felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): use @{sbin} for all program inside /usr/sbin.

Browse source
This commit is contained in:
Alexandre Pujol 2025-04-28 21:27:57 +02:00
parent b8f2f38c72
commit fd17a77b17
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
270 changed files with 475 additions and 475 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/profiles-m-r/mkinitramfs
View file

@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/mkinitramfs
@{exec_path} = @{sbin}/mkinitramfs
profile mkinitramfs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -58,7 +58,7 @@ profile mkinitramfs @{exec_path} {
@{bin}/find rCx -> find,
@{bin}/kmod rCx -> kmod,
@{bin}/ldconfig rCx -> ldconfig,
@{sbin}/ldconfig rCx -> ldconfig,
@{bin}/ldd rCx -> ldd,
@{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd,
@{lib}/ld-linux.so* rCx -> ldd,
@ -130,10 +130,10 @@ profile mkinitramfs @{exec_path} {
capability sys_chroot,
@{bin}/ldconfig mr,
@{sbin}/ldconfig mr,
@{sh_path} rix,
@{bin}/ldconfig.real rix,
@{sbin}/ldconfig.real rix,
owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,

2
apparmor.d/profiles-m-r/modprobed-db
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/modprobed-db
@{exec_path} = @{sbin}/modprobed-db
profile modprobed-db @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

4
apparmor.d/profiles-m-r/monitorix
View file

@ -43,8 +43,8 @@ profile monitorix @{exec_path} {
@{bin}/free rix,
@{bin}/ss rix,
@{bin}/who rix,
@{bin}/lvm rix,
@{bin}/xtables-nft-multi rix,
@{sbin}/lvm rix,
@{sbin}/xtables-nft-multi rix,
@{bin}/sensors rix,
@{bin}/getconf rix,
@{bin}/ps rix,

2
apparmor.d/profiles-m-r/mpsyt
View file

@ -27,7 +27,7 @@ profile mpsyt @{exec_path} {
@{python_path} r,
@{bin}/ r,
@{bin}/ldconfig rix,
@{sbin}/ldconfig rix,
@{bin}/tset rix,
@{bin}/uname rix,

4
apparmor.d/profiles-m-r/needrestart
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/needrestart
@{exec_path} = @{sbin}/needrestart
profile needrestart @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
@ -37,7 +37,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{bin}/systemctl rCx -> systemctl,
@{bin}/systemd-detect-virt rPx,
@{bin}/udevadm rCx -> udevadm,
@{bin}/unix_chkpwd rPx,
@{sbin}/unix_chkpwd rPx,
@{bin}/whiptail rPx,
@{bin}/who rix,
@{lib}/needrestart/* rPx,

2
apparmor.d/profiles-m-r/needrestart-apt-pinvoke
View file

@ -19,7 +19,7 @@ profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix,
@{bin}/dbus-send rix,
@{bin}/needrestart rPx,
@{sbin}/needrestart rPx,
@{bin}/rm rix,
@{run}/needrestart/{,**} rw,

2
apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
View file

@ -12,7 +12,7 @@ profile needrestart-iucode-scan-versions @{exec_path} {
@{exec_path} mr,
@{bin}/iucode_tool rix,
@{sbin}/iucode_tool rix,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/bsdtar rix,

2
apparmor.d/profiles-m-r/on-ac-power
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/on_ac_power
@{exec_path} = @{sbin}/on_ac_power
profile on-ac-power @{exec_path} {
include <abstractions/base>

6
apparmor.d/profiles-m-r/os-prober
View file

@ -26,20 +26,20 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix,
@{bin}/{e,f,}grep rix,
@{bin}/blkid rPx,
@{sbin}/blkid rPx,
@{bin}/btrfs rPx,
@{bin}/cat rix,
@{bin}/cut rix,
@{bin}/dmraid rPUx,
@{bin}/find rix,
@{bin}/grub-mount rPx,
@{bin}/grub-probe rPx,
@{sbin}/grub-probe rPx,
@{bin}/head rix,
@{bin}/kmod rPx,
@{bin}/logger rix,
@{bin}/ls rix,
@{bin}/lsblk rPx,
@{bin}/lvm rPx,
@{sbin}/lvm rPx,
@{bin}/mkdir rix,
@{bin}/mktemp rix,
@{bin}/mount rix,

