felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update some core system profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-07-06 22:08:28 +02:00
parent 705eb11510
commit bfc6c51821
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
10 changed files with 42 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/profiles-a-f/dkms
View file

@ -30,13 +30,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{bin}/bc rix, @{bin}/bc rix,
@{bin}/clang-@{version} rix, @{bin}/clang-@{version} rix,
@{bin}/gcc rix, @{bin}/gcc rix,
@{bin}/g++ rix,
@{bin}/getconf rix, @{bin}/getconf rix,
@{bin}/kill rix, @{bin}/kill rix,
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{bin}/ld rix, @{bin}/ld rix,
@{bin}/ld.lld rix, @{bin}/ld.lld rix,
@{bin}/llvm-objcopy rix, @{bin}/llvm-objcopy rix,
@{bin}/lsb_release rPx -> lsb_release, @{bin}/lsb_release rPx,
@{bin}/make rix, @{bin}/make rix,
@{bin}/objcopy rix, @{bin}/objcopy rix,
@{bin}/pahole rix, @{bin}/pahole rix,
@ -101,7 +102,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/sh-thd.* rw, owner @{tmp}/sh-thd.* rw,
owner @{tmp}/tmp.* rw, owner @{tmp}/tmp.* rw,
@{PROC}/cpuinfo r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/vm/overcommit_memory r, @{PROC}/sys/vm/overcommit_memory r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,

3
apparmor.d/profiles-a-f/fprintd
View file

@ -32,8 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/class/hidraw/ r, @{sys}/class/hidraw/ r,
@{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, @{sys}/devices/**/hidraw/hidraw@{int}/uevent r,
@{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r,
include if exists <local/fprintd> include if exists <local/fprintd>
} }

11
apparmor.d/profiles-a-f/fwupd
View file

@ -62,12 +62,15 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
/boot/{,**} r, @{efi}/{,**} r,
/boot/EFI/*/.goutputstream-@{rand6} rw, @{efi}/EFI/*/.goutputstream-@{rand6} rw,
/boot/EFI/*/fw/fwupd-*.cap{,.*} rw, @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw,
/boot/EFI/*/fwupdx@{int}.efi rw, @{efi}/EFI/*/fwupdx@{int}.efi rw,
@{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
@{MOUNTDIRS}/*/{,@{efi}/} r,
@{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r,
/var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/mime/mime.cache r,
/var/tmp/etilqs_@{sqlhex} rw, /var/tmp/etilqs_@{sqlhex} rw,
owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/ rw,

16
apparmor.d/profiles-g-l/hw-probe
View file

@ -33,6 +33,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{bin}/tar rix, @{bin}/tar rix,
@{bin}/uname rix, @{bin}/uname rix,
@{bin}/vulkaninfo rPUx,
@{bin}/acpi rPx, @{bin}/acpi rPx,
@{bin}/amixer rPx, @{bin}/amixer rPx,
@{bin}/aplay rPx, @{bin}/aplay rPx,
@ -55,7 +56,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{bin}/lsblk rPx, @{bin}/lsblk rPx,
@{bin}/lscpu rPx, @{bin}/lscpu rPx,
@{bin}/lspci rPx, @{bin}/lspci rPx,
@{bin}/lsscsi rPx,
@{bin}/lsusb rPx, @{bin}/lsusb rPx,
@{bin}/memtester rPx, @{bin}/memtester rPx,
@{bin}/nmcli rPx, @{bin}/nmcli rPx,
@ -76,12 +76,15 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{sbin}/dmidecode rPx, @{sbin}/dmidecode rPx,
@{sbin}/fdisk rPx, @{sbin}/fdisk rPx,
@{sbin}/hdparm rPx, @{sbin}/hdparm rPx,
@{bin}/boltctl rPUx,
@{sbin}/hwinfo rPx, @{sbin}/hwinfo rPx,
@{sbin}/rfkill rPx, @{sbin}/rfkill rPx,
@{sbin}/smartctl rPx, @{sbin}/smartctl rPx,
/etc/modprobe.d/{,*.conf} r, /etc/modprobe.d/{,*.conf} r,
@{efi}/EFI/{,**} r,
owner @{HOME}/HW_PROBE/{,**} rw, owner @{HOME}/HW_PROBE/{,**} rw,
owner @{tmp}/@{rand10}/ rw, owner @{tmp}/@{rand10}/ rw,
@ -107,9 +110,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
capability sys_module, capability syslog,
@{sys}/module/compression r, @{sys}/module/{,**} r,
include if exists <local/hw-probe_kmod> include if exists <local/hw-probe_kmod>
} }
@ -169,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
@{run}/log/ rw, @{run}/log/ rw,
/{run,var}/log/journal/ r, /{run,var}/log/journal/ r,
/{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/ r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
/{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,

