From f8250f7e0cc8e70fe679fac2374bad8690e24e09 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 21 Jun 2025 20:22:25 +0200
Subject: [PATCH] feat(profile): move kmod in subprofile.

---
 apparmor.d/profiles-g-l/hw-probe | 18 +++++++++++++-----
 apparmor.d/profiles-g-l/kernel | 13 ++++++++-----
 apparmor.d/profiles-g-l/kmod | 9 +--------
 3 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index f518a18f0..3fbb9b0fd 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -61,7 +61,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
 @{sbin}/iwconfig rCx -> netconfig,
 @{bin}/journalctl rCx -> journalctl,
 @{bin}/killall rCx -> killall,
- @{bin}/kmod rix,
+ @{bin}/kmod rCx -> kmod,
 @{bin}/lsb_release rPx -> lsb_release,
 @{bin}/lsblk rPx,
 @{bin}/lscpu rPx,
@@ -98,19 +98,27 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/* r,
 @{sys}/firmware/efi/efivars/ r,
 @{sys}/firmware/efi/efivars/* r,
- @{sys}/module/*/ r,
- @{sys}/module/*/{coresize,refcnt} r,
- @{sys}/module/*/holders/ r,
 @{PROC}/bus/input/devices r,
 @{PROC}/cmdline r,
 @{PROC}/interrupts r,
 @{PROC}/ioports r,
- @{PROC}/modules r,
 @{PROC}/scsi/scsi r,
 /dev/{,**} r,
+ profile kmod {
+ include
+ include
+
+ capability sys_module,
+
+ @{sys}/module/compression r,
+
+ include if exists
+ }
+
 profile pacman flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel
index 6bc2c8961..d375a1bdd 100644
--- a/apparmor.d/profiles-g-l/kernel
+++ b/apparmor.d/profiles-g-l/kernel
@@ -13,8 +13,6 @@ profile kernel @{exec_path} {
 include
 include
- capability sys_module,
-
 @{exec_path} mr,
 @{sh_path} rix,
@@ -24,7 +22,7 @@ profile kernel @{exec_path} {
 @{bin}/chmod rix,
 @{bin}/cut rix,
 @{bin}/dirname rix,
- @{bin}/kmod rix,
+ @{bin}/kmod rCx -> kmod,
 @{bin}/mv rix,
 @{bin}/rm rix,
 @{bin}/rmdir rix,
@@ -56,8 +54,6 @@ profile kernel @{exec_path} {
 /etc/apt/apt.conf.d/ r,
 /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
- /etc/modprobe.d/ r,
- /etc/modprobe.d/*.conf r,
 @{run}/reboot-required w,
 @{run}/reboot-required.pkgs rw,
@@ -65,6 +61,13 @@ profile kernel @{exec_path} {
 @{PROC}/devices r,
 @{PROC}/cmdline r,
+ profile kmod {
+ include
+ include
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index ccc8d6913..a793bf707 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -10,7 +10,7 @@ include
 @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}
 profile kmod @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 capability dac_read_search,
@@ -31,14 +31,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 @{sbin}/sysctl rCx -> sysctl,
 @{bin}/true rix,
- @{lib}/modprobe.d/{,*.conf} r,
 @{lib}/modules/*/modules.* rw,
 @{run}/modprobe.d/{,*.conf} r,
- /etc/depmod.d/{,**} r,
- /etc/modprobe.d/{,*.conf} r,
-
 /tmp/**/*.ko{,.zst} r,
 /usr/src/*/*.ko r,
 /var/lib/dkms/**/module/*.ko r,
@@ -66,9 +62,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 @{sys}/module/{,**} r,
- @{PROC}/cmdline r,
- @{PROC}/modules r,
-
 /dev/tty@{int} rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
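Review bot: The new `profile kmod` child in hw-probe grants `capability sys_module,` although every rule removed from the parent (`@{sys}/module/*/…`, `@{PROC}/modules r,`) is read-only listing access, so the only need visible here is lsmod/modinfo-style queries, which require no capability; if the parent profile (its header is outside this hunk) did not already hold it, a hardware-probing tool gains the ability to load and unload kernel modules. Unless hw-probe is documented to call modprobe, I would drop `capability sys_module,` from the child and let the audit log show whether it is ever needed. Moving the `@{sys}/module/*/` and `@{PROC}/modules r,` rules out of the parent also assumes only the kmod child reads them; if hw-probe opens `/proc/modules` itself, those reads will now be denied. The include targets of the child are not visible in this rendering, so I cannot confirm the kmod abstraction covers the moved paths.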
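Review bot: `capability sys_module,` is dropped from the kernel parent profile here but not added to the new `profile kmod` child in the `@@ -65` hunk, so if this hook ever calls modprobe or rmmod (rather than only depmod, which needs no capability) that call now fails under the child; the change is fine if the capability was only ever exercised through the previously inherited kmod binary for module loading that no longer happens. Worth a one-line comment on the child, e.g. `# depmod only: no sys_module needed`, so the next reader does not re-add it. The two kmod children introduced by this commit disagree (hw-probe's keeps `capability sys_module,`, kernel's does not), so either one is over- or under-privileged or the difference deserves a comment.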
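Review bot: `/etc/modprobe.d/{,*.conf} r,`, `/etc/depmod.d/{,**} r,` and `@{lib}/modprobe.d/{,*.conf} r,` are removed from the standalone kmod profile in `@@ -31` while `@{run}/modprobe.d/{,*.conf} r,` stays; presumably the removed paths now come from the abstraction swapped in at `@@ -10` (its name is not visible in this rendering), in which case the `@{run}` rule is likely redundant too, and if they do not, depmod and modprobe lose their configuration directories. Either move the `@{run}/modprobe.d` rule alongside the others or add a comment on the kept line explaining why it is special. The same dependency on that abstraction applies to the `/etc/modprobe.d/` reads dropped from kernel in `@@ -56`, where the new kmod child has no rules of its own beyond includes.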