From fd17a77b179bde3eea91b4ad43b3032d0a8e4f88 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 21:27:57 +0200 Subject: [PATCH] feat(profile): use @{sbin} for all program inside /usr/sbin. --- apparmor.d/abstractions/app/kmod | 14 +++--- .../abstractions/authentication.d/complete | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/_full/systemd-service | 6 +-- apparmor.d/groups/apparmor/aa-enforce | 4 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-status | 2 +- apparmor.d/groups/apparmor/aa-teardown | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- apparmor.d/groups/apparmor/apparmor.systemd | 6 +-- apparmor.d/groups/apparmor/apparmor_parser | 2 +- apparmor.d/groups/apt/apt | 4 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/querybts | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 4 +- apparmor.d/groups/bluetooth/blueman-mechanism | 6 +-- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-anacron | 2 +- apparmor.d/groups/cron/cron-apt | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 2 +- apparmor.d/groups/cron/cron-cracklib | 2 +- apparmor.d/groups/cron/cron-exim4-base | 4 +- .../groups/cron/cron-ipset-autoban-save | 2 +- apparmor.d/groups/cron/cron-logrotate | 2 +- apparmor.d/groups/cron/cron-man-db | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- .../groups/cron/cron-popularity-contest | 6 +-- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/cups/cupsd | 4 +- apparmor.d/groups/filesystem/fsck.btrfs | 2 +- apparmor.d/groups/filesystem/fsck.fat | 2 +- apparmor.d/groups/filesystem/lvm | 2 +- apparmor.d/groups/filesystem/lvmconfig | 2 +- apparmor.d/groups/filesystem/lvmdump | 2 +- apparmor.d/groups/filesystem/lvmpolld | 2 +- apparmor.d/groups/filesystem/mke2fs | 4 +- apparmor.d/groups/filesystem/mkfs-btrfs | 2 +- apparmor.d/groups/filesystem/mkswap | 2 +- apparmor.d/groups/filesystem/mount-cifs | 2 +- apparmor.d/groups/filesystem/ntfsclone | 2 +- apparmor.d/groups/filesystem/ntfscp | 2 +- apparmor.d/groups/filesystem/ntfslabel | 2 +- apparmor.d/groups/filesystem/ntfsresize | 2 +- apparmor.d/groups/filesystem/ntfsundelete | 2 +- apparmor.d/groups/filesystem/udisksd | 16 +++---- apparmor.d/groups/filesystem/umount.udisks2 | 2 +- apparmor.d/groups/firewall/firewalld | 14 +++--- apparmor.d/groups/firewall/nft | 2 +- apparmor.d/groups/firewall/ufw | 6 +-- apparmor.d/groups/firewall/ufw-init | 6 +-- apparmor.d/groups/flatpak/flatpak-app | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 8 ++-- apparmor.d/groups/freedesktop/plymouthd | 2 +- .../groups/freedesktop/update-mime-database | 2 +- apparmor.d/groups/gnome/gnome-control-center | 4 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-macbless | 2 +- apparmor.d/groups/grub/grub-mkconfig | 6 +-- apparmor.d/groups/grub/grub-mkdevicemap | 2 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-probe | 4 +- apparmor.d/groups/grub/grub-reboot | 2 +- apparmor.d/groups/grub/grub-set-default | 2 +- apparmor.d/groups/grub/update-grub | 4 +- apparmor.d/groups/kde/kauth-kded-smart-helper | 2 +- .../kde/kauth-kinfocenter-dmidecode-helper | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 8 ++-- apparmor.d/groups/network/dhcpcd | 4 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/iwd | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/nm-dispatcher | 4 +- apparmor.d/groups/network/nm-openvpn-service | 2 +- apparmor.d/groups/network/openvpn | 12 ++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 4 +- apparmor.d/groups/network/wg-quick | 12 ++--- apparmor.d/groups/pacman/mkinitcpio | 6 +-- apparmor.d/groups/pacman/pacman | 18 ++++---- apparmor.d/groups/pacman/pacman-hook-depmod | 2 +- apparmor.d/groups/pacman/pacman-hook-dkms | 2 +- apparmor.d/groups/procps/sysctl | 2 +- apparmor.d/groups/shadow/chpasswd | 2 +- apparmor.d/groups/shadow/groupadd | 2 +- apparmor.d/groups/shadow/groupdel | 2 +- apparmor.d/groups/shadow/groupmod | 2 +- apparmor.d/groups/shadow/grpck | 2 +- apparmor.d/groups/shadow/pwck | 2 +- apparmor.d/groups/shadow/useradd | 4 +- apparmor.d/groups/shadow/userdel | 2 +- apparmor.d/groups/shadow/usermod | 2 +- apparmor.d/groups/snap/snapd | 12 ++--- apparmor.d/groups/snap/snapd-apparmor | 2 +- apparmor.d/groups/ssh/sshd | 4 +- apparmor.d/groups/steam/steam | 4 +- apparmor.d/groups/steam/steam-game-proton | 4 +- apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-fsck | 6 +-- .../systemd/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd/systemd-homed | 6 +-- apparmor.d/groups/systemd/systemd-makefs | 4 +- .../groups/systemd/systemd-sulogin-shell | 2 +- apparmor.d/groups/systemd/systemd-udevd | 8 ++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- .../groups/ubuntu/subiquity-console-conf | 4 +- .../groups/ubuntu/update-motd-fsck-at-reboot | 2 +- apparmor.d/groups/utils/agetty | 2 +- apparmor.d/groups/utils/blkid | 2 +- apparmor.d/groups/utils/blockdev | 2 +- apparmor.d/groups/utils/fsck | 6 +-- apparmor.d/groups/utils/fstrim | 2 +- apparmor.d/groups/utils/locale-gen | 2 +- apparmor.d/groups/utils/losetup | 2 +- apparmor.d/groups/utils/nologin | 2 +- apparmor.d/groups/utils/su | 2 +- apparmor.d/groups/utils/sulogin | 2 +- apparmor.d/groups/utils/swaplabel | 2 +- apparmor.d/groups/utils/swapon | 2 +- apparmor.d/groups/utils/uuidd | 2 +- apparmor.d/groups/utils/zramctl | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- apparmor.d/groups/virt/cockpit-bridge | 4 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/containerd | 2 +- apparmor.d/groups/virt/dockerd | 4 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/virt/libvirt-dbus | 4 +- apparmor.d/groups/virt/libvirtd | 20 ++++---- apparmor.d/groups/virt/virt-aa-helper | 2 +- apparmor.d/groups/virt/virtlockd | 2 +- apparmor.d/groups/virt/virtlogd | 2 +- apparmor.d/groups/virt/virtnetworkd | 2 +- apparmor.d/groups/virt/xtables | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/whonix-firewalld | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 4 +- apparmor.d/profiles-a-f/acpid | 2 +- apparmor.d/profiles-a-f/adduser | 10 ++-- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/alsactl | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 4 +- apparmor.d/profiles-a-f/auditctl | 2 +- apparmor.d/profiles-a-f/auditd | 2 +- apparmor.d/profiles-a-f/augenrules | 4 +- apparmor.d/profiles-a-f/badblocks | 2 +- apparmor.d/profiles-a-f/biosdecode | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 6 +-- apparmor.d/profiles-a-f/borg | 2 +- apparmor.d/profiles-a-f/briar-desktop | 2 +- apparmor.d/profiles-a-f/calibre | 2 +- apparmor.d/profiles-a-f/cfdisk | 2 +- apparmor.d/profiles-a-f/cgdisk | 2 +- apparmor.d/profiles-a-f/check-bios-nx | 4 +- .../profiles-a-f/check-support-status-hook | 6 +-- apparmor.d/profiles-a-f/cracklib-packer | 2 +- apparmor.d/profiles-a-f/deluser | 6 +-- apparmor.d/profiles-a-f/dhclient-script | 6 +-- apparmor.d/profiles-a-f/dkms | 4 +- apparmor.d/profiles-a-f/dkms-autoinstaller | 2 +- apparmor.d/profiles-a-f/dmeventd | 2 +- apparmor.d/profiles-a-f/dmidecode | 2 +- apparmor.d/profiles-a-f/dmsetup | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/dumpe2fs | 2 +- apparmor.d/profiles-a-f/e2fsck | 4 +- apparmor.d/profiles-a-f/e2image | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 2 +- apparmor.d/profiles-a-f/f3fix | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 4 +- apparmor.d/profiles-a-f/fatlabel | 2 +- apparmor.d/profiles-a-f/fatresize | 2 +- apparmor.d/profiles-a-f/fdisk | 2 +- apparmor.d/profiles-a-f/finalrd | 2 +- apparmor.d/profiles-a-f/firecfg | 2 +- apparmor.d/profiles-a-f/frontend | 6 +-- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gdisk | 2 +- apparmor.d/profiles-g-l/gparted | 8 ++-- apparmor.d/profiles-g-l/gpartedbin | 46 +++++++++---------- apparmor.d/profiles-g-l/gsmartcontrol | 4 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hdparm | 2 +- apparmor.d/profiles-g-l/hw-probe | 30 ++++++------ apparmor.d/profiles-g-l/hwinfo | 2 +- apparmor.d/profiles-g-l/hypnotix | 2 +- apparmor.d/profiles-g-l/ifconfig | 2 +- apparmor.d/profiles-g-l/ifup | 8 ++-- apparmor.d/profiles-g-l/initd-kexec | 2 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/inxi | 10 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/iw | 2 +- apparmor.d/profiles-g-l/iwconfig | 2 +- apparmor.d/profiles-g-l/iwlist | 2 +- apparmor.d/profiles-g-l/kexec | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/kvm-ok | 4 +- apparmor.d/profiles-g-l/logrotate | 4 +- apparmor.d/profiles-m-r/mkinitramfs | 8 ++-- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/monitorix | 4 +- apparmor.d/profiles-m-r/mpsyt | 2 +- apparmor.d/profiles-m-r/needrestart | 4 +- .../profiles-m-r/needrestart-apt-pinvoke | 2 +- .../needrestart-iucode-scan-versions | 2 +- apparmor.d/profiles-m-r/on-ac-power | 2 +- apparmor.d/profiles-m-r/os-prober | 6 +-- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 4 +- apparmor.d/profiles-m-r/parted | 4 +- apparmor.d/profiles-m-r/partprobe | 4 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/pcscd | 2 +- apparmor.d/profiles-m-r/rdmsr | 2 +- apparmor.d/profiles-m-r/resize2fs | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- apparmor.d/profiles-m-r/rfkill | 2 +- apparmor.d/profiles-m-r/rsyslogd | 2 +- apparmor.d/profiles-m-r/rtkitctl | 2 +- apparmor.d/profiles-m-r/run-parts | 8 ++-- apparmor.d/profiles-m-r/runuser | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/setvtrgb | 2 +- apparmor.d/profiles-s-z/sfdisk | 2 +- apparmor.d/profiles-s-z/sgdisk | 2 +- apparmor.d/profiles-s-z/smartctl | 2 +- apparmor.d/profiles-s-z/smartd | 2 +- .../profiles-s-z/spectre-meltdown-checker | 4 +- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- apparmor.d/profiles-s-z/tlp | 6 +-- apparmor.d/profiles-s-z/tomb | 14 +++--- apparmor.d/profiles-s-z/torsocks | 2 +- .../profiles-s-z/udev-bcache-export-cached | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- .../profiles-s-z/update-ca-certificates | 2 +- apparmor.d/profiles-s-z/update-cracklib | 6 +-- apparmor.d/profiles-s-z/update-initramfs | 4 +- apparmor.d/profiles-s-z/update-pciids | 2 +- .../profiles-s-z/update-secureboot-policy | 2 +- apparmor.d/profiles-s-z/update-smart-drivedb | 4 +- apparmor.d/profiles-s-z/updatedb-mlocate | 2 +- apparmor.d/profiles-s-z/veracrypt | 8 ++-- apparmor.d/profiles-s-z/vidcutter | 2 +- apparmor.d/profiles-s-z/virt-manager | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/whdd | 2 +- apparmor.d/profiles-s-z/wpa-action | 6 +-- apparmor.d/profiles-s-z/wpa-cli | 4 +- apparmor.d/profiles-s-z/wpa-supplicant | 2 +- apparmor.d/profiles-s-z/wrmsr | 2 +- apparmor.d/profiles-s-z/youtube-dl | 2 +- apparmor.d/profiles-s-z/ytdl | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- 270 files changed, 475 insertions(+), 475 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 25a0c0c38..86bb7d78a 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,13 +7,13 @@ include - @{bin}/depmod mr, - @{bin}/insmod mr, - @{bin}/kmod mr, - @{bin}/lsmod mr, - @{bin}/modinfo mr, - @{bin}/modprobe mr, - @{bin}/rmmod mr, + @{sbin}/depmod mr, + @{sbin}/insmod mr, + @{bin}/kmod mr, + @{sbin}/lsmod mr, + @{sbin}/modinfo mr, + @{sbin}/modprobe mr, + @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 450fa84d4..a4ed65e8c 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -6,7 +6,7 @@ @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, #aa:only abi3 - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, #aa:only whonix @{lib}/security-misc/pam-abort-on-locked-password rPx, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d3a193244..827e9fcf7 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -173,7 +173,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { # Shell based systemd unit services # TODO: create unit profile for all of them - @{bin}/ldconfig Px -> systemd-service, + @{sbin}/ldconfig Px -> systemd-service, @{bin}/mandb Px -> systemd-service, @{bin}/savelog Px -> systemd-service, @{coreutils_path} Px -> systemd-service, diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service index dfe3000bc..a53193cc5 100644 --- a/apparmor.d/groups/_full/systemd-service +++ b/apparmor.d/groups/_full/systemd-service @@ -21,7 +21,7 @@ profile systemd-service flags=(attach_disconnected) { capability chown, capability fsetid, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/savelog rix, @{bin}/systemctl rix, @{bin}/gzip rix, @@ -32,8 +32,8 @@ profile systemd-service flags=(attach_disconnected) { @{bin}/ifup rPx, # shadow.service - @{bin}/pwck rPx, - @{bin}/grpck rPx, + @{sbin}/pwck rPx, + @{sbin}/grpck rPx, @{bin}/grub-editenv rPx, @{bin}/ibus-daemon rPx, diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index da4d63460..fcf7dc724 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable +@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable profile aa-enforce @{exec_path} { include include @@ -17,7 +17,7 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, @{bin}/ r, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 31622c1bd..c6fc2dff2 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -89,7 +89,7 @@ profile aa-notify @{exec_path} { ptrace read peer=aa-notify, - @{bin}/apparmor_parser Px, + @{sbin}/apparmor_parser Px, @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, /usr/share/apparmor/** r, diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index a48dc693c..17de74439 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status +@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status profile aa-status @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown index b625ad8c6..059766181 100644 --- a/apparmor.d/groups/apparmor/aa-teardown +++ b/apparmor.d/groups/apparmor/aa-teardown @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-teardown +@{exec_path} = @{sbin}/aa-teardown profile aa-teardown @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 08c401270..7c53f7c8d 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-unconfined +@{exec_path} = @{sbin}/aa-unconfined profile aa-unconfined @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index 79b3f1a86..cb862ff48 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/aa-status rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/aa-status rPx, + @{sbin}/apparmor_parser rPx, @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index dc15d48b9..0a9f9fcaf 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -8,7 +8,7 @@ include @{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} -@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser +@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index fc5d1b3cc..5c33a1866 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include include @@ -80,7 +80,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, @{bin}/localepurge rPx, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 29a1309c7..eb8a8cd8d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index c71d9749c..ef7852863 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dpkg-preconfigure +@{exec_path} = @{sbin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 85bd2e6c3..2a2063d8e 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -31,7 +31,7 @@ profile querybts @{exec_path} { @{bin}/ r, @{sh_path} rix, @{bin}/stty rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{open_path} rPx -> child-open-browsers, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ae2e64e5d..dbd02ff6c 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -30,7 +30,7 @@ profile reportbug @{exec_path} { @{bin}/ r, @{python_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 58224dd45..651fac1ba 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -45,7 +45,7 @@ profile synaptic @{exec_path} { @{bin}/deborphan rPx, @{bin}/debtags rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index bee1c0fe8..2778b2b39 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -51,10 +51,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/apt-listchanges rPx, @{bin}/dpkg rPx, @{bin}/dpkg-divert rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/sendmail rPUx, @{lib}/apt/methods/http{,s} rPx, @{lib}/needrestart/apt-pinvoke rPx, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index bb6c6cdf7..ffdda336e 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -36,9 +36,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{bin}/ip rix, - #@{bin}/xtables-nft-multi rix, - #@{bin}/dnsmasq rPx, + #@{sbin}/ip rix, + #@{sbin}/xtables-nft-multi rix, + #@{sbin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a561954a3..7d1be8442 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/speech-dispatcher rPx, - @{bin}/update-mime-database rPx, + @{sbin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 57c2ed4b8..1322108d4 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/anacron +@{exec_path} = @{sbin}/anacron profile anacron @{exec_path} { include include diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 25549a39c..c92441568 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron +@{exec_path} = @{sbin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 15d1b9737..91c531618 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{bin}/anacron rPx, + @{sbin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 29294fa53..81e5761d7 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron-apt +@{exec_path} = @{sbin}/cron-apt profile cron-apt @{exec_path} { include include diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 2aaa6b142..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 2c3f90a9a..f264de78c 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -22,7 +22,7 @@ profile cron-apt-xapian-index @{exec_path} { @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index ede030682..9399b6ed4 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} { @{sh_path} rix, @{bin}/logger rix, - @{bin}/update-cracklib rPx, + @{sbin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 42f2f0823..2970f8d42 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -39,8 +39,8 @@ profile cron-exim4-base @{exec_path} { @{bin}/exim4 rPx, @{bin}/exim_tidydb rix, - @{bin}/start-stop-daemon rix, - @{bin}/runuser rix, + @{sbin}/start-stop-daemon rix, + @{sbin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 601368446..8b5891eed 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index abe3542f6..36044b2f3 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/logrotate rPx, + @{sbin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 8629f7be2..709f843e8 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/start-stop-daemon rix, + @{sbin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 852e85141..f0757187a 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 7080658c3..742531b41 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 21455fb7d..c4b9de0b3 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{bin}/getcap rix, + @{sbin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index d240454f5..156d5e820 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crontab +@{exec_path} = @{sbin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 41d22ed9b..f671ce6e9 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cups-browsed +@{exec_path} = @{sbin}/cups-browsed profile cups-browsed @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 697a307f9..91dd32f51 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cupsd +@{exec_path} = @{sbin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{bin}/ippfind rix, + @{sbin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs index f8ac9419d..512265788 100644 --- a/apparmor.d/groups/filesystem/fsck.btrfs +++ b/apparmor.d/groups/filesystem/fsck.btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.btrfs +@{exec_path} = @{sbin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/groups/filesystem/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat index fd944532f..0e7df947d 100644 --- a/apparmor.d/groups/filesystem/fsck.fat +++ b/apparmor.d/groups/filesystem/fsck.fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck +@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm index 4fb66d92c..ad4645bff 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvm +@{exec_path} = @{sbin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/filesystem/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig index 5e5a0d1dd..39224c22f 100644 --- a/apparmor.d/groups/filesystem/lvmconfig +++ b/apparmor.d/groups/filesystem/lvmconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmconfig +@{exec_path} = @{sbin}/lvmconfig profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmdump b/apparmor.d/groups/filesystem/lvmdump index 6a443fc57..5e90ffeee 100644 --- a/apparmor.d/groups/filesystem/lvmdump +++ b/apparmor.d/groups/filesystem/lvmdump @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmdump +@{exec_path} = @{sbin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld index fdc3bad3f..4168ad4fe 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmpolld +@{exec_path} = @{sbin}/lvmpolld profile lvmpolld @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index 56a223bdd..a3edbeb50 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 +@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include include @@ -19,7 +19,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/groups/filesystem/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs index 1e6c95838..54c83e559 100644 --- a/apparmor.d/groups/filesystem/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkfs.btrfs +@{exec_path} = @{sbin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/groups/filesystem/mkswap index 4a818cd58..fa30030f3 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkswap +@{exec_path} = @{sbin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs index cf1ceefb3..a6c8d01e3 100644 --- a/apparmor.d/groups/filesystem/mount-cifs +++ b/apparmor.d/groups/filesystem/mount-cifs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.cifs +@{exec_path} = @{sbin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/filesystem/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone index c239e81af..c6443bf7a 100644 --- a/apparmor.d/groups/filesystem/ntfsclone +++ b/apparmor.d/groups/filesystem/ntfsclone @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsclone +@{exec_path} = @{sbin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfscp b/apparmor.d/groups/filesystem/ntfscp index 2e36046ba..f3bc38b6a 100644 --- a/apparmor.d/groups/filesystem/ntfscp +++ b/apparmor.d/groups/filesystem/ntfscp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfscp +@{exec_path} = @{sbin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel index 471aefaa1..5d4089a44 100644 --- a/apparmor.d/groups/filesystem/ntfslabel +++ b/apparmor.d/groups/filesystem/ntfslabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfslabel +@{exec_path} = @{sbin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize index 5c7d5c835..3eac37d70 100644 --- a/apparmor.d/groups/filesystem/ntfsresize +++ b/apparmor.d/groups/filesystem/ntfsresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsresize +@{exec_path} = @{sbin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete index 4d96d1dbd..9f68cba7a 100644 --- a/apparmor.d/groups/filesystem/ntfsundelete +++ b/apparmor.d/groups/filesystem/ntfsundelete @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsundelete +@{exec_path} = @{sbin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index f661ccd12..7d4febb1f 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -73,18 +73,18 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/umount rix, - @{bin}/dmidecode rPx, - @{bin}/dumpe2fs rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dumpe2fs rPx, @{bin}/eject rPx, - @{bin}/fsck.fat rPx, - @{bin}/lvm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPx, + @{sbin}/fsck.fat rPx, + @{sbin}/lvm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, - @{bin}/sfdisk rPx, - @{bin}/sgdisk rPx, + @{sbin}/sfdisk rPx, + @{sbin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, @{bin}/xfs_* rPUx, diff --git a/apparmor.d/groups/filesystem/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2 index 4e842c7fb..752a1d5d3 100644 --- a/apparmor.d/groups/filesystem/umount.udisks2 +++ b/apparmor.d/groups/filesystem/umount.udisks2 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/umount.udisks2 +@{exec_path} = @{sbin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 003089ca4..7a6b7a9cf 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/firewalld +@{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include include @@ -34,14 +34,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/alts rix, - @{bin}/ebtables-legacy rix, - @{bin}/ebtables-legacy-restore rix, + @{sbin}/ebtables-legacy rix, + @{sbin}/ebtables-legacy-restore rix, @{bin}/false rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, @{bin}/kmod rix, - @{bin}/modprobe rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rmix, + @{sbin}/modprobe rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rmix, /usr/local/lib/@{python_name}/dist-packages/ r, diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/groups/firewall/nft index 292b22043..2392829c8 100644 --- a/apparmor.d/groups/firewall/nft +++ b/apparmor.d/groups/firewall/nft @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/nft +@{exec_path} = @{sbin}/nft profile nft @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index d16675235..09f4f06f2 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -33,9 +33,9 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/cat rix, @{bin}/env r, - @{bin}/sysctl rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/sysctl rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/ufw/ufw-init rix, /etc/default/ufw rw, diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 78483a399..5c0521790 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -22,9 +22,9 @@ profile ufw-init @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/sysctl rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/sysctl rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/default/ufw r, /etc/ufw/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 397475a43..8d35bc8e0 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index d3aaa753f..85e277198 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -27,13 +27,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/cat rix, @{bin}/chage rPx, @{bin}/passwd rPx, - @{bin}/chpasswd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/chpasswd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, @{bin}/locale rPUx, /usr/share/language-tools/language-validate rPx, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 1b004021f..0a2390661 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/plymouthd +@{exec_path} = @{sbin}/plymouthd profile plymouthd @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 9efd9cccc..6f6b39700 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-mime-database +@{exec_path} = @{sbin}/update-mime-database profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 07f6a0599..994c8e445 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -60,11 +60,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index e52e96b8a..06fdf1601 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-install +@{exec_path} = @{sbin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index c2571ea73..17e71a25c 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-macbless +@{exec_path} = @{sbin}/grub-macbless profile grub-macbless @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 1ff23f1fe..0ca05d549 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include @@ -27,14 +27,14 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPUx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 533f9780b..2a7082c64 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkdevicemap +@{exec_path} = @{sbin}/grub-mkdevicemap profile grub-mkdevicemap @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index 94c4c7e2b..d147b94fb 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} { @{exec_path} mr, - @{bin}/grub-install rPx, + @{sbin}/grub-install rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 3c22c2d27..6d0ec6a72 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-probe +@{exec_path} = @{sbin}/grub-probe profile grub-probe @{exec_path} { include include @@ -20,7 +20,7 @@ profile grub-probe @{exec_path} { /{usr/,}{local/,}{s,}bin/zpool rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/udevadm rPx, /usr/share/grub/* r, diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index 7d94a22af..310b416bf 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-reboot +@{exec_path} = @{sbin}/grub-reboot profile grub-reboot @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 11c78024b..9e3c96464 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-set-default +@{exec_path} = @{sbin}/grub-set-default profile grub-set-default @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 03df05295..1996b346b 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub{2,} profile update-grub @{exec_path} { include include @@ -15,7 +15,7 @@ profile update-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grub-mkconfig rPx, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 6483fe39f..cf0caffeb 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -22,7 +22,7 @@ profile kauth-kded-smart-helper @{exec_path} { @{exec_path} mr, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index 5ae1f5f12..afecd8d53 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} { @{exec_path} mr, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, include if exists } diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 2c129b426..dd3a6b42b 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -39,7 +39,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee95..0ae174b09 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{bin}/tcsh rix, + @{sbin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index b92ad8e68..1d8987709 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ModemManager +@{exec_path} = @{sbin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index d41f38b1b..008b6bd31 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/NetworkManager +@{exec_path} = @{sbin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include @@ -75,12 +75,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/nft rix, + @{sbin}/nft rix, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index c1b5d04c5..7f47b9975 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dhcpcd +@{exec_path} = @{sbin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include @@ -35,7 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 0b5bd090e..eddcaedf7 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/iwctl +@{exec_path} = @{sbin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index d3c114a43..13edaaf16 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -24,7 +24,7 @@ profile iwd @{exec_path} { network packet dgram, @{exec_path} mr, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6c4c41e6c..ecd23ce53 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ip rix, + @{sbin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index e6150c509..726798180 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -39,7 +39,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/gawk rix, @{bin}/grep rix, @{bin}/id rix, - @{bin}/invoke-rc.d rCx -> invoke-rc, + @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @@ -101,7 +101,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{bin}/invoke-rc.d rm, + @{sbin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 675c14679..943386f61 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 608b98994..5623901fb 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -22,7 +22,7 @@ abi , include -@{exec_path} = @{bin}/openvpn +@{exec_path} = @{sbin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,9 +83,9 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/which{,.debianutils} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, @@ -110,8 +110,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/ip rix, + @{sbin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 4e5bba684..096fe276c 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{bin}/ip rPx, + @{sbin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index ac29b0b28..fa6cd8ddd 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,9 +35,9 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/resolvectl rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index b5e8d88e8..e8ece5c88 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,19 +21,19 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/ip rPx, + @{sbin}/ip rPx, @{bin}/mv rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, @{bin}/sync rix, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, @{bin}/wg rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /usr/share/terminfo/** r, @@ -49,7 +49,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { profile sysctl flags=(attach_disconnected) { include - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index f1d4818ef..fdd9618fc 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -28,11 +28,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{bin}/fsck rix, + @{sbin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/objcopy rix, @@ -45,7 +45,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/{depmod,insmod} rPx, @{bin}/{kmod,lsmod} rPx, @{bin}/{modinfo,rmmod} rPx, - @{bin}/modprobe rPx, + @{sbin}/modprobe rPx, @{bin}/plymouth rPx, @{bin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 271540f52..ada70feec 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -69,35 +69,35 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/ghc-pkg-@{version} rix, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/groupadd rPx, + @{sbin}/groupadd rPx, @{bin}/gtk-query-immodules-{2,3}.0 rPx, @{bin}/gtk{,4}-update-icon-cache rPx, - @{bin}/iconvconfig rix, + @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, @{bin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, - @{bin}/ldconfig rix, - @{bin}/locale-gen rPx, + @{sbin}/ldconfig rix, + @{sbin}/locale-gen rPx, @{bin}/mkinitcpio rPx, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, @{bin}/pacman-key rPx, @{bin}/pkgfile rPUx, @{bin}/pkill rix, @{bin}/rsync rix, @{bin}/sbctl rPx, - @{bin}/setcap rix, + @{sbin}/setcap rix, @{bin}/setfacl rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-* rPx, @{bin}/tput rix, @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, - @{bin}/update-grub rPx, - @{bin}/update-mime-database rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 45336a100..fe1bc5781 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,7 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{bin}/depmod rPx, + @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a039db414..a8a54c151 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -19,7 +19,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/kmod rPx, @{bin}/nproc rix, diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl index a25414390..3131befeb 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/groups/procps/sysctl @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/sysctl +@{exec_path} = @{sbin}/sysctl profile sysctl @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd index 0dc65b1fb..5e84f31b4 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/chpasswd +@{exec_path} = @{sbin}/chpasswd profile chpasswd @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/groups/shadow/groupadd index 65e735605..2d135007a 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupadd +@{exec_path} = @{sbin}/groupadd profile groupadd @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupdel b/apparmor.d/groups/shadow/groupdel index 734b22463..8f8b28239 100644 --- a/apparmor.d/groups/shadow/groupdel +++ b/apparmor.d/groups/shadow/groupdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupdel +@{exec_path} = @{sbin}/groupdel profile groupdel @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupmod b/apparmor.d/groups/shadow/groupmod index 01841483e..34bf046cd 100644 --- a/apparmor.d/groups/shadow/groupmod +++ b/apparmor.d/groups/shadow/groupmod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupmod +@{exec_path} = @{sbin}/groupmod profile groupmod @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/grpck b/apparmor.d/groups/shadow/grpck index 3b820febb..1e47307e4 100644 --- a/apparmor.d/groups/shadow/grpck +++ b/apparmor.d/groups/shadow/grpck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grpck +@{exec_path} = @{sbin}/grpck profile grpck @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/pwck b/apparmor.d/groups/shadow/pwck index 6aef4d028..456a15af4 100644 --- a/apparmor.d/groups/shadow/pwck +++ b/apparmor.d/groups/shadow/pwck @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pwck +@{exec_path} = @{sbin}/pwck profile pwck @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/groups/shadow/useradd index 021ede783..b10487cf2 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/useradd +@{exec_path} = @{sbin}/useradd profile useradd @{exec_path} { include include @@ -25,7 +25,7 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/groups/shadow/userdel index afaa52a03..589c726d0 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/userdel +@{exec_path} = @{sbin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/usermod b/apparmor.d/groups/shadow/usermod index 1e5c6e4eb..b59260a25 100644 --- a/apparmor.d/groups/shadow/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/usermod +@{exec_path} = @{sbin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index cbaa8bce9..b3ee8a5da 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -65,17 +65,17 @@ profile snapd @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/adduser rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/adduser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/cp rix, @{bin}/getent rix, - @{bin}/groupadd rPx, + @{sbin}/groupadd rPx, @{bin}/gzip rix, @{bin}/hostnamectl rPx, @{bin}/journalctl rPx, @{bin}/kmod rPx, @{bin}/mount rix, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/ssh-keygen rPx, @{bin}/sync rix, @{bin}/systemctl rCx -> systemctl, @@ -85,7 +85,7 @@ profile snapd @{exec_path} { @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, - @{bin}/useradd rPx, + @{sbin}/useradd rPx, @{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap rPUx, @@ -201,7 +201,7 @@ profile snapd @{exec_path} { profile runuser { include - @{bin}/runuser mr, + @{sbin}/runuser mr, include if exists } diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 6d873982b..63251a976 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -15,7 +15,7 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a7d9a6699..3ae1326d8 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -15,7 +15,7 @@ abi , include -@{exec_path} = @{bin}/sshd +@{exec_path} = @{sbin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -62,7 +62,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{bin}/false rix, - @{bin}/nologin rPx, + @{sbin}/nologin rPx, @{bin}/passwd rPx, @{lib}/{openssh,ssh}/sftp-server rPx, @{lib}/{openssh,ssh}/sshd-session rix, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index a29a39687..73c78f2ed 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -67,7 +67,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @@ -276,7 +276,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/localedef rix, @{bin}/readlink rix, @{bin}/true rix, diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index de0b0a295..1b094c2a3 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -43,7 +43,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ln rix, @{bin}/localedef rix, @{bin}/mkdir rix, @@ -71,7 +71,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{app_dirs}/** mrix, - @{run}/host/@{bin}/ldconfig rix, + @{run}/host/@{sbin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @{run}/host/@{lib}/** mr, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 7dc10fd46..0381b93b1 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -31,7 +31,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{pager_path} rPx -> child-pager, # Location of file system OS images diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 0680e0be8..4836c9747 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, + @{sbin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index d9a6639c1..346e7d94e 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -17,7 +17,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/blkid rPx, + @{sbin}/blkid rPx, @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a24858125..a89cd90f8 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -42,9 +42,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework, - @{bin}/mkfs.btrfs rPx, - @{bin}/mkfs.fat rPx, - @{bin}/mke2fs rPx, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 8556e51d7..74a824411 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{bin}/mkfs.* rPx, - @{bin}/mkswap rPx, + @{sbin}/mkfs.