felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(abs): add the path abstraction.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-17 22:12:24 +02:00
parent 2bad07f5ff
commit f9f4097164
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 30 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

7
apparmor.d/abstractions/app-launcher-root
View file

@ -5,15 +5,12 @@
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/path>
@{bin}/** PUx, @{bin}/** PUx,
@{sbin}/** PUx, @{sbin}/** PUx,
/usr/local/{s,}bin/** PUx, /usr/local/{s,}bin/** PUx,
@{bin}/ r,
/ r,
/usr/ r,
/usr/local/{s,}bin/ r,
include if exists <abstractions/app-launcher-root.d> include if exists <abstractions/app-launcher-root.d>
# vim:syntax=apparmor # vim:syntax=apparmor

10
apparmor.d/abstractions/app-launcher-user
View file

@ -5,6 +5,8 @@
abi <abi/4.0>, abi <abi/4.0>,
include <abstractions/path>
@{bin}/** PUx, @{bin}/** PUx,
/opt/*/** PUx, /opt/*/** PUx,
/usr/share/** PUx, /usr/share/** PUx,
@ -18,13 +20,7 @@
@{thunderbird_path} Px, @{thunderbird_path} Px,
@{offices_path} PUx, @{offices_path} PUx,
@{bin}/ r, @{user_bin_dirs}/** PUx,
/ r,
/usr/ r,
/usr/local/bin/ r,
@{user_bin_dirs}/ r,
@{user_bin_dirs}/** PUx,
include if exists <abstractions/app-launcher-user.d> include if exists <abstractions/app-launcher-user.d>

5
apparmor.d/abstractions/common/app
View file

@ -27,6 +27,7 @@
include <abstractions/gstreamer> include <abstractions/gstreamer>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/p11-kit> include <abstractions/p11-kit>
include <abstractions/path>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
include <abstractions/video> include <abstractions/video>
@ -39,12 +40,8 @@
/etc/{,**} r, /etc/{,**} r,
/ r,
/.* r, /.* r,
/*/ r,
@{bin}/ r,
@{lib}/ r, @{lib}/ r,
/usr/local/bin/ r,
owner /_@{int}_/ w, owner /_@{int}_/ w,
owner /@{uuid}/ w, owner /@{uuid}/ w,
owner /var/cache/ldconfig/{,**} rw, owner /var/cache/ldconfig/{,**} rw,

23
apparmor.d/abstractions/path Normal file
View file

@ -0,0 +1,23 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Common directories in $PATH, used by launchers and interactive shells.
abi <abi/4.0>,
@{bin}/ r,
@{bin}/*/ r,
@{sbin}/ r,
@{sbin}/*/ r,
/ r,
/usr/ r,
/usr/local/bin/ r,
/usr/local/sbin/ r,
@{user_bin_dirs}/ r,
include if exists <abstractions/path.d>
# vim:syntax=apparmor

7
apparmor.d/groups/children/child-open-any
View file

@ -14,6 +14,7 @@ include <tunables/global>
profile child-open-any flags=(attach_disconnected,mediate_deleted) { profile child-open-any flags=(attach_disconnected,mediate_deleted) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/open> include <abstractions/app/open>
include <abstractions/path>
@{bin}/** PUx, @{bin}/** PUx,
@{lib}/** PUx, @{lib}/** PUx,
@ -22,12 +23,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) {
/usr/local/bin/** PUx, /usr/local/bin/** PUx,
/usr/share/** PUx, /usr/share/** PUx,
@{bin}/ r,
@{user_bin_dirs}/ r,
/ r,
/usr/ r,
/usr/local/bin/ r,
include if exists <usr/child-open-any.d> include if exists <usr/child-open-any.d>
include if exists <local/child-open-any> include if exists <local/child-open-any>
} }