feat(profile): add pacman hook profile for paccache

RayJW 2025-08-07 13:55:59 +02:00
parent d57b867696
commit c3a1accffc


@ -0,0 +1,149 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 valoq <valoq@mailbox.org>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
profile pacman//null-@{bin}/paccache//null-@{bin}/date {
@{bin}/date r,
/dev/pts/2 rw, # file_inherit
}
profile pacman//null-@{bin}/paccache//null-@{bin}/find {
@{bin}/find r,
@{lib}/gconv/gconv-modules.cache r,
/var/cache/pacman/pkg/ r,
/dev/pts/2 rw, # file_inherit
}
profile pacman//null-@{bin}/paccache//null-@{bin}/pacman-conf {
@{bin}/pacman-conf r,
/etc/pacman.conf r,
/etc/pacman.d/ r,
/dev/pts/2 rw, # file_inherit
}
profile pacman//null-@{bin}/paccache//null-@{bin}/pacsort {
@{bin}/pacsort r,
/dev/pts/2 rw, # file_inherit
}
profile pacman//null-@{bin}/paccache//null-@{bin}/gawk {
@{bin}/gawk r,
@{lib}/gconv/gconv-modules.cache r,
/dev/pts/2 rw, # file_inherit
}
profile pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgconf {
@{bin}/gpgconf r,
/dev/pts/2 rw, # file_inherit
}
# vim:syntax=apparmor
profile pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpg {
@{bin}/gpg r,
/etc/pacman.d/ r,
/etc/pacman.d/gnupg/ r,
/etc/pacman.d/gnupg/gpg.conf r,
/etc/pacman.d/gnupg/pubring.gpg r,
/etc/pacman.d/gnupg/trustdb.gpg rw,
/dev/pts/2 rw, # file_inherit
}
profile pacman {
@{bin}/paccache ix -> pacman//null-@{bin}/paccache,
}
profile pacman//null-@{bin}/paccache {
@{sh_path} r,
@{bin}/date ix -> pacman//null-@{bin}/paccache//null-@{bin}/date,
@{bin}/date r,
@{bin}/find ix -> pacman//null-@{bin}/paccache//null-@{bin}/find,
@{bin}/find r,
@{bin}/gawk ix -> pacman//null-@{bin}/paccache//null-@{bin}/gawk,
@{bin}/gawk r,
@{bin}/paccache r,
@{bin}/pacman ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman,
@{bin}/pacman r,
@{bin}/pacman-conf ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman-conf,
@{bin}/pacman-conf r,
@{bin}/pacsort ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacsort,
@{bin}/pacsort r,
@{lib}/gconv/gconv-modules.cache r,
/ r,
/usr/share/makepkg/util/message.sh r,
/usr/share/makepkg/util/parseopts.sh r,
/var/ r,
/var/cache/ r,
/var/cache/pacman/ r,
/var/cache/pacman/pkg/ r,
/dev/pts/2 rw, # file_inherit
/dev/tty rw,
}
profile pacman//null-@{bin}/paccache//null-@{bin}/pacman {
@{bin}/gpg ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpg,
@{bin}/gpgconf ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgconf,
@{bin}/gpgsm ix -> pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgsm,
@{bin}/pacman r,
@{lib}/gconv/gconv-modules.cache r,
/ r,
/etc/pacman.conf r,
/etc/pacman.d/ r,
/etc/ssl/openssl.cnf r,
/var/lib/pacman/local/ r,
/var/lib/pacman/local/ r,
/var/lib/pacman/sync/ r,
/dev/pts/2 rw, # file_inherit
}
profile pacman//null-@{bin}/paccache//null-@{bin}/pacman//null-@{bin}/gpgsm {
@{bin}/gpgsm r,
/dev/pts/2 rw, # file_inherit
}
profile paccache//null-@{bin}/find {
@{bin}/find r,
@{lib}/gconv/gconv-modules.cache r,
/var/cache/pacman/pkg/ r,
/dev/pts/2 rw, # file_inherit
}
profile paccache {
@{bin}/date ix -> paccache//null-@{bin}/date,
@{bin}/find ix -> paccache//null-@{bin}/find,
/dev/pts/2 rw, # file_inherit
}
profile paccache//null-@{bin}/date {
@{bin}/date r,
/dev/pts/2 rw, # file_inherit
}
# vim:syntax=apparmor
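Review bot: None of these profiles would work in enforce mode as committed: every profile lacks `include <abstractions/base>` (so no ld.so/libc loading), the top-level `profile paccache {` has no attachment path and no rule for its own `@{bin}/paccache` or `@{sh_path}`, and the `pacman//null-…` nesting, the `ix -> target` transitions and the `/dev/pts/2 rw, # file_inherit` lines are aa-logprof learning artifacts rather than rules to ship (a fixed pty number also breaks on any other terminal and grants whichever pty happens to be number 2, and I don't believe `ix` accepts a `->` target at all). `profile pacman {` near the end redefines a top-level `pacman` profile with a single rule, which will conflict with an existing `pacman` profile if the repository already ships one, and the gpg/gpgconf/gpgsm and `/var/lib/pacman/*` rules captured under the nested pacman child belong in that profile, not here (`/var/lib/pacman/local/ r,` is also duplicated). The capture contains no write/unlink permission on `/var/cache/pacman/pkg/` and no exec rule for `rm`, so an actual `paccache -r` removal run was presumably never exercised — confirm against the script before treating this ruleset as complete. I'd collapse this into one attached `paccache` profile that inherits the observed helpers and lets `pacman` reach it with a `@{bin}/paccache rPx,` rule; the stray `# vim:syntax=apparmor` in the middle of the file should go as well.
```apparmor
abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/paccache
profile paccache @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

  @{exec_path} mr,
  @{sh_path} rix,

  # Helpers seen in the capture run under this profile instead of null- children.
  @{bin}/date         rix,
  @{bin}/find         rix,
  @{bin}/gawk         rix,
  @{bin}/pacman-conf  rix,
  @{bin}/pacsort      rix,
  @{bin}/pacman       rPx,

  @{lib}/gconv/gconv-modules.cache r,
  /usr/share/makepkg/util/message.sh r,
  /usr/share/makepkg/util/parseopts.sh r,

  /etc/pacman.conf r,
  /etc/pacman.d/ r,

  /var/cache/pacman/pkg/ r,
  # … remaining directory reads from the capture …
  # TODO(review): add write/unlink on /var/cache/pacman/pkg/** and an rm exec rule
  # once a real `paccache -r` run has been captured.

  include if exists <local/paccache>
}

# vim:syntax=apparmor
```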