* rPx, + @{sbin}/mkswap rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index d28531e56..5ccf33219 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/sulogin rPx, + @{sbin}/sulogin rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 9e81cec83..03bfd6000 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -41,15 +41,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{pager_path} rPx -> child-pager, @{bin}/*-print-pci-ids rix, - @{bin}/alsactl rPUx, + @{sbin}/alsactl rPUx, @{bin}/ddcutil rPx, - @{bin}/dmsetup rPx, - @{bin}/ethtool rix, + @{sbin}/dmsetup rPx, + @{sbin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mknod rix, @{bin}/multipath rPx, @{bin}/nfsrahead rix, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0121dd46d..15c7f27ad 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -43,7 +43,7 @@ profile apport-gtk @{exec_path} { @{bin}/gsettings rPx, @{bin}/ischroot rix, @{bin}/journalctl rPx, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c5c31edd3..eb299345c 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -19,7 +19,7 @@ profile cron-ubuntu-fan @{exec_path} { @{bin}/flock rix, @{bin}/grep rix, @{bin}/id rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, @{bin}/touch rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 58323b8ff..575481de2 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, @@ -35,7 +35,7 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{bin}/sshd rPx, + @{sbin}/sshd rPx, @{bin}/snap rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx, /usr/share/netplan/netplan.script rPUx, # TODO: rPx, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 77b24fa27..0573f38bf 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -12,7 +12,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{bin}/dumpe2fs rPx, + @{sbin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty index 3eca54abc..9ae450196 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/groups/utils/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/agetty +@{exec_path} = @{sbin}/agetty profile agetty @{exec_path} { include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 27207bdb7..3eee035fe 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkid +@{exec_path} = @{sbin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/groups/utils/blockdev index 96e3ad23f..0c5e7b17c 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blockdev +@{exec_path} = @{sbin}/blockdev profile blockdev @{exec_path} { include include diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index 5d0588026..40694aff9 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck +@{exec_path} = @{sbin}/fsck profile fsck @{exec_path} flags=(attach_disconnected) { include include @@ -18,8 +18,8 @@ profile fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck.* rPx, /etc/fstab r, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 211913f41..a6ada04d5 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/fstrim +@{exec_path} = @{sbin}/fstrim profile fstrim @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index b9254171a..3620018a7 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/locale-gen +@{exec_path} = @{sbin}/locale-gen profile locale-gen @{exec_path} { include include diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/groups/utils/losetup index bb0ac6c74..9b32074ba 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/groups/utils/losetup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/losetup +@{exec_path} = @{sbin}/losetup profile losetup @{exec_path} { include include diff --git a/apparmor.d/groups/utils/nologin b/apparmor.d/groups/utils/nologin index 3ee32cf34..795a1aa35 100644 --- a/apparmor.d/groups/utils/nologin +++ b/apparmor.d/groups/utils/nologin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nologin +@{exec_path} = @{sbin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 4bd473584..81e299d23 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -22,7 +22,7 @@ profile su @{exec_path} { @{exec_path} mr, @{bin}/@{shells} rUx, - @{bin}/nologin rPx, + @{sbin}/nologin rPx, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/groups/utils/sulogin index ccf7216e0..2af869dab 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/sulogin +@{exec_path} = @{sbin}/sulogin profile sulogin @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swaplabel b/apparmor.d/groups/utils/swaplabel index 05dc5783a..16abf153d 100644 --- a/apparmor.d/groups/utils/swaplabel +++ b/apparmor.d/groups/utils/swaplabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swaplabel +@{exec_path} = @{sbin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swapon b/apparmor.d/groups/utils/swapon index 83d2c6a3b..dd4aec8e2 100644 --- a/apparmor.d/groups/utils/swapon +++ b/apparmor.d/groups/utils/swapon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swapon @{bin}/swapoff +@{exec_path} = @{sbin}/swapon @{sbin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 4d75a70ed..0f03325c8 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/uuidd +@{exec_path} = @{sbin}/uuidd profile uuidd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index 9dbf23243..91697be73 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/zramctl +@{exec_path} = @{sbin}/zramctl profile zramctl @{exec_path} { include include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 73ad13cb1..0f2692ecf 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} { network netlink raw, @{exec_path} mr, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index a6eb80e9f..87ffb3f4a 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,13 +38,13 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, @{bin}/chage Px, - @{bin}/dmidecode Px, + @{sbin}/dmidecode Px, @{bin}/findmnt Px, @{bin}/journalctl Px, @{bin}/last Px, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index 1de016aea..d71eb9ec1 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{bin}/ip rPx, + @{sbin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 4f73ff985..598ec7ca9 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -46,7 +46,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 3f18bbdcc..6b1e3537a 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -64,7 +64,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd rPx, @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @@ -74,7 +74,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/ps rPx, @{bin}/runc rUx, @{bin}/unpigz rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 0949e72ee..2142e28b9 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -62,7 +62,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 44d24f1ae..303e906c2 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/libvirt-dbus +@{exec_path} = @{sbin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include include @@ -18,7 +18,7 @@ profile libvirt-dbus @{exec_path} { @{exec_path} mr, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 061866717..53dcb0703 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -14,7 +14,7 @@ abi , include -@{exec_path} = @{bin}/libvirtd +@{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include include @@ -103,26 +103,26 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - @{bin}/dmidecode rPx, - @{bin}/dnsmasq rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, - @{bin}/lvm rPUx, + @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, @{bin}/virtiofsd rux, # TODO: WIP - @{bin}/virtlogd rPx, + @{sbin}/virtlogd rPx, @{sh_path} rix, - @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/ip rix, + @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper - @{bin}/tc rix, + @{sbin}/tc rix, @{bin}/xmllint rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, @@ -265,7 +265,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/vhost-net rw, # Force the use of virt-aa-helper - audit deny @{bin}/apparmor_parser rwxl, + audit deny @{sbin}/apparmor_parser rwxl, audit deny @{etc_rw}/apparmor.d/libvirt/** wxl, audit deny @{sys}/kernel/security/apparmor/features rwxl, audit deny @{sys}/kernel/security/apparmor/matching rwxl, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index c10f44922..81ec217b9 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -19,7 +19,7 @@ profile virt-aa-helper @{exec_path} { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, /etc/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index ea9336cef..ef28e59e9 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlockd +@{exec_path} = @{sbin}/virtlockd profile virtlockd @{exec_path} { include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 44bf06ba0..d362ad108 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlogd +@{exec_path} = @{sbin}/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 42e13ef64..2d7df07b6 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, /etc/libvirt/*.conf r, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables index 71f75b642..a10b75dde 100644 --- a/apparmor.d/groups/virt/xtables +++ b/apparmor.d/groups/virt/xtables @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi +@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi profile xtables { include include diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 51053ccee..1cc3e7668 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -14,7 +14,7 @@ profile pam-info @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/faillock rix, + @{sbin}/faillock rix, @{bin}/grep rix, @{bin}/str_replace rix, @{bin}/wc rix, diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 01e1cb418..08322714f 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 796194146..bf7daf85e 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -13,11 +13,11 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,}grep rix, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{bin}/shutdown rix, + @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 5bf6c433a..4985bca3a 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/acpid +@{exec_path} = @{sbin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index e1d813324..135f65067 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -33,12 +33,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{bin}/groupadd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupadd rPx, + @{sbin}/groupdel rPx, @{bin}/passwd rPx, - @{bin}/useradd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/useradd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 28576423d..6999f5baf 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -18,7 +18,7 @@ profile adequate @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index b2b97a62a..adf0d5cd3 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/alsactl +@{exec_path} = @{sbin}/alsactl profile alsactl @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index b3baaaa8f..a10df8394 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/aspell-autobuildhash +@{exec_path} = @{sbin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include @@ -47,7 +47,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index d6881f3e7..762273a9f 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditctl +@{exec_path} = @{sbin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index bb2c64cee..41fb158c0 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditd +@{exec_path} = @{sbin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 7a515c1ba..5ae84876b 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/augenrules +@{exec_path} = @{sbin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{bin}/auditctl rPx, + @{sbin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index e0f686b90..ff3a710c3 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/badblocks +@{exec_path} = @{sbin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 8010b380a..87457a129 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/biosdecode +@{exec_path} = @{sbin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 2cabb639f..f864a605b 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkdeactivate +@{exec_path} = @{sbin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @@ -15,11 +15,11 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, @{sh_path} rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPUx, @{bin}/grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index ff3f8b43a..6d2683ade 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -31,7 +31,7 @@ profile borg @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, @{bin}/ccache rCx -> ccache, diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index 9ea7a824c..1cfda03d9 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop @@ -80,7 +80,7 @@ profile briar-desktop @{exec_path} { profile jspawnhelper flags=(attach_disconnected) { include - @{bin}/ldconfig ix, + @{sbin}/ldconfig ix, owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, @{system_share_dirs}/java/briar-desktop.jar r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 6d71ed28d..e3643ab6d 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -48,7 +48,7 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, @{bin}/file rix, - @{bin}/ldconfig{,.real} rix, + @{sbin}/ldconfig{,.real} rix, @{bin}/uname rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 9cacb9324..ee8d277f2 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cfdisk +@{exec_path} = @{sbin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 0f91c1e85..8f3f11af0 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cgdisk +@{exec_path} = @{sbin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 775e3f640..965e0dc3a 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/check-bios-nx +@{exec_path} = @{sbin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 4c805b9b1..39f30c5fe 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -111,7 +111,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index cc183f527..4db396fa0 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cracklib-packer +@{exec_path} = @{sbin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1c5185833..5262e9065 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -20,11 +20,11 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/crontab rPx, + @{sbin}/crontab rPx, @{bin}/gpasswd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, - @{bin}/userdel rPx, + @{sbin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index b650498cf..d5505ff86 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, @@ -36,11 +36,11 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rix, @{bin}/tr rix, @{bin}/xxd rix, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 75487fbec..0a01e5db5 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/dkms +@{exec_path} = @{sbin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include @@ -43,7 +43,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/update-secureboot-policy rPUx, + @{sbin}/update-secureboot-policy rPUx, @{bin}/zstd rix, @{lib}/gcc/@{multiarch}/@{version}/* rix, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index ffce30921..2d799987f 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 0484cf99d..984545508 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmeventd +@{exec_path} = @{sbin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index aba455535..680d25992 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dmidecode +@{exec_path} = @{sbin}/dmidecode profile dmidecode @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index b5a1f3ab7..eb9d1dc19 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmsetup +@{exec_path} = @{sbin}/dmsetup profile dmsetup @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 065fe92c5..eecdb2e6d 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -32,7 +32,7 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index eb3d4d61a..a4184a358 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus +@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index be5d26b9f..c120a3590 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 +@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 profile e2fsck @{exec_path} { include include @@ -21,7 +21,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index b099f1ccf..c7238f262 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2image +@{exec_path} = @{sbin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 25fab12c7..af10dddcd 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/e2scrub_all +@{exec_path} = @{sbin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index 4d743fbb7..a2cfe43c5 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 2506b1db9..21d2a1cf8 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -20,8 +20,8 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/xtables-nft-multi rix, - @{bin}/iptables rix, + @{sbin}/xtables-nft-multi rix, + @{sbin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index c7ac0d399..c8bdedaa3 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatlabel +@{exec_path} = @{sbin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index e299a109b..8db6bde6f 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index e6a7aeebf..bab152574 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fdisk +@{exec_path} = @{sbin}/fdisk profile fdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index bb68e873e..74c6ad3b1 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -25,7 +25,7 @@ profile finalrd @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/grep rix, - @{bin}/ldconfig{,.real} rix, + @{sbin}/ldconfig{,.real} rix, @{bin}/ln rix, @{bin}/mkdir rix, @{bin}/mount rix, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index a54d1c9ac..d8086715a 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -19,7 +19,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{etc_ro}/login.defs r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 3d7ee07f8..6d9502220 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -28,14 +28,14 @@ profile frontend @{exec_path} flags=(complain) { @{bin}/locale rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/stty rix, - @{bin}/update-secureboot-policy rPx, + @{sbin}/update-secureboot-policy rPx, # debconf apps @{bin}/adequate rPx, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{bin}/debconf-apt-progress rPx, @{bin}/linux-check-removal rPx, - @{bin}/pam-auth-update rPx, + @{sbin}/pam-auth-update rPx, @{bin}/ucf rPx, @{bin}/whiptail rPx, @{lib}/tasksel/tasksel-debconf rPx -> tasksel, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index e06c49b9d..1dcdf8042 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -33,7 +33,7 @@ profile gajim @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, # To play sounds diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 1357b03b6..b49e20570 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gdisk +@{exec_path} = @{sbin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index d4511c62c..d74945777 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gparted +@{exec_path} = @{sbin}/gparted profile gparted @{exec_path} flags=(attach_disconnected) { include include @@ -20,7 +20,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{sh_path} rix, - @{bin}/killall5 rCx -> killall, + @{sbin}/killall5 rCx -> killall, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -29,7 +29,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{bin}/ps rPx, @{bin}/xhost rPx, - @{bin}/gpartedbin rPx, + @{sbin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @@ -71,7 +71,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { ptrace (read), - @{bin}/killall5 mr, + @{sbin}/killall5 mr, @{PROC}/ r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 0b2fea4c3..29bac6a2f 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin +@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include @@ -30,9 +30,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, - @{bin}/blkid rPx, - @{bin}/dmidecode rPx, - @{bin}/hdparm rPx, + @{sbin}/blkid rPx, + @{sbin}/dmidecode rPx, + @{sbin}/hdparm rPx, @{bin}/kmod rPx, @{bin}/mount rCx -> mount, @@ -42,28 +42,28 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{bin}/btrfs rPx, @{bin}/btrfstune rPx, @{bin}/dmraid rPUx, - @{bin}/dmsetup rPUx, - @{bin}/dumpe2fs rPx, - @{bin}/e2fsck rPx, - @{bin}/e2image rPx, - @{bin}/fsck.* rPUx, - @{bin}/lvm rPUx, - @{bin}/mdadm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPUx, - @{bin}/mkntfs rPx, - @{bin}/mkswap rPx, + @{sbin}/dmsetup rPUx, + @{sbin}/dumpe2fs rPx, + @{sbin}/e2fsck rPx, + @{sbin}/e2image rPx, + @{sbin}/fsck.* rPUx, + @{sbin}/lvm rPUx, + @{sbin}/mdadm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPUx, + @{sbin}/mkntfs rPx, + @{sbin}/mkswap rPx, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, - @{bin}/ntfslabel rPx, - @{bin}/ntfsresize rPx, - @{bin}/resize2fs rPx, - @{bin}/swaplabel rPx, - @{bin}/swapoff rPx, - @{bin}/swapon rPx, + @{sbin}/ntfslabel rPx, + @{sbin}/ntfsresize rPx, + @{sbin}/resize2fs rPx, + @{sbin}/swaplabel rPx, + @{sbin}/swapoff rPx, + @{sbin}/swapon rPx, @{bin}/tune.