feat(profile): move kmod in subprofile.

2025-06-21 20:22:25 +02:00 · 2025-06-21 20:22:25 +02:00 · f8250f7e0c
commit f8250f7e0c
parent e222816d32
3 changed files with 22 additions and 18 deletions
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@ -61,7 +61,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
  @{sbin}/iwconfig       rCx -> netconfig,
  @{bin}/journalctl      rCx -> journalctl,
  @{bin}/killall         rCx -> killall,
-  @{bin}/kmod            rix,
+  @{bin}/kmod            rCx -> kmod,
  @{bin}/lsb_release     rPx -> lsb_release,
  @{bin}/lsblk           rPx,
  @{bin}/lscpu           rPx,
@ -98,19 +98,27 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/virtual/dmi/id/* r,
  @{sys}/firmware/efi/efivars/ r,
  @{sys}/firmware/efi/efivars/* r,
-  @{sys}/module/*/ r,
-  @{sys}/module/*/{coresize,refcnt} r,
-  @{sys}/module/*/holders/ r,

  @{PROC}/bus/input/devices r,
  @{PROC}/cmdline r,
  @{PROC}/interrupts r,
  @{PROC}/ioports r,
-  @{PROC}/modules r,
  @{PROC}/scsi/scsi r,

  /dev/{,**} r,

+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    capability sys_module,
+
+    @{sys}/module/compression r,
+
+    include if exists <local/hw-probe_kmod>
+  }
+
+
  profile pacman flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/consoles>
--- a/apparmor.d/profiles-g-l/kernel
+++ b/apparmor.d/profiles-g-l/kernel
@ -13,8 +13,6 @@ profile kernel @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

-  capability sys_module,
-
  @{exec_path} mr,

  @{sh_path}        rix,
@ -24,7 +22,7 @@ profile kernel @{exec_path} {
  @{bin}/chmod      rix,
  @{bin}/cut        rix,
  @{bin}/dirname    rix,
-  @{bin}/kmod       rix,
+  @{bin}/kmod       rCx -> kmod,
  @{bin}/mv         rix,
  @{bin}/rm         rix,
  @{bin}/rmdir      rix,
@ -56,8 +54,6 @@ profile kernel @{exec_path} {

  /etc/apt/apt.conf.d/ r,
  /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
-  /etc/modprobe.d/ r,
-  /etc/modprobe.d/*.conf r,

  @{run}/reboot-required w,
  @{run}/reboot-required.pkgs rw,
@ -65,6 +61,13 @@ profile kernel @{exec_path} {
  @{PROC}/devices r,
  @{PROC}/cmdline r,

+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    include if exists <local/kernel_kmod>
+  }
+
  include if exists <local/kernel>
 }

--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}
 profile kmod @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
+  include <abstractions/app/kmod>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
@ -31,14 +31,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
  @{sbin}/sysctl     rCx -> sysctl,
  @{bin}/true        rix,

-  @{lib}/modprobe.d/{,*.conf} r,
  @{lib}/modules/*/modules.* rw,

  @{run}/modprobe.d/{,*.conf} r,

-  /etc/depmod.d/{,**} r,
-  /etc/modprobe.d/{,*.conf} r,
-
  /tmp/**/*.ko{,.zst} r,
  /usr/src/*/*.ko r,
  /var/lib/dkms/**/module/*.ko r,
@ -66,9 +62,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) {

  @{sys}/module/{,**} r,

-  @{PROC}/cmdline r,
-  @{PROC}/modules r,
-
  /dev/tty@{int} rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,