feat(profile): use @{sbin} for all program inside /usr/sbin.

2025-04-28 21:27:57 +02:00 · 2025-04-28 21:27:57 +02:00 · fd17a77b17
commit fd17a77b17
parent b8f2f38c72
270 changed files with 475 additions and 475 deletions
--- a/apparmor.d/groups/cron/anacron
+++ b/apparmor.d/groups/cron/anacron
@ -6,7 +6,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/anacron
+@{exec_path} = @{sbin}/anacron
 profile anacron @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -7,7 +7,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/cron
+@{exec_path} = @{sbin}/cron
 profile cron @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
--- a/apparmor.d/groups/cron/cron-anacron
+++ b/apparmor.d/groups/cron/cron-anacron
@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} {

  @{exec_path} r,

-  @{bin}/anacron           rPx,
+  @{sbin}/anacron           rPx,
  @{sh_path}                   rix,
  @{bin}/cat                   rix,
  @{bin}/date                  rix,
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@ -7,7 +7,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/cron-apt
+@{exec_path} = @{sbin}/cron-apt
 profile cron-apt @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/cron/cron-apt-compat
+++ b/apparmor.d/groups/cron/cron-apt-compat
@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} {
  @{exec_path} r,
  @{sh_path}                   rix,

-  @{bin}/on_ac_power          rPx,
+  @{sbin}/on_ac_power          rPx,

  @{bin}/apt-config            rPx,
  @{lib}/apt/apt.systemd.daily rPx,
--- a/apparmor.d/groups/cron/cron-apt-xapian-index
+++ b/apparmor.d/groups/cron/cron-apt-xapian-index
@ -22,7 +22,7 @@ profile cron-apt-xapian-index @{exec_path} {

  @{bin}/ r,
  @{bin}/update-apt-xapian-index rPx,
-  @{bin}/on_ac_power             rPx,
+  @{sbin}/on_ac_power            rPx,

  # For shell pwd
  / r,
--- a/apparmor.d/groups/cron/cron-cracklib
+++ b/apparmor.d/groups/cron/cron-cracklib
@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} {

  @{sh_path}               rix,
  @{bin}/logger            rix,
-  @{bin}/update-cracklib  rPx,
+  @{sbin}/update-cracklib  rPx,

  /etc/cracklib/cracklib.conf r,

--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
@ -39,8 +39,8 @@ profile cron-exim4-base @{exec_path} {
  @{bin}/exim4     rPx,
  @{bin}/exim_tidydb       rix,

-  @{bin}/start-stop-daemon rix,
-  @{bin}/runuser           rix,
+  @{sbin}/start-stop-daemon rix,
+  @{sbin}/runuser           rix,

  /etc/default/exim4 r,

--- a/apparmor.d/groups/cron/cron-ipset-autoban-save
+++ b/apparmor.d/groups/cron/cron-ipset-autoban-save
@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} {
  @{exec_path} r,
  @{sh_path}        rix,

-  @{bin}/ipset     rix,
+  @{sbin}/ipset     rix,

  /etc/peerblock/autoban rw,

--- a/apparmor.d/groups/cron/cron-logrotate
+++ b/apparmor.d/groups/cron/cron-logrotate
@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} {
  @{exec_path} r,
  @{sh_path}        rix,

-  @{bin}/logrotate rPx,
+  @{sbin}/logrotate rPx,

  @{bin}/logger     rix,

--- a/apparmor.d/groups/cron/cron-man-db
+++ b/apparmor.d/groups/cron/cron-man-db
@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} {
  @{sh_path}                rix,

  @{bin}/{,e}grep           rix,
-  @{bin}/start-stop-daemon rix,
+  @{sbin}/start-stop-daemon rix,
  @{bin}/xargs              rix,
  @{bin}/find               rix,

--- a/apparmor.d/groups/cron/cron-mlocate
+++ b/apparmor.d/groups/cron/cron-mlocate
@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} {
  @{bin}/nice       rix,

  @{bin}/updatedb.mlocate rPx,
-  @{bin}/on_ac_power     rPx,
+  @{sbin}/on_ac_power     rPx,

  @{run}/mlocate.daily.lock rwk,

--- a/apparmor.d/groups/cron/cron-plocate
+++ b/apparmor.d/groups/cron/cron-plocate
@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} {
  @{bin}/nice       rix,

  @{bin}/updatedb.plocate rPx,
-  @{bin}/on_ac_power      rPx,
+  @{sbin}/on_ac_power     rPx,

  @{run}/plocate.daily.lock rwk,

--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} {
  # To send reports via TOR
  @{bin}/torify              rix,
  @{bin}/torsocks            rix,
-  @{bin}/getcap              rix,
+  @{sbin}/getcap             rix,

  /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload,
  @{bin}/gpg{,2}             rCx -> gpg,
-  @{bin}/runuser            rCx -> runuser,
+  @{sbin}/runuser            rCx -> runuser,
  @{bin}/savelog             rCx -> savelog,

  /usr/share/popularity-contest/ r,
@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} {
    include <abstractions/nameservice-strict>
    include <abstractions/authentication>

-    @{bin}/runuser mr,
+    @{sbin}/runuser mr,

    @{sh_path}                 rix,
    @{bin}/popularity-contest  rPx,
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -7,7 +7,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/crontab
+@{exec_path} = @{sbin}/crontab
 profile crontab @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>