feat(profile): rewrite the pacman profile.

Alexandre Pujol 2025-09-11 23:15:42 +02:00
parent ff8efaecd2
commit 98063fa771
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC


@ -46,71 +46,49 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/gpgconf rCx -> gpg,
@{bin}/gpgsm rCx -> gpg,
# Pacman's keyring
@{bin}/gpg{,2} Cx -> gpg,
@{bin}/gpgconf Cx -> gpg,
@{bin}/gpgsm Cx -> gpg,
# Pacman hooks & install scripts
@{sh_path} rix,
@{coreutils_path} rix,
@{bin}/appstreamcli rPx,
@{bin}/arch-audit rPx,
@{bin}/archlinux-java rPx,
@{bin}/bootctl rPx,
@{bin}/cert-sync rPx,
@{bin}/checkrebuild rPUx,
@{bin}/dconf rPx,
@{bin}/dot rix,
@{bin}/fc-cache{,-32} rPx,
@{bin}/filecap rix,
@{bin}/gdbus rix,
@{bin}/gdk-pixbuf-query-loaders rPx,
@{bin}/getent rix,
@{bin}/gettext rix,
@{bin}/ghc-pkg-@{version} rPx,
@{bin}/gio-querymodules rPx,
@{bin}/glib-compile-schemas rPx,
@{sbin}/groupadd rPx,
@{bin}/gtk-query-immodules-* rPx,
@{bin}/gtk{,4}-update-icon-cache rPx,
@{sbin}/iconvconfig rix,
@{bin}/install-catalog rPx,
@{bin}/install-info rPx,
@{sbin}/iscsi-iname rix,
@{bin}/journalctl rPx,
@{bin}/killall rix,
@{sbin}/ldconfig rix,
@{sbin}/locale-gen rPx,
@{bin}/limine-install rPUx,
@{bin}/mkinitcpio rPx,
@{sbin}/needrestart rPx,
@{bin}/pacdiff rPx,
@{bin}/pacman-key rPx,
@{bin}/pkgfile rPUx,
@{bin}/pkill rix,
@{bin}/rsync rix,
@{bin}/sbctl rPx,
@{sbin}/setcap rix,
@{bin}/setfacl rix,
@{sbin}/sysctl rPx,
@{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-* rPx,
@{bin}/tput rix,
@{bin}/update-ca-trust rPx,
@{bin}/update-desktop-database rPx,
@{sbin}/update-grub rPx,
@{bin}/update-mime-database rPx,
@{bin}/vercmp rix,
@{bin}/which{,.debianutils} rix,
@{bin}/xmlcatalog rix,
@{lib}/systemd/systemd-* rPx,
@{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx,
@{lib}/vlc/vlc-cache-gen rPx,
/opt/Mullvad*/resources/mullvad-setup rPx,
/usr/share/code-features/patch.py rPx,
/usr/share/code-marketplace/patch.py rPx,
/usr/share/libalpm/scripts/* rPUx,
/usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
# Common program found in hooks & install scripts
@{sh_path} rix,
@{coreutils_path} rix,
@{bin}/dot ix,
@{bin}/filecap ix,
@{bin}/getent ix,
@{bin}/gettext ix,
@{bin}/gzip ix,
@{bin}/rsync ix,
@{bin}/setfacl ix,
@{bin}/tput ix,
@{bin}/vercmp ix,
@{bin}/which{,.debianutils} ix,
@{bin}/xmlcatalog ix,
@{sbin}/iconvconfig ix,
@{sbin}/iscsi-iname ix,
@{sbin}/setcap ix,
@{bin}/dbus-send Cx -> bus,
@{bin}/gdbus Cx -> bus,
@{bin}/killall Cx -> pkill,
@{bin}/kmod Cx -> kmod,
@{bin}/pkill Cx -> pkill,
@{bin}/systemctl Cx -> systemctl,
@{sbin}/ldconfig Cx -> ldconfig,
#aa:lint ignore=too-wide
# Hooks & install scripts can legitimately start/restart anything
# PU is only used as a safety fallback.
@{bin}/** PUx,
@{sbin}/** PUx,
/opt/*/** PUx,
/etc/** PUx,
/usr/share/** PUx,
@{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px,
@{lib}/systemd/systemd-* Px,
@{lib}/vlc/vlc-cache-gen Px,
# For shell pwd, keept as it can annoy users to see error in pacman output
/**/ r,
@ -196,6 +174,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
capability dac_read_search,
capability sys_resource,
ptrace read peer=@{p_systemd},
signal send set=cont peer=child-pager,
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
signal receive set=(term winch) peer=makepkg//sudo,
@ -207,11 +187,66 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
/{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/*.journal* r,
/{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
include if exists <local/pacman_systemctl>
}
profile bus {
include <abstractions/base>
include <abstractions/app/bus>
include <abstractions/bus-system>
@{bin}/gdbus rix,
include if exists <local/pacman_bus>
}
profile pkill {
include <abstractions/base>
include <abstractions/app/pgrep>
@{bin}/killall mr,
@{bin}/pkill mr,
include if exists <local/pacman_pkill>
}
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
include if exists <local/pacman_kmod>
}
profile ldconfig {
include <abstractions/base>
include <abstractions/consoles>
@{sh_path} rix,
@{sbin}/ldconfig mrix,
@{lib}/ r,
/usr/local/ r,
/usr/local/lib/ r,
/opt/cuda/**/@{lib}/ r,
/opt/cuda/**/@{lib}/@{multiarch}/ r,
/etc/ld.so.cache rw,
/etc/ld.so.cache~ rw,
/var/cache/ldconfig/ rw,
owner /var/cache/ldconfig/aux-cache* rw,
include if exists <local/pacman_ldconfig>
}
include if exists <usr/pacman.d>
include if exists <local/pacman>
}
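Review bot: The fallback rules `/etc/** PUx,` and `/usr/share/** PUx,` in the first hunk extend execute-with-unconfined-fallback to whole configuration and data trees rather than to hook locations, so any executable a package drops under those prefixes without a dedicated profile runs unconfined from pacman's root context, and the comment above them explains the intent but not why those two prefixes are needed. I would record that reason in the same comment (the removed lines only covered `/usr/share/libalpm/scripts/*` and two named `patch.py` entries), so a later reader does not narrow the rules back without knowing what breaks. The specific `ix` and `Cx` rules kept above (for example `@{bin}/dot ix,` and `@{bin}/systemctl Cx -> systemctl,`) overlap with `@{bin}/** PUx,`; this presumably relies on the parser preferring the more specific exec rule, which is worth stating next to the `#aa:lint ignore=too-wide` marker. The comment `# For shell pwd, keept as it can annoy users to see error in pacman output` has a typo, `kept`. The enclosing `profile pacman` block starts and ends outside the hunk.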