feat(abs): add the path abstraction.

2025-05-17 22:12:24 +02:00 · 2025-05-17 22:12:24 +02:00 · f9f4097164
commit f9f4097164
parent 2bad07f5ff
5 changed files with 30 additions and 22 deletions
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@ -5,15 +5,12 @@

  abi <abi/4.0>,

+  include <abstractions/path>
+
  @{bin}/**                     PUx,
  @{sbin}/**                    PUx,
  /usr/local/{s,}bin/**         PUx,

-  @{bin}/                       r,
-  /                             r,
-  /usr/                         r,
-  /usr/local/{s,}bin/           r,
-
  include if exists <abstractions/app-launcher-root.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -5,6 +5,8 @@

  abi <abi/4.0>,

+  include <abstractions/path>
+
  @{bin}/**                     PUx,
  /opt/*/**                     PUx,
  /usr/share/**                 PUx,
@ -18,12 +20,6 @@
  @{thunderbird_path}           Px,
  @{offices_path}              PUx,

-  @{bin}/                       r,
-  /                             r,
-  /usr/                         r,
-  /usr/local/bin/               r,
-
-  @{user_bin_dirs}/             r,
  @{user_bin_dirs}/**          PUx,

  include if exists <abstractions/app-launcher-user.d>
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -27,6 +27,7 @@
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
+  include <abstractions/path>
  include <abstractions/ssl_certs>
  include <abstractions/video>

@ -39,12 +40,8 @@

  /etc/{,**} r,

-        / r,
        /.* r,
-        /*/ r,
-        @{bin}/ r,
        @{lib}/ r,
-        /usr/local/bin/ r,
  owner /_@{int}_/ w,
  owner /@{uuid}/ w,
  owner /var/cache/ldconfig/{,**} rw,
--- a/apparmor.d/abstractions/path
+++ b/apparmor.d/abstractions/path
@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Common directories in $PATH, used by launchers and interactive shells.
+
+  abi <abi/4.0>,
+
+  @{bin}/ r,
+  @{bin}/*/ r,
+  @{sbin}/ r,
+  @{sbin}/*/ r,
+
+  / r,
+  /usr/ r,
+  /usr/local/bin/ r,
+  /usr/local/sbin/ r,
+
+  @{user_bin_dirs}/ r,
+
+  include if exists <abstractions/path.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/groups/children/child-open-any
+++ b/apparmor.d/groups/children/child-open-any
@ -14,6 +14,7 @@ include <tunables/global>
 profile child-open-any flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/app/open>
+  include <abstractions/path>

  @{bin}/**                     PUx,
  @{lib}/**                     PUx,
@ -22,12 +23,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) {
  /usr/local/bin/**             PUx,
  /usr/share/**                 PUx,

-  @{bin}/                       r,
-  @{user_bin_dirs}/             r,
-  /                             r,
-  /usr/                         r,
-  /usr/local/bin/               r,
-
  include if exists <usr/child-open-any.d>
  include if exists <local/child-open-any>
 }