2
apparmor.d/profiles-m-r/packagekitd
View file

@ -52,7 +52,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
@{bin}/gdbus rix,
@{bin}/gzip rix,
@{bin}/ischroot rix,
@{bin}/ldconfig rix,
@{sbin}/ldconfig rix,
@{bin}/repo2solv rix,
@{bin}/tar rix,
@{bin}/test rix,

4
apparmor.d/profiles-m-r/pam-auth-update
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pam-auth-update
@{exec_path} = @{sbin}/pam-auth-update
profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/base>
include <abstractions/consoles>
@ -35,7 +35,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
/usr/share/debconf/frontend r,
@{bin}/pam-auth-update rPx,
@{sbin}/pam-auth-update rPx,
@{sh_path} rix,
@{bin}/stty rix,

4
apparmor.d/profiles-m-r/parted
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/parted
@{exec_path} = @{sbin}/parted
profile parted @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
@ -22,7 +22,7 @@ profile parted @{exec_path} {
@{sh_path} rix,
@{bin}/udevadm rCx -> udevadm,
@{bin}/dmidecode rPx,
@{sbin}/dmidecode rPx,
/etc/inputrc r,

4
apparmor.d/profiles-m-r/partprobe
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/partprobe
@{exec_path} = @{sbin}/partprobe
profile partprobe @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -23,7 +23,7 @@ profile partprobe @{exec_path} {
@{sh_path} rix,
@{bin}/udevadm rCx -> udevadm,
@{bin}/dmidecode rPx,
@{sbin}/dmidecode rPx,
@{PROC}/devices r,
@{PROC}/swaps r,

2
apparmor.d/profiles-m-r/pass-import
View file

@ -24,7 +24,7 @@ profile pass-import @{exec_path} {
@{bin}/ r,
@{bin}/gcc rix, # TODO: Test deny
@{bin}/ld rix,
@{bin}/ldconfig rix,
@{sbin}/ldconfig rix,
@{bin}/pass rPx,
@{python_path} rix,
@{lib}/gcc/**/collect2 rix,

2
apparmor.d/profiles-m-r/pcscd
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/pcscd
@{exec_path} = @{sbin}/pcscd
profile pcscd @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>

2
apparmor.d/profiles-m-r/rdmsr
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/rdmsr
@{exec_path} = @{sbin}/rdmsr
profile rdmsr @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-m-r/resize2fs
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/resize2fs
@{exec_path} = @{sbin}/resize2fs
profile resize2fs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>

2
apparmor.d/profiles-m-r/resolvconf
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/resolvconf
@{exec_path} = @{sbin}/resolvconf
profile resolvconf @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>

2
apparmor.d/profiles-m-r/rfkill
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/rfkill
@{exec_path} = @{sbin}/rfkill
profile rfkill @{exec_path} {
include <abstractions/base>

2
apparmor.d/profiles-m-r/rsyslogd
View file

@ -12,7 +12,7 @@ include <tunables/global>
# following:
# watch -n 1 'dmesg | tail -5'
@{exec_path} = @{bin}/rsyslogd
@{exec_path} = @{sbin}/rsyslogd
profile rsyslogd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice>

2
apparmor.d/profiles-m-r/rtkitctl
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/rtkitctl
@{exec_path} = @{sbin}/rtkitctl
profile rtkitctl @{exec_path} {
include <abstractions/base>

8
apparmor.d/profiles-m-r/run-parts
View file

@ -25,7 +25,7 @@ profile run-parts @{exec_path} {
@{exec_path} mrix,
@{sh_path} rix,
@{bin}/anacron rix,
@{sbin}/anacron rix,
@{bin}/cat rix,
@{bin}/date rix,
@{bin}/nice rix,
@ -229,12 +229,12 @@ profile run-parts @{exec_path} {
@{bin}/which{,.debianutils} rix,
@{bin}/apt-config rPx,
@{bin}/dkms rPx,
@{sbin}/dkms rPx,
@{bin}/dpkg rPx -> child-dpkg,
@{bin}/systemd-detect-virt rPx,
@{bin}/update-alternatives rPx,
@{bin}/update-grub rPUx,
@{bin}/update-initramfs rPx,
@{sbin}/update-grub rPUx,
@{sbin}/update-initramfs rPx,
@{lib}/dkms/dkms_autoinstaller rPx,
@{lib}/modules/*/updates/ w,

2
apparmor.d/profiles-m-r/runuser
View file

@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/runuser
@{exec_path} = @{sbin}/runuser
profile runuser @{exec_path} {
include <abstractions/base>
include <abstractions/authentication>