feat(profile): various security/linter improvement

- Ignore some rule from the linter
- Move some bin to subprofile

apparmor.d/groups/apt/dpkg-scripts

@@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} {
   @{sbin}/ldconfig.real                           Cx -> ldconfig,
   @{sbin}/update-rc.d                             Cx -> rc,
 
+  #aa:lint ignore=too-wide
   # Maintainer scripts can legitimately start/restart anything
   # PU is only used as a safety fallback.
   @{bin}/**                                       PUx,

apparmor.d/groups/apt/reportbug

@@ -61,8 +61,8 @@ profile reportbug @{exec_path} {
 
   /usr/share/bug/*/{control,presubj} r,
 
+  #aa:lint ignore=too-wide
   /etc/** r,
-  /etc/reportbug.conf r,
 
   owner @{HOME}/ r,  # For shell pwd
   owner @{HOME}/.reportbugrc{,~} rw,

apparmor.d/groups/pacman/pacdiff

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/pacdiff
 profile pacdiff @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/app/editor>
 
   capability dac_read_search,
   capability mknod,
@@ -30,11 +31,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
   @{bin}/rm           rix,
   @{bin}/sed          rix,
   @{bin}/tput         rix,
-  @{bin}/vim          rix,
-
-  owner @{HOME}/.viminfo{,.tmp} rw,
-
-  owner @{user_cache_dirs}/vim/{,**} rw,
 
   # packages files
   / r,

apparmor.d/profiles-a-f/baobab

@@ -19,6 +19,7 @@ profile baobab @{exec_path} {
 
   @{open_path}  rPx -> child-open-help,
 
+  #aa:lint ignore=too-wide
   # As a directory tree analyzer it needs full access to the filesystem
   / r,
   /** r,

apparmor.d/profiles-a-f/file-roller

@@ -28,6 +28,7 @@ profile file-roller @{exec_path} {
   # Archivers
   @{archive_path}      rix,
 
+  #aa:lint ignore=too-wide
   # Full access to user's data
   @{MOUNTS}/** rw,
   owner @{HOME}/** rw,

apparmor.d/profiles-m-r/mimetype

@@ -19,14 +19,14 @@ profile mimetype @{exec_path} {
   /usr/share/mime/aliases r,
   /usr/share/mime/magic r,
 
+  # To read files
+  owner /** r,  #aa:lint ignore=too-wide
+
   owner @{user_share_dirs}/mime/**.xml r,
   owner @{user_share_dirs}/mime/globs r,
   owner @{user_share_dirs}/mime/aliases r,
   owner @{user_share_dirs}/mime/magic r,
 
-  # To read files
-  /** r,
-
   include if exists <local/mimetype>
 }
 

apparmor.d/profiles-s-z/tomb

@@ -67,7 +67,7 @@ profile tomb @{exec_path} {
 
   @{sbin}/btrfs            rPx,
   @{sbin}/cryptsetup       rPUx,
-  @{bin}/e2fsc             rPUx,
+  @{sbin}/e2fsck           rPx,
   @{sbin}/fsck             rPx,
   @{bin}/gpg{,2}           rPx,
   @{bin}/lsblk             rPx,

apparmor.d/profiles-s-z/xarchiver

@@ -40,13 +40,10 @@ profile xarchiver @{exec_path} {
 
   owner @{HOME}/.bz2 rw,
 
-        / r,
+  #aa:lint ignore=too-wide
-        /home/ r,
+  # Full access to user's data
-  #owner @{HOME}/ r,
+  @{MOUNTS}/** rw,
-  #owner @{HOME}/** rw,
+  owner @{HOME}/** rw,
-        @{MOUNTS}/ r,
-        @{MOUNTS}/** rw,
-        /tmp/ r,
   owner @{tmp}/** rw,
 
         @{PROC}/@{pid}/mountinfo r,

tests/check.sh

@@ -171,6 +171,9 @@ _check_abstractions() {
             _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead"
         fi
     done
+    if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then
+        _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'"
+    fi
 }
 
 readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}')
@@ -222,7 +225,7 @@ readonly TRANSITION_MUST_PC=( # Must transition to 'Px'
     ischroot who
 )
 readonly TRANSITION_MUST_C=( # Must transition to 'Cx'
-    sysctl kmod pgrep pkexec sudo systemctl udevadm
+    sysctl kmod pgrep pkill pkexec sudo systemctl udevadm
     fusermount fusermount3 fusermount{,3}
     nvim vim sensible-editor
 )

tests/sbin.list

@@ -761,6 +761,7 @@ ugc
 umount.nfs
 umount.nfs4
 umount.udisks2
+unbound
 unconfined
 undump.bt
 unix_chkpwd