refractor: move more profiles to groups.
This commit is contained in:
Alexandre Pujol
parent
33681e14f2
commit
8ba3dbd90f
38 changed files with 3 additions and 2 deletions
38
apparmor.d/groups/utils/dmesg
Normal file
38
apparmor.d/groups/utils/dmesg
Normal file
|
|
@ -0,0 +1,38 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/dmesg
|
||||
profile dmesg @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
capability dac_read_search,
|
||||
capability syslog,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{pager_path} rPx -> child-pager,
|
||||
|
||||
/usr/share/terminfo/** r,
|
||||
|
||||
@{PROC}/sys/kernel/pid_max r,
|
||||
|
||||
/dev/kmsg r,
|
||||
|
||||
deny @{bin}/{,*/} r,
|
||||
deny /{usr/,}local/{,s}bin/ r,
|
||||
deny /var/lib/flatpak/exports/bin/ r,
|
||||
deny @{HOME}/.go/bin/ r,
|
||||
deny @{user_bin_dirs}/ r,
|
||||
|
||||
include if exists <local/dmesg>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
44
apparmor.d/groups/utils/whereis
Normal file
44
apparmor.d/groups/utils/whereis
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2022 Jeroen Rijken
|
||||
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/whereis
|
||||
profile whereis @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,*/} r,
|
||||
@{lib}/ r,
|
||||
@{lib}/go-*/bin/ r,
|
||||
/usr/{local/,}games/ r,
|
||||
/usr/include/ r,
|
||||
/usr/local/{,etc/,lib/} r,
|
||||
/usr/local/{s,}bin/{,*/} r,
|
||||
/usr/share/ r,
|
||||
/usr/share/info/{**,} r,
|
||||
/usr/share/man/{**,} r,
|
||||
/usr/src/{**,} r,
|
||||
|
||||
/opt/ r,
|
||||
/opt/**/bin/ r,
|
||||
/opt/**/lib/ r,
|
||||
|
||||
@{etc_ro}/ r,
|
||||
|
||||
/snap/bin/ r,
|
||||
/var/lib/flatpak/exports/bin/ r,
|
||||
|
||||
owner @{HOME}/{.,}go/bin/ r,
|
||||
owner @{user_bin_dirs}/ r,
|
||||
|
||||
include if exists <local/whereis>
|
||||
}
|
||||
|
||||
# vim:syntax=apparmor
|
||||
Loading…
Add table
Add a link
Reference in a new issue