fix(profile): issue with re-attached paths

- Add missing att on some profiles - Fix alias / -> // - Fix aa-log att variable resolution fix #813 #814
2025-08-17 00:07:53 +02:00 · 2025-08-17 00:07:53 +02:00 · e55ace4e0a
commit e55ace4e0a
parent 5ee999536c
8 changed files with 15 additions and 11 deletions
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@ -14,6 +14,8 @@
  @{att}/@{run}/systemd/journal/socket w,
  @{att}/@{run}/systemd/journal/stdout rw,

+  @{att}/dev/null  rw,
+
  /apparmor/.null rw,
  @{att}/apparmor/.null rw,

--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -38,12 +38,14 @@
  pivot_root oldroot=/newroot/ /newroot/,
  pivot_root oldroot=/tmp/oldroot/ /tmp/,

-  owner / r,
  owner /newroot/{,**} w,

  owner /tmp/newroot/ w,
  owner /tmp/oldroot/ w,

+  @{att}/ r,
+  @{att}/@{run}/.userns r,
+
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
        @{PROC}/sys/user/max_user_namespaces r,
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@ -66,7 +66,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
  /etc/flatpak/{,**} r,
  /etc/pulse/client.conf r,

-  / r,
+  @{att}/ r,

  /var/lib/flatpak/{,**} rwlk,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -65,8 +65,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  @{open_path}                            rPx -> child-open,

        / r,
+  @{att}/ r,
  @{att}/.flatpak-info r,
-  owner @{att}/ r,

  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/wayland>
@ -41,9 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {

  @{PROC}/@{pids}/cmdline r,

-  @{att}/dev/tty@{int} rw,
-  /dev/tty rw,
-
  include if exists <local/xwayland>
 }

--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@ -62,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/environ r,

+  @{att}/dev/dri/card@{int} rw,
+  @{att}/dev/input/event@{int} rw,
+
        /dev/input/event@{int} rw,
        /dev/tty r,
  owner /dev/tty@{int} rw,
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@ -74,6 +74,6 @@
 # See https://apparmor.pujol.io/development/internal/#re-attached-path
@{att}=/

-alias // -> /,
+alias / -> //,

 # vim:syntax=apparmor
--- a/pkg/logs/logs.go
+++ b/pkg/logs/logs.go
@ -64,7 +64,7 @@ var (
 		`/home/[^/]+/`, `@{HOME}/`,

 		// Resolve system variables
-		`/att/[^/@]+`, `@{att}/`,
+		`/att/[^/]+/`, `@{att}/`,
 		`/usr/lib(32|64|exec)`, `@{lib}`,
 		`/usr/lib`, `@{lib}`,
 		`/usr/sbin`, `@{sbin}`,
@ -86,7 +86,6 @@ var (
 		`pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`,
 		`@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`,
 		`1000`, `@{uid}`,
-		`@{att}//`, `@{att}/`,

 		// Some system glob
 		`:not.active.yet`, `@{busname}`, // dbus unique bus name