refactor(profiles): use @{bin} and @{lib} in profiles (5)

Alexandre Pujol 2023-07-09 14:34:42 +01:00
parent 43b0f09b65
commit fcedbbfd95
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
122 changed files with 873 additions and 876 deletions


@ -7,13 +7,11 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/git
@{exec_path} += /{usr/,}bin/git-*
@{exec_path} += /{usr/,}lib/git-core/git
@{exec_path} += /{usr/,}lib/git-core/git-*
@{exec_path} += @{libexec}/git-core/git
@{exec_path} += @{libexec}/git-core/git-*
@{exec_path} += @{libexec}/git-core/mergetools/*
@{exec_path} = @{bin}/git
@{exec_path} += @{bin}/git-*
@{exec_path} += @{lib}/git-core/git
@{exec_path} += @{lib}/git-core/git-*
@{exec_path} += @{lib}/git-core/mergetools/*
profile git @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -34,47 +32,47 @@ profile git @{exec_path} {
# When you mistype a command, git checks the $PATH variable and search its exec dirs to give you
# the most similar commands, which it thinks can be used instead. Git binaries are all under
# /usr/bin/ , so allow only this location.
/{usr/,}bin/ r,
@{bin}/ r,
deny /{usr/,}sbin/ r,
deny /usr/local/{s,}bin/ r,
deny /usr/games/ r,
deny /usr/local/games/ r,
# These are needed for "git submodule update"
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/{,e}grep rix,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/date rix,
/{usr/,}bin/dirname rix,
/{usr/,}bin/envsubst rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/gettext.sh rix,
/{usr/,}bin/hostname rix,
/{usr/,}bin/mkdir rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/whoami rix,
@{bin}/{,ba,da}sh rix,
@{bin}/{,e}grep rix,
@{bin}/basename rix,
@{bin}/cat rix,
@{bin}/cat rix,
@{bin}/date rix,
@{bin}/dirname rix,
@{bin}/envsubst rix,
@{bin}/gettext rix,
@{bin}/gettext.sh rix,
@{bin}/hostname rix,
@{bin}/mkdir rix,
@{bin}/mv rix,
@{bin}/rm rix,
@{bin}/sed rix,
@{bin}/uname rix,
@{bin}/wc rix,
@{bin}/whoami rix,
/{usr/,}bin/pager rPx -> child-pager,
/{usr/,}bin/less rPx -> child-pager,
/{usr/,}bin/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
/{usr/,}bin/man rPx,
/{usr/,}bin/meld rPUx,
/{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
/{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx,
@{bin}/man rPx,
@{bin}/meld rPUx,
@{lib}/code/extensions/git/dist/askpass.sh rPx,
@{lib}/code/extensions/git/dist/git-editor.sh rPx,
/usr/share/aurpublish/*.hook rPx,
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/ssh rCx -> ssh,
/{usr/,}bin/sensible-editor rCx -> editor,
/{usr/,}bin/vim rCx -> editor,
/{usr/,}bin/vim.* rCx -> editor,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/ssh rCx -> ssh,
@{bin}/sensible-editor rCx -> editor,
@{bin}/vim rCx -> editor,
@{bin}/vim.* rCx -> editor,
/usr/share/git-core/{,**} r,
/usr/share/terminfo/x/xterm-256color r,
@ -108,8 +106,8 @@ profile git @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpg-agent rPx,
@{bin}/gpg{,2} mr,
@{bin}/gpg-agent rPx,
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -132,7 +130,7 @@ profile git @{exec_path} {
network inet6 stream,
network netlink raw,
/{usr/,}bin/ssh mr,
@{bin}/ssh mr,
/etc/ssh/ssh_config.d/{,*} r,
/etc/ssh/ssh_config r,
@ -162,11 +160,11 @@ profile git @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
/{usr/,}bin/sensible-editor mr,
/{usr/,}bin/vim mrix,
/{usr/,}bin/vim.* mrix,
/{usr/,}bin/{,ba,da}sh rix,
/{usr/,}bin/which{,.debianutils} rix,
@{bin}/sensible-editor mr,
@{bin}/vim mrix,
@{bin}/vim.* mrix,
@{bin}/{,ba,da}sh rix,
@{bin}/which{,.debianutils} rix,
/usr/share/vim/{,**} r,
/usr/share/terminfo/x/xterm-256color r,
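Review bot: The substitution is not scope-neutral for `@{lib}`: in the first hunk the separate `/{usr/,}lib/git-core/...` and `@{libexec}/git-core/...` attachment lines collapse into `@{lib}/git-core/...`, so `@{lib}` must match more than `/{usr/,}lib`, and rules such as `@{lib}/code/extensions/git/dist/askpass.sh rPx,` presumably now match under the libexec directories as well. The tunable definitions are not shown on this page; if `@{bin}` likewise covers the sbin directories, `@{bin}/ r,` overlaps the `deny /{usr/,}sbin/ r,` directly below it, and the `rix` rules for sh, rm, sed and the others would also apply to same-named files under sbin. I would state the intended expansion in the commit message and update the stale "allow only this location" comment, for example `# @{bin} may expand beyond /usr/bin; the deny rules below keep directory reads limited to the bin directories.` The duplicated `@{bin}/cat rix,` line carried over from the old side could be dropped while these lines are being touched.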