* rPUx, - @{bin}/tune2fs rPx, - @{bin}/xfs_io rPUx, + @{sbin}/tune2fs rPx, + @{sbin}/xfs_io rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 5d04e33fb..988c547f0 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -20,7 +20,7 @@ profile gsmartcontrol @{exec_path} { @{bin}/dbus-launch Cx -> bus, @{bin}/dbus-send Cx -> bus, - @{bin}/smartctl Px, + @{sbin}/smartctl Px, @{bin}/xterm Cx -> terminal, /etc/fstab r, @@ -67,7 +67,7 @@ profile gsmartcontrol @{exec_path} { capability setuid, @{bin}/xterm mr, - @{bin}/update-smart-drivedb rPx, + @{sbin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index aaa28bd55..97fad1f13 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -39,7 +39,7 @@ profile hardinfo @{exec_path} { @{bin}/make rix, @{bin}/perl rix, @{python_path} rix, - @{bin}/route rix, + @{sbin}/route rix, @{bin}/ruby@{int}.@{int} rix, @{bin}/strace rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index a4fa34973..53e520509 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hdparm +@{exec_path} = @{sbin}/hdparm profile hdparm @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 590d4427e..2a1244ef7 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -37,28 +37,28 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{bin}/biosdecode rPx, + @{sbin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{bin}/ethtool rCx -> netconfig, - @{bin}/fdisk rPx, + @{sbin}/ethtool rCx -> netconfig, + @{sbin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, + @{sbin}/hdparm rPx, @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{bin}/ifconfig rCx -> netconfig, + @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{bin}/iw rCx -> netconfig, - @{bin}/iwconfig rCx -> netconfig, + @{sbin}/iw rCx -> netconfig, + @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rix, @@ -70,10 +70,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{bin}/rfkill rPx, + @{sbin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -205,10 +205,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network appletalk dgram, network netlink raw, - @{bin}/iw mr, - @{bin}/ifconfig mr, - @{bin}/iwconfig mr, - @{bin}/ethtool mr, + @{sbin}/iw mr, + @{sbin}/ifconfig mr, + @{sbin}/iwconfig mr, + @{sbin}/ethtool mr, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index e7bf2937c..21165acec 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -27,7 +27,7 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{bin}/acpidump rPUx, + @{sbin}/acpidump rPUx, @{bin}/dmraid rPUx, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index cda55bc59..ce1ad519b 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -34,7 +34,7 @@ profile hypnotix @{exec_path} { @{python_path} r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mkdir rix, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 5bebad691..48181e130 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ifconfig +@{exec_path} = @{sbin}/ifconfig profile ifconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index aac25b811..42169dd6d 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,8 +19,8 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/ip rix, - @{bin}/route rix, + @{sbin}/ip rix, + @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, @{bin}/wc rix, @@ -32,7 +32,7 @@ profile ifup @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{bin}/kmod rCx -> kmod, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -110,7 +110,7 @@ profile ifup @{exec_path} { capability net_admin, capability sys_admin, - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 074b4e735..199483f4f 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index 1b27d1a4e..b5bf58ff2 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 09753107b..38b2a17a2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/ip rCx -> ip, + @{sbin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -43,11 +43,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{bin}/blockdev rPx, + @{sbin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, @@ -56,7 +56,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{bin}/ip mr, + @{sbin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c01..3495bcc80 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ip +@{exec_path} = @{sbin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index c6dfa762a..628728846 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ipcalc +@{exec_path} = @{sbin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index c760c50f6..631b0b9d1 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iw +@{exec_path} = @{sbin}/iw profile iw @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 962b4ab23..ec6b9a46b 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwconfig +@{exec_path} = @{sbin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index 298c94688..b89af77b9 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwlist +@{exec_path} = @{sbin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 102b75d83..d1e142a13 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kexec +@{exec_path} = @{sbin}/kexec profile kexec @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 08fc10c22..0338e3975 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rPx, @{bin}/true rix, @{lib}/modprobe.d/{,*.conf} r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index fc6a6ede5..016dceae0 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -30,7 +30,7 @@ profile kodi @{exec_path} { @{bin}/df rix, @{bin}/dirname rix, @{bin}/find rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mv rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index eb3d1cc80..f62e9ddf9 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kvm-ok +@{exec_path} = @{sbin}/kvm-ok profile kvm-ok @{exec_path} { include @@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index fdd3b6209..f74f309fe 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/logrotate +@{exec_path} = @{sbin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -32,7 +32,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/grep rix, @{bin}/gzip rix, - @{bin}/invoke-rc.d rix, + @{sbin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index fdc258da1..ad626192c 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/mkinitramfs +@{exec_path} = @{sbin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -58,7 +58,7 @@ profile mkinitramfs @{exec_path} { @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{bin}/ldconfig rCx -> ldconfig, + @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @@ -130,10 +130,10 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - @{bin}/ldconfig mr, + @{sbin}/ldconfig mr, @{sh_path} rix, - @{bin}/ldconfig.real rix, + @{sbin}/ldconfig.real rix, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e6..8b8968464 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/modprobed-db +@{exec_path} = @{sbin}/modprobed-db profile modprobed-db @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index e847db872..cf77b7ab8 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -43,8 +43,8 @@ profile monitorix @{exec_path} { @{bin}/free rix, @{bin}/ss rix, @{bin}/who rix, - @{bin}/lvm rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/lvm rix, + @{sbin}/xtables-nft-multi rix, @{bin}/sensors rix, @{bin}/getconf rix, @{bin}/ps rix, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 502f941be..a66fc287f 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -27,7 +27,7 @@ profile mpsyt @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 397646c5e..2470c527f 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/needrestart +@{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include include @@ -37,7 +37,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 480caf77e..b70a49be8 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -19,7 +19,7 @@ profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dbus-send rix, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/rm rix, @{run}/needrestart/{,**} rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 75b150042..cf51936da 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -12,7 +12,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{bin}/iucode_tool rix, + @{sbin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index c92d4d849..ffe3d4119 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/on_ac_power +@{exec_path} = @{sbin}/on_ac_power profile on-ac-power @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index bfee59187..263fab8bb 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -26,20 +26,20 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{bin}/blkid rPx, + @{sbin}/blkid rPx, @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, @{bin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index bcd9ba6b7..c3df0072d 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -52,7 +52,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus rix, @{bin}/gzip rix, @{bin}/ischroot rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 3991299b9..655ed9d40 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/pam-auth-update +@{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include include @@ -35,7 +35,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, - @{bin}/pam-auth-update rPx, + @{sbin}/pam-auth-update rPx, @{sh_path} rix, @{bin}/stty rix, diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 4a98dbae8..1ae7f5478 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/parted +@{exec_path} = @{sbin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 6a0a6c9cf..79e4b0ffb 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/partprobe +@{exec_path} = @{sbin}/partprobe profile partprobe @{exec_path} { include include @@ -23,7 +23,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index c8fb38e44..8d55dd156 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -24,7 +24,7 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/pass rPx, @{python_path} rix, @{lib}/gcc/**/collect2 rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 984b566cf..67e0ee74e 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pcscd +@{exec_path} = @{sbin}/pcscd profile pcscd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 