feat(profile): use @{sbin} for all program inside /usr/sbin.

Alexandre Pujol 2025-04-28 21:27:57 +02:00
parent b8f2f38c72
commit fd17a77b17
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
270 changed files with 475 additions and 475 deletions


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/sensors-detect
@{exec_path} = @{sbin}/sensors-detect
profile sensors-detect @{exec_path} {
include <abstractions/base>
include <abstractions/perl>
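Review bot: The `@{exec_path} = @{sbin}/sensors-detect` line makes profile attachment depend on how `@{sbin}` expands, and that tunable's definition is not part of this view. If it does not cover the directory where the binary is really installed (for example on a system that merges sbin into bin), the profile would presumably stop attaching and the program would run without this confinement, with no error at load time. It would help to state the expectation next to the variable, e.g. `# @{sbin} must expand to the real install directory on merged-sbin systems`, and to confirm attachment on each target distribution. The same applies to the other `@{exec_path}` changes in this commit (setvtrgb, sfdisk, sgdisk, smartctl, smartd, unix_chkpwd, wpa_supplicant and the rest). The profile body continues past the lines shown.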


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/setvtrgb
@{exec_path} = @{sbin}/setvtrgb
profile setvtrgb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/sfdisk
@{exec_path} = @{sbin}/sfdisk
profile sfdisk @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/sgdisk
@{exec_path} = @{sbin}/sgdisk
profile sgdisk @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/smartctl
@{exec_path} = @{sbin}/smartctl
profile smartctl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/smartd
@{exec_path} = @{sbin}/smartd
profile smartd @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>


@ -46,7 +46,7 @@ profile spectre-meltdown-checker @{exec_path} {
@{bin}/gzip rix,
@{bin}/head rix,
@{bin}/id rix,
@{bin}/iucode_tool rix,
@{sbin}/iucode_tool rix,
@{bin}/kmod rCx -> kmod,
@{bin}/lzop rix,
@{bin}/mktemp rix,
@ -55,7 +55,7 @@ profile spectre-meltdown-checker @{exec_path} {
@{bin}/od rix,
@{bin}/perl rix,
@{bin}/pgrep rCx -> pgrep,
@{bin}/rdmsr rix,
@{sbin}/rdmsr rix,
@{bin}/readlink rix,
@{bin}/rm rix,
@{bin}/sed rix,


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/spice-vdagentd
@{exec_path} = @{sbin}/spice-vdagentd
profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>


@ -23,7 +23,7 @@ profile syncthing @{exec_path} {
@{exec_path} mrix,
@{open_path} rPx -> child-open,
@{bin}/ip rix,
@{sbin}/ip rix,
/usr/share/mime/{,**} r,
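Review bot: `@{sbin}/ip rix,` replaces the only rule that allowed `ip`, so the exec would be denied wherever the binary's resolved path is under the bin directory; AppArmor matches the real path of the executed file, not a symlink that points to it from sbin. Whether that happens depends on the distribution's layout and on how `@{sbin}` is defined, neither of which is visible here. Unless the tunable is known to cover both locations, keeping the old rule beside the new one is the safer change: `@{bin}/ip rix,` followed by `@{sbin}/ip rix,`. The same rule is changed in the wechat, wechat-appimage and wpa-action sections. The profile body starts and ends outside this hunk.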


@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/thermald
@{exec_path} = @{sbin}/thermald
profile thermald @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>


@ -30,13 +30,13 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
@{bin}/cat rix,
@{bin}/chmod rix,
@{bin}/cp rix,
@{bin}/ethtool rix,
@{sbin}/ethtool rix,
@{bin}/flock rix,
@{bin}/grep rix,
@{bin}/hdparm rPx,
@{sbin}/hdparm rPx,
@{bin}/head rix,
@{bin}/id rPx,
@{bin}/iw rPx,
@{sbin}/iw rPx,
@{bin}/logger rix,
@{bin}/mktemp rix,
@{bin}/readlink rix,


@ -48,7 +48,7 @@ profile tomb @{exec_path} {
@{bin}/id rix,
@{bin}/kill rix,
@{bin}/locate rix,
@{bin}/losetup rix,
@{sbin}/losetup rix,
@{bin}/ls rix,
@{bin}/lsof rix,
@{bin}/mkdir rix,
@ -67,22 +67,22 @@ profile tomb @{exec_path} {
@{bin}/zsh rix,
@{bin}/btrfs rPx,
@{bin}/cryptsetup rPUx,
@{sbin}/cryptsetup rPUx,
@{bin}/e2fsc rPUx,
@{bin}/fsck rPx,
@{sbin}/fsck rPx,
@{bin}/gpg{,2} rPx,
@{bin}/lsblk rPx,
@{bin}/mkfs.* rPUx,
@{sbin}/mkfs.* rPUx,
@{bin}/mount rPx,
@{bin}/pinentry rPx,
@{bin}/pinentry-* rPx,
@{bin}/qrencode rPx,
@{bin}/resize2fs rPx,
@{sbin}/resize2fs rPx,
@{bin}/tomb-kdb-pbkdf2 rPUx,
@{bin}/tune2fs rPx,
@{sbin}/tune2fs rPx,
@{bin}/umount rCx -> umount,
@{bin}/updatedb.mlocate rPx,
@{bin}/zramctl rPx,
@{sbin}/zramctl rPx,
/usr/share/file/** r,
/usr/share/terminfo/** r,
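Review bot: `@{bin}/e2fsc rPUx,` in the second hunk looks like a truncated `e2fsck`, and it was left under `@{bin}` while the neighbouring fsck, mkfs.*, resize2fs and tune2fs rules moved to `@{sbin}`. If e2fsck is the intended target, the rule as written matches nothing, so the filesystem check that tomb runs would be denied rather than transitioned. The line should probably read `@{sbin}/e2fsck rPUx,`, assuming it is installed beside resize2fs and tune2fs. Since the `PUx` rules here fall back to running unconfined when no target profile is loaded, a comment such as `# PUx: runs unconfined unless a matching profile is loaded` on the cryptsetup, mkfs.* and e2fsck lines would make that trade-off explicit. The profile continues outside both hunks.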


@ -19,7 +19,7 @@ profile torsocks @{exec_path} {
@{sh_path} rix,
@{bin}/* rPUx,
@{lib}/uwt/uwtexec rPUx,
@{bin}/getcap rix,
@{sbin}/getcap rix,
/etc/tor/torsocks.conf r,


@ -15,7 +15,7 @@ profile udev-bcache-export-cached @{exec_path} {
@{sh_path} rix,
@{bin}/{m,g,}awk rix,
@{bin}/bcache-super-show rix,
@{sbin}/bcache-super-show rix,
include if exists <local/udev-bcache-export-cached>
}


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/unix_chkpwd
@{exec_path} = @{sbin}/unix_chkpwd
profile unix-chkpwd @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/update-ca-certificates
@{exec_path} = @{sbin}/update-ca-certificates
profile update-ca-certificates @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/update-cracklib
@{exec_path} = @{sbin}/update-cracklib
profile update-cracklib @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -16,8 +16,8 @@ profile update-cracklib @{exec_path} {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/cracklib-format rix,
@{bin}/cracklib-packer rPx,
@{sbin}/cracklib-format rix,
@{sbin}/cracklib-packer rPx,
@{bin}/env rix,
@{bin}/file rix,
@{bin}/find rix,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/update-initramfs
@{exec_path} = @{sbin}/update-initramfs
profile update-initramfs @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -32,7 +32,7 @@ profile update-initramfs @{exec_path} {
@{bin}/dpkg-trigger rPx,
@{bin}/linux-version rPx,
@{bin}/mkinitramfs rPx,
@{sbin}/mkinitramfs rPx,
/var/lib/initramfs-tools/* w,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/update-pciids
@{exec_path} = @{sbin}/update-pciids
profile update-pciids @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/update-secureboot-policy
@{exec_path} = @{sbin}/update-secureboot-policy
profile update-secureboot-policy @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/update-smart-drivedb
@{exec_path} = @{sbin}/update-smart-drivedb
profile update-smart-drivedb @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} {
@{bin}/cmp rix,
@{bin}/ r,
@{bin}/smartctl rPx,
@{sbin}/smartctl rPx,
@{bin}/gpg{,2} rCx -> gpg,
@{bin}/wget rCx -> browse,


@ -19,7 +19,7 @@ profile updatedb-mlocate @{exec_path} {
@{exec_path} mr,
@{bin}/on_ac_power rPx,
@{sbin}/on_ac_power rPx,
# For shell pwd
/ r,


@ -29,11 +29,11 @@ profile veracrypt @{exec_path} {
@{sh_path} rix,
@{open_path} rPx -> child-open-help,
@{bin}/dmsetup rPx,
@{sbin}/dmsetup rPx,
@{bin}/grep rix,
@{bin}/kmod rix,
@{bin}/ldconfig rix,
@{bin}/losetup rCx -> losetup,
@{sbin}/ldconfig rix,
@{sbin}/losetup rCx -> losetup,
@{bin}/mount rPx,
@{bin}/sudo rix,
@{bin}/umount rCx -> umount,
@ -85,7 +85,7 @@ profile veracrypt @{exec_path} {
capability sys_rawio,
@{bin}/losetup mr,
@{sbin}/losetup mr,
include if exists <local/veracrypt_losetup>
}


@ -28,7 +28,7 @@ profile vidcutter @{exec_path} {
@{python_path} r,
@{bin}/ r,
@{bin}/ldconfig rix,
@{sbin}/ldconfig rix,
@{bin}/ffmpeg rPx,
@{bin}/ffprobe rPx,


@ -39,7 +39,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
@{bin}/getfacl rix,
@{bin}/setfacl rix,
@{bin}/libvirtd rPx,
@{sbin}/libvirtd rPx,
@{bin}/ssh rPx,
@{lib}/spice-client-glib-usb-acl-helper rPx,


@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) {
@{bin}/mkdir ix,
@{bin}/gawk rix,
@{bin}/lsblk rPx,
@{bin}/ip rix,
@{sbin}/ip rix,
@{bin}/xdg-user-dir rix,
@{open_path} rpx -> child-open-strict,


@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) {
@{bin}/mkdir ix,
@{bin}/gawk rix,
@{bin}/lsblk rPx,
@{bin}/ip rix,
@{sbin}/ip rix,
@{bin}/xdg-user-dir rix,
@{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix,
@{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix,


@ -25,7 +25,7 @@ profile whdd @{exec_path} {
@{bin}/tr rix,
# To read SMART attributes
@{bin}/smartctl rPx,
@{sbin}/smartctl rPx,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/partitions r,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/wpa_action
@{exec_path} = @{sbin}/wpa_action
profile wpa-action @{exec_path} {
include <abstractions/base>
@ -17,14 +17,14 @@ profile wpa-action @{exec_path} {
@{exec_path} mr,
@{bin}/wpa_cli rPx,
@{sbin}/wpa_cli rPx,
@{sh_path} rix,
@{bin}/{,e}grep rix,
@{bin}/cat rix,
@{bin}/date rix,
@{bin}/ifup rix,
@{bin}/ip rix,
@{sbin}/ip rix,
@{bin}/ln rix,
@{bin}/logger rix,
@{bin}/rm rix,


@ -7,13 +7,13 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/wpa_cli
@{exec_path} = @{sbin}/wpa_cli
profile wpa-cli @{exec_path} {
include <abstractions/base>
@{exec_path} mr,
@{bin}/wpa_action rPx,
@{sbin}/wpa_action rPx,
/etc/inputrc r,


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/wpa_supplicant
@{exec_path} = @{sbin}/wpa_supplicant
profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>


@ -7,7 +7,7 @@ abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/wrmsr
@{exec_path} = @{sbin}/wrmsr
profile wrmsr @{exec_path} {
include <abstractions/base>


@ -38,7 +38,7 @@ profile youtube-dl @{exec_path} {
@{bin}/ r,
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
@{bin}/git rix,
@{bin}/ldconfig rix,
@{sbin}/ldconfig rix,
@{bin}/rtmpdump rix,
@{bin}/uname rix,
@{lib}/git{,-core}/git rix,


@ -27,7 +27,7 @@ profile ytdl @{exec_path} {
@{python_path} r,
@{bin}/ r,
@{bin}/ldconfig rix,
@{sbin}/ldconfig rix,
@{bin}/uname rix,
/etc/mime.types r,


@ -20,7 +20,7 @@ profile zsysd @{exec_path} flags=(complain) {
/{usr/,}{local/,}{s,}bin/zfs rPx,
/{usr/,}{local/,}{s,}bin/zpool rPx,
# ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1
@{bin}/update-grub rPx,
@{sbin}/update-grub rPx,
/etc/hostid r,
/etc/zsys.conf r,
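Review bot: The audit line quoted above `@{sbin}/update-grub rPx,` reports `info="no new privs"`, which suggests the logged event was a profile transition refused under no_new_privs rather than a path that failed to match, so moving the rule to `@{sbin}` may leave that outcome unchanged. The comment only pastes the raw log; a sentence stating the conclusion would help the next reader, e.g. `# update-grub: Px transition is refused while zsysd runs with no_new_privs (see log below)`. The profile is still in `flags=(complain)`, so the event is only logged today and would become a hard denial once the profile is enforced. The zfs and zpool rules just above still spell out `/{usr/,}{local/,}{s,}bin/` by hand instead of using the tunables, which is inconsistent with this change. The profile body extends beyond the lines shown.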