfcc
gethostlatency.bt
getpcaps
getty
getweb
gnome-menus-blacklist
gparted
groupadd
groupdel
groupmod
grpck
grpconv
grpunconv
grub-install
grub-macbless
grub-mkconfig
grub-mkdevicemap
grub-probe
grub-reboot
grub-set-default
halt
hardirqs-bpfcc
hdparm
hwclock
iconvconfig
ifconfig
init
inject-bpfcc
insmod
install-sgmlcatalog
installkernel
integritysetup
invoke-rc.d
ip
ip6tables
ip6tables-apply
ip6tables-legacy
ip6tables-legacy-restore
ip6tables-legacy-save
ip6tables-nft
ip6tables-nft-restore
ip6tables-nft-save
ip6tables-restore
ip6tables-restore-translate
ip6tables-save
ip6tables-translate
ipmaddr
ipp-usb
ippevepcl
ippeveprinter
ippeveps
ipset
ipset-translate
iptables
iptables-apply
iptables-legacy
iptables-legacy-restore
iptables-legacy-save
iptables-nft
iptables-nft-restore
iptables-nft-save
iptables-restore
iptables-restore-translate
iptables-save
iptables-translate
iptunnel
isadump
isaset
isosize
ispell-autobuildhash
iucode_tool
iucode-tool
iw
javacalls-bpfcc
javaflow-bpfcc
javagc-bpfcc
javaobjnew-bpfcc
javastat-bpfcc
javathreads-bpfcc
kbdrate
kdump-config
kexec
kexec-load-kernel
key.dns_resolver
killall5
killsnoop-bpfcc
killsnoop.bt
klockstat-bpfcc
kpartx
kvm-ok
kvmexit-bpfcc
ldattach
ldconfig
ldconfig.real
libguestfs-make-fixed-appliance
libgvc6-config-update
libvirt-dbus
libvirtd
llcstat-bpfcc
loads.bt
locale-gen
logrotate
logsave
losetup
lpadmin
lpc
lpinfo
lpmove
lsmod
lspcmcia
luksformat
lvchange
lvconvert
lvcreate
lvdisplay
lvextend
lvm
lvmconfig
lvmdiskscan
lvmdump
lvmpolld
lvmsadc
lvmsar
lvreduce
lvremove
lvrename
lvresize
lvs
lvscan
make-bcache
make-ssl-cert
mdadm
mdflush-bpfcc
mdflush.bt
mdmon
memleak-bpfcc
mii-tool
mkdosfs
mke2fs
mkfs
mkfs.bfs
mkfs.btrfs
mkfs.cramfs
mkfs.exfat
mkfs.ext2
mkfs.ext3
mkfs.ext4
mkfs.f2fs
mkfs.fat
mkfs.minix
mkfs.msdos
mkfs.ntfs
mkfs.reiserfs
mkfs.vfat
mkfs.xfs
mkhomedir_helper
mkinitramfs
mklost+found
mkntfs
mkreiserfs
mkswap
ModemManager
modinfo
modprobe
mount.cifs
mount.ddi
mount.fuse
mount.fuse3
mount.lowntfs-3g
mount.ntfs
mount.ntfs-3g
mount.smb3
mountsnoop-bpfcc
mysqld_qslower-bpfcc
nameif
naptime.bt
needrestart
netplan
netqtop-bpfcc
NetworkManager
newusers
nfnl_osf
nfsdist-bpfcc
nfsslower-bpfcc
nft
nodegc-bpfcc
nodestat-bpfcc
nologin
ntfsclone
ntfscp
ntfslabel
ntfsresize
ntfsundelete
offcputime-bpfcc
offwaketime-bpfcc
on_ac_power
oomkill-bpfcc
oomkill.bt
opensnoop-bpfcc
opensnoop.bt
openvpn
ownership
pam_extrausers_chkpwd
pam_extrausers_update
pam_getenv
pam_namespace_helper
pam_timestamp_check
pam-auth-update
paperconfig
parse.f2fs
parted
partprobe
pccardctl
pcscd
pdata_tools
perlcalls-bpfcc
perlflow-bpfcc
perlstat-bpfcc
phpcalls-bpfcc
phpflow-bpfcc
phpstat-bpfcc
pidpersec-bpfcc
pidpersec.bt
pivot_root
plipconfig
plymouthd
poweroff
ppchcalls-bpfcc
pppd
pppdump
pppoe-discovery
pppstats
pptp
pptpsetup
profile-bpfcc
pvchange
pvck
pvcreate
pvdisplay
pvmove
pvremove
pvresize
pvs
pvscan
pwck
pwconv
pwhistory_helper
pwunconv
pythoncalls-bpfcc
pythonflow-bpfcc
pythongc-bpfcc
pythonstat-bpfcc
rarp
rdmaucma-bpfcc
rdmsr
readahead-bpfcc
readprofile
reboot
reiserfsck