6
apparmor.d/profiles-g-l/hwinfo
View file

@ -28,6 +28,7 @@ profile hwinfo @{exec_path} {
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{bin}/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,
@{sbin}/acpidump rPUx, @{sbin}/acpidump rPUx,
@{bin}/lsscsi rPx,
@{sbin}/dmraid rPUx, @{sbin}/dmraid rPUx,
@ -39,7 +40,7 @@ profile hwinfo @{exec_path} {
@{sys}/bus/{,**/} r, @{sys}/bus/{,**/} r,
@{sys}/class/*/ r, @{sys}/class/*/ r,
@{sys}/devices/@{pci}/** r, @{sys}/devices/@{pci}/{,**} r,
@{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/{modalias,uevent} r,
@{sys}/devices/**/input/**/dev r, @{sys}/devices/**/input/**/dev r,
@{sys}/devices/virtual/net/*/{type,carrier,address} r, @{sys}/devices/virtual/net/*/{type,carrier,address} r,
@ -70,9 +71,12 @@ profile hwinfo @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
capability sys_module,
owner @{tmp}/hwinfo*.txt rw, owner @{tmp}/hwinfo*.txt rw,
@{sys}/devices/@{pci}/drm/card@{int}/ r, @{sys}/devices/@{pci}/drm/card@{int}/ r,
@{sys}/module/compression r,
include if exists <local/hwinfo_kmod> include if exists <local/hwinfo_kmod>
} }

5
apparmor.d/profiles-g-l/i2cdetect
View file

@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sys}/class/i2c-dev/ r,
@{sys}/devices/@{pci}/i2c-*/{,**/}name r,
owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mounts r,
/dev/i2c-@{int} rw,
include if exists <local/i2cdetect> include if exists <local/i2cdetect>
} }

6
apparmor.d/profiles-g-l/kernel
View file

@ -34,13 +34,15 @@ profile kernel @{exec_path} {
@{bin}/which{,.debianutils} rix, @{bin}/which{,.debianutils} rix,
@{bin}/apt-config rPx, @{bin}/apt-config rPx,
@{bin}/bootctl rPx,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/kernel-install rPx,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{sbin}/update-alternatives rPx, @{lib}/dkms/dkms_autoinstaller rPx,
@{sbin}/dkms rPx, @{sbin}/dkms rPx,
@{sbin}/update-alternatives rPx,
@{sbin}/update-grub rPx, @{sbin}/update-grub rPx,
@{sbin}/update-initramfs rPx, @{sbin}/update-initramfs rPx,
@{lib}/dkms/dkms_autoinstaller rPx,
@{lib}/modules/*/updates/ w, @{lib}/modules/*/updates/ w,
@{lib}/modules/*/updates/dkms/ w, @{lib}/modules/*/updates/dkms/ w,

3
apparmor.d/profiles-g-l/kernel-install
View file

@ -41,6 +41,8 @@ profile kernel-install @{exec_path} {
@{lib}/modules/*/modules.* w, @{lib}/modules/*/modules.* w,
@{efi}/@{hex32}/** rw,
owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/{vmlinuz,initrd.img}-* r,
owner /boot/[a-f0-9]*/*/ rw, owner /boot/[a-f0-9]*/*/ rw,
owner /boot/[a-f0-9]*/*/{linux,initrd} w, owner /boot/[a-f0-9]*/*/{linux,initrd} w,
@ -52,6 +54,7 @@ profile kernel-install @{exec_path} {
owner @{tmp}/sh-thd.* rw, owner @{tmp}/sh-thd.* rw,
@{PROC}/@{pid}/mountinfo r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,

2
apparmor.d/profiles-m-r/pycompile
View file

@ -11,7 +11,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/common/apt> include <abstractions/common/apt>
include <abstractions/consoles> include <abstractions/consoles>
# include <abstractions/python> include <abstractions/python>
capability dac_override, capability dac_override,
capability dac_read_search, capability dac_read_search,

4
apparmor.d/profiles-s-z/sysstat-sadc
View file

@ -24,8 +24,10 @@ profile sysstat-sadc @{exec_path} {
@{sys}/class/fc_host/ r, @{sys}/class/fc_host/ r,
@{sys}/class/hwmon/ r, @{sys}/class/hwmon/ r,
@{sys}/class/i2c-adapter/ r, @{sys}/class/i2c-adapter/ r,
@{sys}/devices/@{pci}/i2c-*/name r, @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r,
@{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r,
@{sys}/devices/@{pci}/net/*/duplex r, @{sys}/devices/@{pci}/net/*/duplex r,
@{sys}/devices/**/i2c-*/name r,
@{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/duplex r,
@{sys}/devices/**/net/*/speed r, @{sys}/devices/**/net/*/speed r,
@{sys}/devices/virtual/net/*/duplex r, @{sys}/devices/virtual/net/*/duplex r,