47dd9beab..81f43b3e6 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rdmsr +@{exec_path} = @{sbin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 7b28a1d22..38d482326 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/resize2fs +@{exec_path} = @{sbin}/resize2fs profile resize2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index c050ce970..a83c867fa 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/resolvconf +@{exec_path} = @{sbin}/resolvconf profile resolvconf @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index c80211b09..c65298b27 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rfkill +@{exec_path} = @{sbin}/rfkill profile rfkill @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 1dc744ff3..599fac88f 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,7 +12,7 @@ include # following: # watch -n 1 'dmesg | tail -5' -@{exec_path} = @{bin}/rsyslogd +@{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 9417c93b1..733573d6b 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rtkitctl +@{exec_path} = @{sbin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index fc46c2967..f6d40b0c5 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -25,7 +25,7 @@ profile run-parts @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/anacron rix, + @{sbin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -229,12 +229,12 @@ profile run-parts @{exec_path} { @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, @{bin}/update-alternatives rPx, - @{bin}/update-grub rPUx, - @{bin}/update-initramfs rPx, + @{sbin}/update-grub rPUx, + @{sbin}/update-initramfs rPx, @{lib}/dkms/dkms_autoinstaller rPx, @{lib}/modules/*/updates/ w, diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 9931c07fb..4bd569955 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/runuser +@{exec_path} = @{sbin}/runuser profile runuser @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index e3eca4e22..96dc17042 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sensors-detect +@{exec_path} = @{sbin}/sensors-detect profile sensors-detect @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 6c9a3fe62..7fdfddcbb 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/setvtrgb +@{exec_path} = @{sbin}/setvtrgb profile setvtrgb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 0009d52cb..05ab2273f 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sfdisk +@{exec_path} = @{sbin}/sfdisk profile sfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index ecc6abcdb..4e68816d7 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sgdisk +@{exec_path} = @{sbin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 4af40c8ab..d025d160b 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/smartctl +@{exec_path} = @{sbin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index d0f9c28fd..60a77a782 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/smartd +@{exec_path} = @{sbin}/smartd profile smartd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index e70a5c499..5277dcc1e 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -46,7 +46,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/gzip rix, @{bin}/head rix, @{bin}/id rix, - @{bin}/iucode_tool rix, + @{sbin}/iucode_tool rix, @{bin}/kmod rCx -> kmod, @{bin}/lzop rix, @{bin}/mktemp rix, @@ -55,7 +55,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/od rix, @{bin}/perl rix, @{bin}/pgrep rCx -> pgrep, - @{bin}/rdmsr rix, + @{sbin}/rdmsr rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index bebfbe419..95013d8e0 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/spice-vdagentd +@{exec_path} = @{sbin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 6ff0fe7e9..8b66b652f 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{bin}/ip rix, + @{sbin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index fe30e6da8..101310df1 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/thermald +@{exec_path} = @{sbin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index ff447e81e..52fe2af61 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -30,13 +30,13 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/ethtool rix, + @{sbin}/ethtool rix, @{bin}/flock rix, @{bin}/grep rix, - @{bin}/hdparm rPx, + @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, - @{bin}/iw rPx, + @{sbin}/iw rPx, @{bin}/logger rix, @{bin}/mktemp rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 0b35cff02..a9db94276 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -48,7 +48,7 @@ profile tomb @{exec_path} { @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{bin}/losetup rix, + @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -67,22 +67,22 @@ profile tomb @{exec_path} { @{bin}/zsh rix, @{bin}/btrfs rPx, - @{bin}/cryptsetup rPUx, + @{sbin}/cryptsetup rPUx, @{bin}/e2fsc rPUx, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, - @{bin}/mkfs.* rPUx, + @{sbin}/mkfs.* rPUx, @{bin}/mount rPx, @{bin}/pinentry rPx, @{bin}/pinentry-* rPx, @{bin}/qrencode rPx, - @{bin}/resize2fs rPx, + @{sbin}/resize2fs rPx, @{bin}/tomb-kdb-pbkdf2 rPUx, - @{bin}/tune2fs rPx, + @{sbin}/tune2fs rPx, @{bin}/umount rCx -> umount, @{bin}/updatedb.mlocate rPx, - @{bin}/zramctl rPx, + @{sbin}/zramctl rPx, /usr/share/file/** r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index c7c914387..ad258189c 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{bin}/getcap rix, + @{sbin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached index 51746625e..e42b10c26 100644 --- a/apparmor.d/profiles-s-z/udev-bcache-export-cached +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached @@ -15,7 +15,7 @@ profile udev-bcache-export-cached @{exec_path} { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bcache-super-show rix, + @{sbin}/bcache-super-show rix, include if exists } diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 85b99b8ab..4b7d35c32 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/unix_chkpwd +@{exec_path} = @{sbin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index b496777e9..4bc88faae 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-ca-certificates +@{exec_path} = @{sbin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 9bef23a77..b7f00b263 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-cracklib +@{exec_path} = @{sbin}/update-cracklib profile update-cracklib @{exec_path} { include include @@ -16,8 +16,8 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cracklib-format rix, - @{bin}/cracklib-packer rPx, + @{sbin}/cracklib-format rix, + @{sbin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 6948f2812..51961efb3 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-initramfs +@{exec_path} = @{sbin}/update-initramfs profile update-initramfs @{exec_path} { include include @@ -32,7 +32,7 @@ profile update-initramfs @{exec_path} { @{bin}/dpkg-trigger rPx, @{bin}/linux-version rPx, - @{bin}/mkinitramfs rPx, + @{sbin}/mkinitramfs rPx, /var/lib/initramfs-tools/* w, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index d2e36ead0..a40afd994 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-pciids +@{exec_path} = @{sbin}/update-pciids profile update-pciids @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index e5ffca44f..232c92d0c 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-secureboot-policy +@{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 2ce61cebf..70b9bc6e2 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-smart-drivedb +@{exec_path} = @{sbin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 7a951b7e7..a9c77b5c2 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -19,7 +19,7 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 6612846cd..1e5417b15 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -29,11 +29,11 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, - @{bin}/dmsetup rPx, + @{sbin}/dmsetup rPx, @{bin}/grep rix, @{bin}/kmod rix, - @{bin}/ldconfig rix, - @{bin}/losetup rCx -> losetup, + @{sbin}/ldconfig rix, + @{sbin}/losetup rCx -> losetup, @{bin}/mount rPx, @{bin}/sudo rix, @{bin}/umount rCx -> umount, @@ -85,7 +85,7 @@ profile veracrypt @{exec_path} { capability sys_rawio, - @{bin}/losetup mr, + @{sbin}/losetup mr, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 1460fb1a7..7cf741dc2 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -28,7 +28,7 @@ profile vidcutter @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 614084c71..7c0443dae 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -39,7 +39,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{bin}/getfacl rix, @{bin}/setfacl rix, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index e23d4db43..d0fc54b7c 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 88c44287d..67b3cf503 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index cc4ae2959..41541ea84 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 136caa781..b2cfe0091 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_action +@{exec_path} = @{sbin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,14 +17,14 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{bin}/wpa_cli rPx, + @{sbin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index 11da65179..eb4efeee9 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -7,13 +7,13 @@ abi , include -@{exec_path} = @{bin}/wpa_cli +@{exec_path} = @{sbin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - @{bin}/wpa_action rPx, + @{sbin}/wpa_action rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 23f77f840..24f87b5a7 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_supplicant +@{exec_path} = @{sbin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 7de522fc8..6ef05cc0f 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wrmsr +@{exec_path} = @{sbin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index d618a0db1..381e878fa 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -38,7 +38,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 12fd657c3..a76bf0d89 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -27,7 +27,7 @@ profile ytdl @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 8ac23a07c..42181500b 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -20,7 +20,7 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{bin}/update-grub rPx, + @{sbin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r,