reiserfstune
remove-default-ispell
remove-default-wordlist
remove-shell
request-key
reset-trace-bpfcc
resize_reiserfs
resize.f2fs
resize2fs
resolvconf
rfkill
rmmod
rmt
rmt-tar
route
rsyslogd
rtacct
rtcwake
rtkitctl
rtmon
rubycalls-bpfcc
rubyflow-bpfcc
rubygc-bpfcc
rubyobjnew-bpfcc
rubystat-bpfcc
runlevel
runqlat-bpfcc
runqlat.bt
runqlen-bpfcc
runqlen.bt
runqslower-bpfcc
runuser
saned
select-default-ispell
select-default-wordlist
sensors-detect
service
setcap
setuids.bt
setvesablank
setvtrgb
sfdisk
sgdisk
shadowconfig
shmsnoop-bpfcc
shutdown
slabratetop-bpfcc
slattach
sload.f2fs
smartctl
smartd
sofdsnoop-bpfcc
softirqs-bpfcc
solisten-bpfcc
spice-vdagentd
sshd
ssllatency.bt
sslsniff-bpfcc
sslsnoop.bt
stackcount-bpfcc
start-stop-daemon
statsnoop-bpfcc
statsnoop.bt
sudo_logsrvd
sudo_sendlog
sulogin
swapin.bt
swaplabel
swapoff
swapon
switch_root
sync-available
syncsnoop-bpfcc
syncsnoop.bt
syscount-bpfcc
syscount.bt
sysctl
tarcat
tc
tclcalls-bpfcc
tclflow-bpfcc
tclobjnew-bpfcc
tclstat-bpfcc
tcpaccept-bpfcc
tcpaccept.bt
tcpcong-bpfcc
tcpconnect-bpfcc
tcpconnect.bt
tcpconnlat-bpfcc
tcpdrop-bpfcc
tcpdrop.bt
tcplife-bpfcc
tcplife.bt
tcpretrans-bpfcc
tcpretrans.bt
tcprtt-bpfcc
tcpstates-bpfcc
tcpsubnet-bpfcc
tcpsynbl-bpfcc
tcpsynbl.bt
tcptop-bpfcc
tcptracer-bpfcc
tcptraceroute
tcptraceroute.db
telinit
thermald
thin_check
thin_delta
thin_dump
thin_ls
thin_metadata_size
thin_repair
thin_restore
thin_rmap
thin_trim
threadsnoop-bpfcc
threadsnoop.bt
tipc
tplist-bpfcc
trace-bpfcc
traceroute
ttysnoop-bpfcc
tune.exfat
tune2fs
tunefs.reiserfs
u-d-c-print-pci-ids
ucalls
uflow
ugc
umount.udisks2
undump.bt
unix_chkpwd
unix_update
uobjnew
update-ca-certificates
update-catalog
update-cracklib
update-default-aspell
update-default-ispell
update-default-wordlist
update-dictcommon-aspell
update-dictcommon-hunspell
update-fonts-alias
update-fonts-dir
update-fonts-scale
update-grub
update-grub2
update-gsfontmap
update-icon-caches
update-ieee-data
update-inetd
update-info-dir
update-initramfs
update-java-alternatives
update-locale
update-mime
update-passwd
update-pciids
update-rc.d
update-secureboot-policy
update-shells
update-smart-drivedb
update-xmlcatalog
usb_modeswitch
usb_modeswitch_dispatcher
usbmuxd
useradd
userdel
usermod
ustat
uthreads
uuidd
validlocale
vcstime
vdpa
veritysetup
vfscount-bpfcc
vfscount.bt
vfsstat-bpfcc
vfsstat.bt
vgcfgbackup
vgcfgrestore
vgchange
vgck
vgconvert
vgcreate
vgdisplay
vgexport
vgextend
vgimport
vgimportclone
vgmerge
vgmknodes
vgreduce
vgremove
vgrename
vgs
vgscan
vgsplit
vigr
vipw
virtiostat-bpfcc
virtlockd
virtlogd
visudo
vmcore-dmesg
vpddecode
wakeuptime-bpfcc
wipefs
wpa_action
wpa_cli
wpa_supplicant
wqlat-bpfcc
writeback.bt
wrmsr
xfs_admin
xfs_bmap
xfs_copy
xfs_db
xfs_estimate
xfs_freeze
xfs_fsr
xfs_growfs
xfs_info
xfs_io
xfs_logprint
xfs_mdrestore
xfs_metadump
xfs_mkfile
xfs_ncheck
xfs_quota
xfs_repair
xfs_rtcp
xfs_scrub
xfs_scrub_all
xfs_spaceman
xfsdist-bpfcc
xfsdist.bt
xfsslower-bpfcc
xtables-legacy-multi
xtables-monitor
xtables-nft-multi
zerofree
zfsdist-bpfcc
zfsslower-bpfcc
zic
zramctl