refractor(abs): move common and app abstraction to their own abstractions subfolder.

As the number of abstraction is increasing, it is valuable to separate "base" abstractions to programs specific ones.
2024-03-27 15:11:21 +00:00 · 2024-03-27 15:11:21 +00:00 · b88b8b8c26
commit b88b8b8c26
parent 92f83d9e8d
158 changed files with 226 additions and 198 deletions
--- a/apparmor.d/profiles-s-z/sensors-detect
+++ b/apparmor.d/profiles-s-z/sensors-detect
@ -41,7 +41,7 @@ profile sensors-detect @{exec_path} {

  profile udevadm {
    include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/common/systemd>

    capability sys_ptrace,

@ -67,7 +67,7 @@ profile sensors-detect @{exec_path} {

  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>

    include if exists <local/sensors-detect_systemctl>
  }
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -112,7 +112,7 @@ profile snap @{exec_path} {

  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
  
    include if exists <local/snap_systemctl>
  }
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@ -25,7 +25,7 @@ profile snap-failure @{exec_path} {

  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
  
    include if exists <local/snap-failure_systemctl>
  }
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -16,7 +16,7 @@ include <tunables/global>
 profile spotify @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
-  include <abstractions/chromium-common>
+  include <abstractions/common/chromium>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/graphics>
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -11,7 +11,7 @@ include <tunables/global>
 profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
  include <abstractions/base>
  include <abstractions/audio-client>
-  include <abstractions/chromium-common>
+  include <abstractions/common/chromium>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -24,7 +24,7 @@ include <tunables/global>
 profile steam-game @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
-  include <abstractions/bwrap>
+  include <abstractions/common/bwrap>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-write>
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -11,10 +11,9 @@ include <tunables/global>
 profile su @{exec_path} {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
-  include <abstractions/sudo>
+  include <abstractions/app/sudo>

  capability chown,  # pseudo-terminal
-  capability dac_read_search,

  signal (send)    set=(term,kill),
  signal (receive) set=(int,quit,term),
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -11,11 +11,9 @@ include <tunables/global>
 profile sudo @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
-  include <abstractions/sudo>
+  include <abstractions/app/sudo>

  capability chown,
-  capability dac_override,
-  capability dac_read_search,
  capability mknod,
  capability sys_ptrace,

@ -27,32 +25,26 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
  signal (send,receive) peer=cockpit-bridge,
  signal (send) peer=@{systemd},
  signal (send) set=(cont,hup) peer=su,
-  signal (send) set=(winch),
+  # signal (send) set=(winch),
+  signal (send) set=(winch) peer=child-pager,
+  signal (send) set=(winch) peer=journalctl,

-  @{exec_path} mr,
-
-  @{bin}/@{shells}                 rUx,
+  @{bin}/@{shells}                  rUx,
  @{lib}/**                         PUx,
  /opt/*/**                         PUx,
  /snap/snapd/@{int}@{bin}/snap    rPUx,

        /var/db/sudo/lectured/ r,
-        /var/lib/extrausers/shadow r,
-        /var/lib/sudo/lectured/ r,
-        /var/lib/sudo/ts/ rw,
-        /var/lib/sudo/ts/* rwk,
-        /var/log/sudo.log wk,
  owner /var/db/sudo/lectured/@{uid} rw,
-  owner /var/lib/sudo/lectured/* rw,
+  owner /var/lib/extrausers/shadow r,
+
+        /var/lib/sudo/lectured/ r,
+  owner /var/lib/sudo/lectured/@{uid} rw,

  owner @{HOME}/.sudo_as_admin_successful rw,

-        @{run}/ r,
-        @{run}/faillock/{,*} rwk,
-        @{run}/systemd/sessions/* r,
-  owner @{run}/sudo/ rw,
-  owner @{run}/sudo/ts/ rw,
-  owner @{run}/sudo/ts/* rwk,
+  @{run}/ r,
+  @{run}/systemd/sessions/* r,

  include if exists <local/sudo>
 }
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -141,7 +141,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {

  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>

    include if exists <local/udisksd_systemctl>
  }
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
@ -114,7 +114,7 @@ profile x11-xsession @{exec_path} {

  profile udevadm {
    include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/common/systemd>

    @{bin}/udevadm mr,