From f3ff9d8cf6dda90b616978e9cbdfbe1e127a11f3 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Mon, 13 Dec 2021 00:34:03 +0300
Subject: [PATCH] diff and colordiff

---
 apparmor.d/profiles-a-f/colordiff | 32 +++++++++++++++++++++++++++++++
 apparmor.d/profiles-a-f/diff | 27 ++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/colordiff
 create mode 100644 apparmor.d/profiles-a-f/diff

diff --git a/apparmor.d/profiles-a-f/colordiff b/apparmor.d/profiles-a-f/colordiff
new file mode 100644
index 000000000..7766f671a
--- /dev/null
+++ b/apparmor.d/profiles-a-f/colordiff
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{DIFF_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/share /usr/lib/systemd
+
+@{exec_path} = /{,usr/}bin/colordiff
+profile colordiff @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ @{DIFF_PATHS_RO}/** r,
+ @{MOUNTS}/** r,
+
+ /{,usr/}bin/diff rix,
+ /{,usr/}bin/perl rix,
+
+ /etc/colordiffrc r,
+
+ deny /var/log/{,**/}*.gz r,
+
+ # Extremely sensitive files
+ audit deny /etc/**.key mrwkl,
+ audit deny /etc/ssh/ssh_host_*_key mrwkl,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-a-f/diff b/apparmor.d/profiles-a-f/diff
new file mode 100644
index 000000000..752cfb03b
--- /dev/null
+++ b/apparmor.d/profiles-a-f/diff
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{DIFF_PATHS_RO} = /etc @{HOME} /srv /tmp /var /usr/share /usr/lib/systemd
+
+@{exec_path} = /{,usr/}bin/diff
+profile diff @{exec_path} {
+ @{exec_path} r,
+ include
+ include
+
+ @{DIFF_PATHS_RO}/** r,
+ @{MOUNTS}/** r,
+
+ deny /var/log/{,**/}*.gz r,
+
+ # Extremely sensitive files
+ audit deny /etc/**.key mrwkl,
+ audit deny /etc/ssh/ssh_host_*_key mrwkl,
+
+ include if exists
+}
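Review bot: The child exec rule `/{,usr/}bin/diff rix,` keeps diff running inside colordiff's own profile even though this same patch adds a dedicated `diff` profile in the next file; `/{,usr/}bin/diff rPx,` would confine it under that narrower profile (no perl exec, no `/etc/colordiffrc`), falling back to `rpx` only if the scrubbed environment turns out to break colordiff's invocation. The "Extremely sensitive files" block in both profiles audit-denies `/etc/**.key` and the ssh host keys, but the `@{HOME}/**` read granted through `@{DIFF_PATHS_RO}` leaves user key material such as `@{HOME}/.ssh/` and `@{HOME}/.gnupg/` readable, so if the project denies those paths elsewhere the same `audit deny` lines belong here and in the diff profile. `@{DIFF_PATHS_RO}` is declared verbatim in both files; moving it to a shared tunables include would keep the two lists from drifting apart. The `abi` and `include` lines appear with their angle-bracket targets stripped in this rendering, so which abstractions are pulled in could not be checked.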