felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): update debconf abs.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-24 17:48:15 +02:00
parent 5a807565f7
commit baeecbffcb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
12 changed files with 35 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

7
apparmor.d/abstractions/common/debconf
View file

@ -9,11 +9,18 @@
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/perl> include <abstractions/perl>
@{sh_path} rix,
@{bin}/locale ix,
@{bin}/whiptail Px,
/usr/share/debconf/frontend rix, /usr/share/debconf/frontend rix,
/usr/share/debconf/confmodule r, /usr/share/debconf/confmodule r,
/etc/debconf.conf r, /etc/debconf.conf r,
/var/ r,
/var/cache/ r,
/var/cache/debconf/ r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
include if exists <abstractions/common/debconf.d> include if exists <abstractions/common/debconf.d>

5
apparmor.d/groups/apt/debconf-frontend
View file

@ -20,9 +20,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
@{exec_path} r, @{exec_path} r,
@{sh_path} rix,
@{bin}/hostname ix, @{bin}/hostname ix,
@{bin}/locale ix,
@{bin}/lsb_release Px -> lsb_release, @{bin}/lsb_release Px -> lsb_release,
@{bin}/stty ix, @{bin}/stty ix,
@{sbin}/update-secureboot-policy Px, @{sbin}/update-secureboot-policy Px,
@ -32,7 +30,6 @@ profile debconf-frontend @{exec_path} flags=(complain) {
@{bin}/debconf-apt-progress Px, @{bin}/debconf-apt-progress Px,
@{bin}/linux-check-removal Px, @{bin}/linux-check-removal Px,
@{bin}/ucf Px, @{bin}/ucf Px,
@{bin}/whiptail Px,
@{sbin}/aspell-autobuildhash Px, @{sbin}/aspell-autobuildhash Px,
@{sbin}/pam-auth-update Px, @{sbin}/pam-auth-update Px,
@{lib}/tasksel/tasksel-debconf Px -> tasksel, @{lib}/tasksel/tasksel-debconf Px -> tasksel,
@ -45,7 +42,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
# Package maintainer's scripts # Package maintainer's scripts
/var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.@{dpkg_script_ext} Px,
/var/lib/dpkg/info/*.control r, /var/lib/dpkg/info/*.control r,
/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts,
# DKMS scipts # DKMS scipts
@{lib}/dkms/common.postinst rPUx, @{lib}/dkms/common.postinst rPUx,

2
apparmor.d/groups/apt/dpkg-script-apparmor
View file

@ -10,11 +10,9 @@ include <tunables/global>
profile dpkg-script-apparmor @{exec_path} { profile dpkg-script-apparmor @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/debconf> include <abstractions/common/debconf>
include <abstractions/consoles>
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} rix,
@{bin}/grep ix, @{bin}/grep ix,
@{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-helper Px,

4
apparmor.d/groups/apt/dpkg-script-linux
View file

@ -13,10 +13,7 @@ profile dpkg-script-linux @{exec_path} {
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} rix,
@{bin}/cat ix, @{bin}/cat ix,
@{bin}/locale ix,
@{bin}/mkdir ix,
@{bin}/mkdir ix, @{bin}/mkdir ix,
@{bin}/rm ix, @{bin}/rm ix,
@{bin}/run-parts ix, @{bin}/run-parts ix,
@ -26,7 +23,6 @@ profile dpkg-script-linux @{exec_path} {
@{bin}/kmod Px, @{bin}/kmod Px,
@{bin}/linux-check-removal Px, @{bin}/linux-check-removal Px,
@{bin}/linux-update-symlinks Px, @{bin}/linux-update-symlinks Px,
@{bin}/whiptail Px,
@{bin}/dpkg-maintscript-helper Px, @{bin}/dpkg-maintscript-helper Px,
/usr/share/{update,reboot}-notifier/notify-reboot-required Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px,

3
apparmor.d/groups/apt/dpkg-script-systemd
View file

@ -10,12 +10,9 @@ include <tunables/global>
profile dpkg-script-systemd @{exec_path} { profile dpkg-script-systemd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/debconf> include <abstractions/common/debconf>
include <abstractions/consoles>
@{exec_path} mrix, @{exec_path} mrix,
@{sh_path} rix,
@{coreutils_path} rix, @{coreutils_path} rix,
@{bin}/bootctl Px, @{bin}/bootctl Px,
@{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-helper Px,

1
apparmor.d/groups/apt/dpkg-scripts
View file

@ -31,7 +31,6 @@ profile dpkg-scripts @{exec_path} {
@{bin}/getent ix, @{bin}/getent ix,
@{bin}/gzip ix, @{bin}/gzip ix,
@{bin}/helpztags ix, @{bin}/helpztags ix,
@{bin}/locale ix,
@{bin}/tput ix, @{bin}/tput ix,
@{bin}/zcat ix, @{bin}/zcat ix,
@{lib}/ubuntu-advantage/cloud-id-shim.sh ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix,

