feat(profiles): use /etc read only variable: etc_ro

2023-02-04 23:34:29 +00:00 · 2023-02-04 23:34:29 +00:00 · bac87f9547
commit bac87f9547
parent 6e56cfccc9
19 changed files with 33 additions and 32 deletions
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -40,8 +40,8 @@ profile cron @{exec_path} {
  /etc/cron.d/{,*} r,
  /etc/crontab r,
  /etc/default/locale r,
-  /etc/environment r,
-  /etc/security/limits.d/{,**} r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,**} r,

  /var/spool/cron/crontabs/{,*} r,

--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
@ -50,7 +50,7 @@ profile cron-exim4-base @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/1/limits r,

-  /etc/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/ r,

  include if exists <local/cron-exim4-base>
 }
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -100,7 +100,7 @@ profile cron-popularity-contest @{exec_path} {
    owner @{PROC}/@{pids}/loginuid r,
          @{PROC}/1/limits r,

-    /etc/security/limits.d/ r,
+    @{etc_ro}/security/limits.d/ r,

    /var/log/popularity-contest.new w,