mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 06:45:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

child-lsb_release -> lsb_release.

Browse source
This commit is contained in:
Alexandre Pujol 2021-09-15 16:30:28 +01:00
parent 2a6b2bd189
commit 6c0ae4ddc1
Failed to generate hash of commit
32 changed files with 36 additions and 91 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/apps/atom
View file

@ -27,7 +27,7 @@ profile atom @{exec_path} {
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace (read) peer=child-lsb_release,
ptrace (read) peer=lsb_release,
ptrace (read) peer=xdg-settings,
@{exec_path} mrix,
@ -65,7 +65,7 @@ profile atom @{exec_path} {
/{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,

4
apparmor.d/groups/apps/code
View file

@ -25,7 +25,7 @@ profile code @{exec_path} {
include <abstractions/deny-dconf>
include <abstractions/deny-root-dir-access>
ptrace (read) peer=child-lsb_release,
ptrace (read) peer=lsb_release,
@{exec_path} mrix,
@ -47,7 +47,7 @@ profile code @{exec_path} {
#/{usr/,}bin/which{,.debianutils} rix,
#/{usr/,}sbin/ifconfig rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/git rPUx,

2
apparmor.d/groups/apps/dropbox
View file

@ -117,7 +117,7 @@ profile dropbox @{exec_path} {
# External apps
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,

2
apparmor.d/groups/apps/filezilla
View file

@ -27,7 +27,7 @@ profile filezilla @{exec_path} {
# When using SFTP protocol
/{usr/,}bin/fzsftp rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
owner @{HOME}/ r,
owner @{user_config_dirs}/filezilla/ rw,

2
apparmor.d/groups/apps/thunderbird
View file

@ -166,7 +166,7 @@ profile thunderbird @{exec_path} {
# Silencer
deny /{usr/,}lib/thunderbird/** w,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,

2
apparmor.d/groups/apt/apt-listbugs
View file

@ -49,7 +49,7 @@ profile apt-listbugs @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/groups/apt/apt-listchanges
View file

@ -68,7 +68,7 @@ profile apt-listchanges @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/groups/apt/command-not-found
View file

@ -17,7 +17,7 @@ profile command-not-found @{exec_path} {
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/var/lib/command-not-found/commands.db rwk,

2
apparmor.d/groups/apt/dpkg-preconfigure
View file

@ -42,7 +42,7 @@ profile dpkg-preconfigure @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/groups/apt/reportbug
View file

@ -54,7 +54,7 @@ profile reportbug @{exec_path} {
#
/{usr/,}{s,}bin/exim4 rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/pager rPx -> child-pager,

2
apparmor.d/groups/apt/synaptic
View file

@ -96,7 +96,7 @@ profile synaptic @{exec_path} {
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}sbin/update-apt-xapian-index rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/deborphan rPx,
/{usr/,}bin/tasksel rPx,
/{usr/,}bin/pkexec rPx,

2
apparmor.d/groups/browsers/brave
View file

@ -67,7 +67,7 @@ profile brave @{exec_path} {
# For storing passwords externally
/{usr/,}bin/keepassxc-proxy rPUx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
# no new privs
#deny /{usr/,}bin/xdg-desktop-menu rx,

4
apparmor.d/groups/browsers/chromium-chromium
View file

@ -40,7 +40,7 @@ profile chromium-chromium @{exec_path} {
ptrace (trace) peer=@{profile_name},
ptrace (read) peer=xdg-settings,
ptrace (read) peer=keepassxc-proxy,
ptrace (read) peer=child-lsb_release,
ptrace (read) peer=lsb_release,
signal (send) set=(term, kill) peer=keepassxc-proxy,
@ -59,7 +59,7 @@ profile chromium-chromium @{exec_path} {
/{usr/,}bin/keepassxc-proxy rPUx,
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,

2
apparmor.d/groups/browsers/firefox
View file

@ -179,7 +179,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/keepassxc-proxy rPUx, # For storing passwords externally
/{usr/,}bin/browserpass rPx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,

2
apparmor.d/groups/browsers/google-chrome-chrome
View file

@ -59,7 +59,7 @@ profile google-chrome-chrome @{exec_path} {
# For storing passwords externally
/{usr/,}bin/keepassxc-proxy rPUx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# no new privs

2
apparmor.d/groups/browsers/opera
View file

@ -55,7 +55,7 @@ profile opera @{exec_path} {
@{OPERA_INSTALLDIR}/opera_crashreporter rPx,
@{OPERA_INSTALLDIR}/opera_autoupdate krix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,

2
apparmor.d/profiles-a-l/adequate
View file

@ -91,7 +91,7 @@ profile adequate @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/profiles-a-l/amarok
View file