7
apparmor.d/groups/grub/grub-check-signatures
View file

@ -13,10 +13,9 @@ profile grub-check-signatures @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sh_path} rix, @{bin}/{m,g,}awk ix,
@{bin}/{m,g,}awk rix, @{bin}/mktemp ix,
@{bin}/mktemp rix, @{bin}/od ix,
@{bin}/od rix,
owner @{tmp}/tmp.@{rand10}/ rw, owner @{tmp}/tmp.@{rand10}/ rw,

5
apparmor.d/profiles-g-l/linux-check-removal
View file

@ -14,12 +14,7 @@ profile linux-check-removal @{exec_path} {
@{exec_path} rmix, @{exec_path} rmix,
@{sh_path} rix,
@{bin}/stty rix, @{bin}/stty rix,
@{bin}/locale rix,
@{bin}/whiptail rPx,
audit owner @{tmp}/file* w,
include if exists <local/linux-check-removal> include if exists <local/linux-check-removal>
} }

9
apparmor.d/profiles-m-r/needrestart
View file

@ -40,7 +40,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{bin}/whiptail rPx, @{bin}/whiptail rPx,
@{bin}/who rix, @{bin}/who rix,
@{lib}/needrestart/* rPx, @{lib}/needrestart/* rPx,
/usr/share/debconf/frontend rix, /usr/share/debconf/frontend rCx -> debconf,
/etc/debconf.conf r, /etc/debconf.conf r,
/etc/init.d/* r, /etc/init.d/* r,
@ -97,6 +97,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
include if exists <local/needrestart_udevadm> include if exists <local/needrestart_udevadm>
} }
profile debconf {
include <abstractions/base>
include <abstractions/common/debconf>
include if exists <local/needrestart_debconf>
}
include if exists <local/needrestart> include if exists <local/needrestart>
} }

48
apparmor.d/profiles-m-r/pam-auth-update
View file

@ -10,56 +10,18 @@ include <tunables/global>
@{exec_path} = @{sbin}/pam-auth-update @{exec_path} = @{sbin}/pam-auth-update
profile pam-auth-update @{exec_path} flags=(complain) { profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/common/debconf>
include <abstractions/perl>
@{exec_path} mr, @{exec_path} mr,
@{bin}/md5sum rix, @{bin}/md5sum ix,
@{bin}/cp rix, @{bin}/cp ix,
# Think what to do about this (#FIXME#)
/usr/share/debconf/frontend rPx,
#/usr/share/debconf/frontend rCx -> frontend,
/etc/pam.d/* rw,
/var/lib/pam/* rw,
/usr/share/pam{,-configs}/{,*} r, /usr/share/pam{,-configs}/{,*} r,
/etc/pam.d/* rw,
profile frontend flags=(complain) { /var/lib/pam/* rw,
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/perl>
include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
@{sbin}/pam-auth-update rPx,
@{sh_path} rix,
@{bin}/stty rix,
@{bin}/locale rix,
/etc/debconf.conf r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
# The following is needed when debconf uses GUI frontends.
include <abstractions/gtk>
include <abstractions/fonts>
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
@{bin}/lsb_release rPx -> lsb_release,
@{bin}/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
/etc/shadow r,
include if exists <local/pam-auth-update_frontend>
}
include if exists <local/pam-auth-update> include if exists <local/pam-auth-update>
} }

9
apparmor.d/profiles-s-z/tasksel
View file

@ -14,9 +14,8 @@ profile tasksel @{exec_path} flags=(complain) {
@{exec_path} r, @{exec_path} r,
@{sh_path} rix, @{bin}/tempfile ix,
@{bin}/tempfile rix, @{lib}/tasksel/tasksel-debconf ix,
@{lib}/tasksel/tasksel-debconf rix,
@{lib}/tasksel/tests/* Cx -> tasksel-tests, @{lib}/tasksel/tests/* Cx -> tasksel-tests,
# Do not strip env to avoid errors like the following: # Do not strip env to avoid errors like the following:
@ -29,13 +28,11 @@ profile tasksel @{exec_path} flags=(complain) {
/usr/share/tasksel/{,**} r, /usr/share/tasksel/{,**} r,
owner @{tmp}/file* w,
profile tasksel-tests flags=(complain) { profile tasksel-tests flags=(complain) {
include <abstractions/base> include <abstractions/base>
@{lib}/tasksel/tests/* r,
@{sh_path} rix, @{sh_path} rix,
@{lib}/tasksel/tests/* r,
include if exists <local/tasksel_tasksel-tests> include if exists <local/tasksel_tasksel-tests>
} }

17
apparmor.d/profiles-s-z/update-secureboot-policy
View file

@ -14,15 +14,14 @@ profile update-secureboot-policy @{exec_path} {
@{exec_path} rm, @{exec_path} rm,
@{sh_path} rix, @{bin}/{,m,g}awk ix,
@{bin}/{,m,g}awk rix, @{bin}/dpkg-trigger Px,
@{bin}/dpkg-trigger rPx, @{bin}/find ix,
@{bin}/find rix, @{bin}/id ix,
@{bin}/id rix, @{bin}/od ix,
@{bin}/od rix, @{bin}/sort ix,
@{bin}/sort rix, @{bin}/touch ix,
@{bin}/touch rix, @{bin}/wc ix,
@{bin}/wc rix,
/ r, / r,