b88b8b8c26
As the number of abstraction is increasing, it is valuable to separate "base" abstractions to programs specific ones.
46 lines
No EOL
1.1 KiB
Text
46 lines
No EOL
1.1 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = @{bin}/do-release-upgrade
|
|
profile do-release-upgrade @{exec_path} {
|
|
include <abstractions/base>
|
|
include <abstractions/common/apt>
|
|
include <abstractions/consoles>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/python>
|
|
include <abstractions/ssl_certs>
|
|
|
|
capability net_admin,
|
|
|
|
network inet dgram,
|
|
network inet6 dgram,
|
|
network inet stream,
|
|
network inet6 stream,
|
|
network netlink raw,
|
|
|
|
@{exec_path} mr,
|
|
|
|
@{bin}/dpkg rPx -> child-dpkg,
|
|
@{bin}/ischroot rix,
|
|
@{bin}/lsb_release rPx -> lsb_release,
|
|
|
|
/usr/share/distro-info/*.csv r,
|
|
/usr/share/ubuntu-release-upgrader/{,**} r,
|
|
|
|
/etc/machine-id r,
|
|
/etc/update-manager/{,**} r,
|
|
|
|
/var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
|
|
/var/lib/update-manager/* rw,
|
|
/var/cache/apt/pkgcache.bin{,.*} rw,
|
|
|
|
owner @{PROC}/@{pid}/fd/ r,
|
|
@{PROC}/@{pids}/mountinfo r,
|
|
|
|
include if exists <local/do-release-upgrade>
|
|
} |