refactor(profiles): use @{bin} and @{lib} in profiles (5)

2023-07-09 14:34:42 +01:00 · 2023-07-09 14:34:42 +01:00 · fcedbbfd95
commit fcedbbfd95
parent 43b0f09b65
122 changed files with 873 additions and 876 deletions
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -7,7 +7,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}{s,}bin/logrotate
+@{exec_path} = @{bin}/logrotate
 profile logrotate @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -28,34 +28,34 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /{usr/,}{s,}bin/ r,
+  @{bin}/ r,

-  /{usr/,}{s,}bin/invoke-rc.d        rix,
-  /{usr/,}bin/{,ba,da}sh             rix,
-  /{usr/,}bin/cat                    rix,
-  /{usr/,}bin/grep                   rix,
-  /{usr/,}bin/gzip                   rix,
-  /{usr/,}bin/kill                   rix,
-  /{usr/,}bin/ls                     rix,
-  /{usr/,}bin/shred                  rix,
-  /{usr/,}bin/xz                     rix,
-  /{usr/,}bin/zstd                   rix,
-  /{usr/,}lib/rsyslog/rsyslog-rotate rix,
+  @{bin}/{,ba,da}sh             rix,
+  @{bin}/cat                    rix,
+  @{bin}/grep                   rix,
+  @{bin}/gzip                   rix,
+  @{bin}/invoke-rc.d            rix,
+  @{bin}/kill                   rix,
+  @{bin}/ls                     rix,
+  @{bin}/shred                  rix,
+  @{bin}/xz                     rix,
+  @{bin}/zstd                   rix,
+  @{lib}/rsyslog/rsyslog-rotate rix,

-  /{usr/,}bin/fail2ban-client                   rPx,
-  /{usr/,}bin/my_print_defaults                 rPUx,
-  /{usr/,}bin/mysqladmin                        rPUx,
-  /{usr/,}bin/systemd-tty-ask-password-agent    rPx,
-  /{usr/,}lib/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
+  @{bin}/fail2ban-client                   rPx,
+  @{bin}/my_print_defaults                 rPUx,
+  @{bin}/mysqladmin                        rPUx,
+  @{bin}/systemd-tty-ask-password-agent    rPx,
+  @{lib}/php/php[7-8].[3-4]-fpm-reopenlogs rPUx,
  /etc/init.d/nginx                             rPUx,
-  /{usr/,}{s,}bin/squid                         rPUx,
+  @{bin}/squid                         rPUx,

-  /{usr/,}bin/pgrep rCx -> pgrep,
+  @{bin}/pgrep rCx -> pgrep,

  # no new privs
-  #/{usr/,}bin/systemctl              rCx -> systemctl,
-  /{usr/,}bin/systemctl rix,
-  /{usr/,}{s,}bin/runlevel rix,
+  #@{bin}/systemctl              rCx -> systemctl,
+  @{bin}/systemctl rix,
+  @{bin}/runlevel rix,
  include <abstractions/wutmp>
  ptrace (read),
  capability sys_ptrace,
@ -90,7 +90,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
    capability sys_ptrace,
    ptrace (read),

-    /{usr/,}bin/systemctl mr,
+    @{bin}/systemctl mr,

    owner @{PROC}/@{pid}/stat r,
          @{PROC}/1/environ r,
@ -106,7 +106,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
  profile pgrep {
    include <abstractions/base>

-    /{usr/,}bin/pgrep mr,
+    @{bin}/pgrep mr,

    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
         @{PROC}/ r,