tests(check): add support for blocl ignore, handle inline comments.

2025-07-26 22:28:54 +02:00 · 2025-07-26 22:28:54 +02:00 · c0b43c86b6
commit c0b43c86b6
parent dfb0762625
6 changed files with 65 additions and 30 deletions
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -56,11 +56,12 @@
  owner @{HOME}/.var/app/** rmix,
  owner @{HOME}/** rwmlk -> @{HOME}/**,
  owner @{run}/user/@{uid}/ r,
-  owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,  #aa:lint ignore
+  owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,  #aa:lint ignore=too_wide
  owner @{user_games_dirs}/** rmix,

-  owner @{tmp}/** rmwk,  #aa:lint ignore
-  owner /dev/shm/** rwlk -> /dev/shm/**,  #aa:lint ignore
+  #aa:lint ignore=too_wide
+  owner @{tmp}/** rmwk,
+  owner /dev/shm/** rwlk -> /dev/shm/**,
  owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
  owner /var/tmp/etilqs_@{sqlhex} rw,

--- a/apparmor.d/abstractions/ibus.d/complete
+++ b/apparmor.d/abstractions/ibus.d/complete
@ -8,6 +8,7 @@
      type=stream
      peer=(addr="@/tmp/ibus/dbus-????????"),

+  #aa:lint ignore=tunables
  # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs})
  # This should use this, but due to LP: #1856738 we cannot
  #unix (connect, receive, send)
@ -15,11 +16,10 @@
  #    peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"),
  unix (connect, receive, send)
      type=stream
-      peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore
-
+      peer=(addr="@/home/*/.cache/ibus/dbus-????????"),
  unix (connect, send, receive, accept, bind, listen)
       type=stream
-       addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore
+       addr="@/home/*/.cache/ibus/dbus-????????",

  dbus receive bus=session path=/org/freedesktop/IBus
       interface=org.freedesktop.DBus.Peer
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -99,10 +99,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
        /.fscrypt/protectors/ r,
  owner /.fscrypt/protectors/@{hex16} r,

+  #aa:lint ignore=tunables
        /home/ r,
-        /home/.fscrypt/policies/ r, #aa:lint ignore
-  owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore
-  owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore
+        /home/.fscrypt/policies/ r,
+  owner /home/.fscrypt/policies/@{hex32} r,
+  owner /home/.fscrypt/protectors/@{hex16}.link r,

  owner @{HOME}/.pam_environment r,

--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -73,7 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  @{bin}/kmod                    rCx -> kmod,
  @{bin}/ps                      rPx,
  @{sbin}/runc                   rUx,
-  @{bin}/runc                    rUx, #aa:lint ignore
+  @{bin}/runc                    rUx, #aa:lint ignore=sbin
  @{bin}/unpigz                  rix,
  @{sbin}/xtables-nft-multi      rCx -> nft,
  @{sbin}/xtables-legacy-multi   rCx -> nft,
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@ -13,9 +13,9 @@ profile hwinfo @{exec_path} {
  include <abstractions/disks-read>

  capability net_raw, # Needed for network related options
-  capability sys_admin, # Needed for @{PROC}/ioports
+  capability sys_admin, # Needed for /proc/ioports
  capability sys_rawio, # Needed for disk related options
-  capability syslog, # Needed for @{PROC}/kmsg
+  capability syslog, # Needed for /proc/kmsg

  network inet dgram,
  network inet6 dgram,