@ -68,7 +68,7 @@ profile amarok @{exec_path} {
/{usr/,}bin/knotify4 rPUx,
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
# Which media files Amarok should be able to open
/ r,

2
apparmor.d/profiles-a-l/anki
View file

@ -41,7 +41,7 @@ profile anki @{exec_path} {
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/ r,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/mpv rCx -> mpv,
# For recording sounds while creating decks

2
apparmor.d/profiles-a-l/aspell-autobuildhash
View file

@ -63,7 +63,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/profiles-a-l/check-support-status-hook
View file

@ -84,7 +84,7 @@ profile check-support-status-hook @{exec_path} {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/profiles-a-l/dkms
View file

@ -54,7 +54,7 @@ profile dkms @{exec_path} {
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}lib/linux-kbuild-*/scripts/** rix,
/{usr/,}lib/modules/*/build/scripts/** rix,

2
apparmor.d/profiles-a-l/frontend
View file

@ -69,7 +69,7 @@ profile frontend @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

2
apparmor.d/profiles-a-l/hardinfo
View file

@ -48,7 +48,7 @@ profile hardinfo @{exec_path} {
/{usr/,}bin/valgrind{,.bin} rix,
/{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod,

2
apparmor.d/profiles-a-l/hw-probe
View file

@ -33,7 +33,7 @@ profile hw-probe @{exec_path} {
/{usr/,}bin/efivar rix,
/{usr/,}bin/efibootmgr rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}{s,}bin/dkms rPx,

2
apparmor.d/profiles-a-l/kodi
View file

@ -35,7 +35,7 @@ profile kodi @{exec_path} {
/{usr/,}bin/dirname rix,
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/df rCx -> df,
/usr/share/kodi/{,**} r,

55
apparmor.d/profiles-a-l/lsb_release
View file

@ -1,55 +0,0 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only
# Note: This profile does not specify an attachment path because it is
# intended to be used only via "Px -> lsb_release" exec transitions from
# other profiles. We want to confine the lsb_release(1) utility when it
# is invoked from other confined applications, but not when it is used
# in regular (unconfined) shell scripts or run directly by the user.
abi <abi/3.0>,
include <tunables/global>
# Do not attach to /{usr/,}bin/lsb_release by default
profile lsb_release {
include <abstractions/base>
include <abstractions/python>
owner @{PROC}/@{pid}/fd/ r,
/dev/tty rw,
/usr/bin/lsb_release r,
/usr/bin/python3.{1,}[0-9] mr,
/etc/debian_version r,
/etc/default/apport r,
/etc/dpkg/origins/** r,
/etc/lsb-release r,
/etc/lsb-release.d/ r,
/{usr/,}bin/bash ixr,
/{usr/,}bin/dash ixr,
/usr/bin/basename ixr,
/usr/bin/dpkg-query ixr,
/usr/bin/getopt ixr,
/usr/bin/sed ixr,
/usr/bin/tr ixr,
# TODO - many more permissions needed for this to work
deny /usr/bin/apt-cache x,
/usr/bin/ r,
/usr/include/python*/pyconfig.h r,
/usr/share/distro-info/** r,
/usr/share/dpkg/** r,
/usr/share/terminfo/** r,
/var/lib/dpkg/** r,
# file_inherit
deny /tmp/gtalkplugin.log w,
include if exists <local/lsb_release>
}

2
apparmor.d/profiles-m-z/mumble
View file

@ -35,7 +35,7 @@ profile mumble @{exec_path} {
@{exec_path} mrix,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Mumble home files

2
apparmor.d/profiles-m-z/pam-auth-update
View file

@ -52,7 +52,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,

4
apparmor.d/profiles-m-z/psi
View file

@ -27,7 +27,7 @@ profile psi @{exec_path} {
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=child-lsb_release,
signal (send) set=(term, kill) peer=lsb_release,
network inet dgram,
network inet6 dgram,
@ -37,7 +37,7 @@ profile psi @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Needed for GPG/PGP support

4
apparmor.d/profiles-m-z/psi-plus
View file

@ -27,7 +27,7 @@ profile psi-plus @{exec_path} {
include <abstractions/thumbnails-cache-read>
include <abstractions/deny-root-dir-access>
signal (send) set=(term, kill) peer=child-lsb_release,
signal (send) set=(term, kill) peer=lsb_release,
network inet dgram,
network inet6 dgram,
@ -37,7 +37,7 @@ profile psi-plus @{exec_path} {
@{exec_path} mr,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Needed for GPG/PGP support

2
apparmor.d/profiles-m-z/ucf
View file

@ -105,7 +105,7 @@ profile ucf @{exec_path} flags=(complain) {
include <abstractions/fontconfig-cache-read>
include <abstractions/freedesktop.org>
capability dac_read_search,
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,