diff --git a/apparmor.d/groups/apps/atom b/apparmor.d/groups/apps/atom
index 9ea9a4c9..7bcfd87a 100644
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@@ -27,7 +27,7 @@ profile atom @{exec_path} {
include
include
- ptrace (read) peer=child-lsb_release,
+ ptrace (read) peer=lsb_release,
ptrace (read) peer=xdg-settings,
@{exec_path} mrix,
@@ -65,7 +65,7 @@ profile atom @{exec_path} {
/{usr/,}bin/nohup rix,
/{usr/,}bin/cat rix,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
diff --git a/apparmor.d/groups/apps/code b/apparmor.d/groups/apps/code
index ba8478bf..deacf0eb 100644
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@@ -25,7 +25,7 @@ profile code @{exec_path} {
include
include
- ptrace (read) peer=child-lsb_release,
+ ptrace (read) peer=lsb_release,
@{exec_path} mrix,
@@ -47,7 +47,7 @@ profile code @{exec_path} {
#/{usr/,}bin/which{,.debianutils} rix,
#/{usr/,}sbin/ifconfig rix,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/git rPUx,
diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox
index e7476e04..6ef33f84 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@@ -117,7 +117,7 @@ profile dropbox @{exec_path} {
# External apps
/{usr/,}bin/xdg-open rCx -> open,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/groups/apps/filezilla
index 3120b2f1..bdcf2f38 100644
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@@ -27,7 +27,7 @@ profile filezilla @{exec_path} {
# When using SFTP protocol
/{usr/,}bin/fzsftp rPx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
owner @{HOME}/ r,
owner @{user_config_dirs}/filezilla/ rw,
diff --git a/apparmor.d/groups/apps/thunderbird b/apparmor.d/groups/apps/thunderbird
index bc30b2e9..46d3d62e 100644
--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@@ -166,7 +166,7 @@ profile thunderbird @{exec_path} {
# Silencer
deny /{usr/,}lib/thunderbird/** w,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs
index 8e424991..4908da8c 100644
--- a/apparmor.d/groups/apt/apt-listbugs
+++ b/apparmor.d/groups/apt/apt-listbugs
@@ -49,7 +49,7 @@ profile apt-listbugs @{exec_path} {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges
index 471384eb..f3efd5d3 100644
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@@ -68,7 +68,7 @@ profile apt-listchanges @{exec_path} {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found
index 603f1aed..9faf2ba4 100644
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@@ -17,7 +17,7 @@ profile command-not-found @{exec_path} {
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/var/lib/command-not-found/commands.db rwk,
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 3c7d3b23..bd958a39 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -42,7 +42,7 @@ profile dpkg-preconfigure @{exec_path} {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index 26b021e3..1cdb4707 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@@ -54,7 +54,7 @@ profile reportbug @{exec_path} {
# /{usr/,}{s,}bin/exim4 rPx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/pager rPx -> child-pager,
diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic
index b3a7cbb2..65adc15d 100644
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@@ -96,7 +96,7 @@ profile synaptic @{exec_path} {
/{usr/,}sbin/update-command-not-found rPx,
/usr/share/command-not-found/cnf-update-db rPx,
/{usr/,}sbin/update-apt-xapian-index rPx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/deborphan rPx,
/{usr/,}bin/tasksel rPx,
/{usr/,}bin/pkexec rPx,
diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 2030c6f5..a98164bd 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -67,7 +67,7 @@ profile brave @{exec_path} {
# For storing passwords externally
/{usr/,}bin/keepassxc-proxy rPUx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
# no new privs
#deny /{usr/,}bin/xdg-desktop-menu rx,
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index 5325b726..17923017 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -40,7 +40,7 @@ profile chromium-chromium @{exec_path} {
ptrace (trace) peer=@{profile_name},
ptrace (read) peer=xdg-settings,
ptrace (read) peer=keepassxc-proxy,
- ptrace (read) peer=child-lsb_release,
+ ptrace (read) peer=lsb_release,
signal (send) set=(term, kill) peer=keepassxc-proxy,
@@ -59,7 +59,7 @@ profile chromium-chromium @{exec_path} {
/{usr/,}bin/keepassxc-proxy rPUx,
/{usr/,}bin/browserpass rPx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 617db1d3..c4221b3e 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -179,7 +179,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/keepassxc-proxy rPUx, # For storing passwords externally
/{usr/,}bin/browserpass rPx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
diff --git a/apparmor.d/groups/browsers/google-chrome-chrome b/apparmor.d/groups/browsers/google-chrome-chrome
index 17903454..583bd8f8 100644
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@@ -59,7 +59,7 @@ profile google-chrome-chrome @{exec_path} {
# For storing passwords externally
/{usr/,}bin/keepassxc-proxy rPUx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# no new privs
diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera
index 07d4cca8..9cfdb113 100644
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@@ -55,7 +55,7 @@ profile opera @{exec_path} {
@{OPERA_INSTALLDIR}/opera_crashreporter rPx,
@{OPERA_INSTALLDIR}/opera_autoupdate krix,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-mime rPUx,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/xdg-settings rPUx,
diff --git a/apparmor.d/profiles-a-l/adequate b/apparmor.d/profiles-a-l/adequate
index fa610246..a76e9673 100644
--- a/apparmor.d/profiles-a-l/adequate
+++ b/apparmor.d/profiles-a-l/adequate
@@ -91,7 +91,7 @@ profile adequate @{exec_path} flags=(complain) {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-a-l/amarok b/apparmor.d/profiles-a-l/amarok
index e69e8666..7d709a69 100644
--- a/apparmor.d/profiles-a-l/amarok
+++ b/apparmor.d/profiles-a-l/amarok
@@ -68,7 +68,7 @@ profile amarok @{exec_path} {
/{usr/,}bin/knotify4 rPUx,
/{usr/,}bin/ffmpeg rPUx,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
# Which media files Amarok should be able to open
/ r,
diff --git a/apparmor.d/profiles-a-l/anki b/apparmor.d/profiles-a-l/anki
index 4a38062c..bd2bf6f3 100644
--- a/apparmor.d/profiles-a-l/anki
+++ b/apparmor.d/profiles-a-l/anki
@@ -41,7 +41,7 @@ profile anki @{exec_path} {
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/ r,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/mpv rCx -> mpv, # For recording sounds while creating decks
diff --git a/apparmor.d/profiles-a-l/aspell-autobuildhash b/apparmor.d/profiles-a-l/aspell-autobuildhash
index b7474b00..34603739 100644
--- a/apparmor.d/profiles-a-l/aspell-autobuildhash
+++ b/apparmor.d/profiles-a-l/aspell-autobuildhash
@@ -63,7 +63,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-a-l/check-support-status-hook b/apparmor.d/profiles-a-l/check-support-status-hook
index d597a2a6..fadcbb05 100644
--- a/apparmor.d/profiles-a-l/check-support-status-hook
+++ b/apparmor.d/profiles-a-l/check-support-status-hook
@@ -84,7 +84,7 @@ profile check-support-status-hook @{exec_path} {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-a-l/dkms b/apparmor.d/profiles-a-l/dkms
index 129fd400..8f4526b1 100644
--- a/apparmor.d/profiles-a-l/dkms
+++ b/apparmor.d/profiles-a-l/dkms
@@ -54,7 +54,7 @@ profile dkms @{exec_path} {
/{usr/,}lib/llvm-[0-9]*/bin/clang rix,
/{usr/,}bin/kmod rCx -> kmod,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}lib/linux-kbuild-*/scripts/** rix,
/{usr/,}lib/modules/*/build/scripts/** rix,
diff --git a/apparmor.d/profiles-a-l/frontend b/apparmor.d/profiles-a-l/frontend
index 1e565cc5..46a762f5 100644
--- a/apparmor.d/profiles-a-l/frontend
+++ b/apparmor.d/profiles-a-l/frontend
@@ -69,7 +69,7 @@ profile frontend @{exec_path} flags=(complain) {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-a-l/hardinfo b/apparmor.d/profiles-a-l/hardinfo
index dfed7606..ea1b544c 100644
--- a/apparmor.d/profiles-a-l/hardinfo
+++ b/apparmor.d/profiles-a-l/hardinfo
@@ -48,7 +48,7 @@ profile hardinfo @{exec_path} {
/{usr/,}bin/valgrind{,.bin} rix,
/{usr/,}lib/@{multiarch}/valgrind/memcheck-*-linux rix,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/ccache rCx -> ccache,
/{usr/,}bin/kmod rCx -> kmod,
diff --git a/apparmor.d/profiles-a-l/hw-probe b/apparmor.d/profiles-a-l/hw-probe
index bf428473..d4f74177 100644
--- a/apparmor.d/profiles-a-l/hw-probe
+++ b/apparmor.d/profiles-a-l/hw-probe
@@ -33,7 +33,7 @@ profile hw-probe @{exec_path} {
/{usr/,}bin/efivar rix,
/{usr/,}bin/efibootmgr rix,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}{s,}bin/dkms rPx,
diff --git a/apparmor.d/profiles-a-l/kodi b/apparmor.d/profiles-a-l/kodi
index 46efaa73..b756d8e6 100644
--- a/apparmor.d/profiles-a-l/kodi
+++ b/apparmor.d/profiles-a-l/kodi
@@ -35,7 +35,7 @@ profile kodi @{exec_path} {
/{usr/,}bin/dirname rix,
/{usr/,}{s,}bin/ldconfig rix,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/df rCx -> df,
/usr/share/kodi/{,**} r,
diff --git a/apparmor.d/profiles-a-l/lsb_release b/apparmor.d/profiles-a-l/lsb_release
deleted file mode 100644
index d15f52f1..00000000
--- a/apparmor.d/profiles-a-l/lsb_release
+++ /dev/null
@@ -1,55 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> lsb_release" exec transitions from
-# other profiles. We want to confine the lsb_release(1) utility when it
-# is invoked from other confined applications, but not when it is used
-# in regular (unconfined) shell scripts or run directly by the user.
-
-abi ,
-
-include
-
-# Do not attach to /{usr/,}bin/lsb_release by default
-profile lsb_release {
- include
- include
-
- owner @{PROC}/@{pid}/fd/ r,
-
- /dev/tty rw,
-
- /usr/bin/lsb_release r,
- /usr/bin/python3.{1,}[0-9] mr,
-
- /etc/debian_version r,
- /etc/default/apport r,
- /etc/dpkg/origins/** r,
- /etc/lsb-release r,
- /etc/lsb-release.d/ r,
-
- /{usr/,}bin/bash ixr,
- /{usr/,}bin/dash ixr,
- /usr/bin/basename ixr,
- /usr/bin/dpkg-query ixr,
- /usr/bin/getopt ixr,
- /usr/bin/sed ixr,
- /usr/bin/tr ixr,
-
- # TODO - many more permissions needed for this to work
- deny /usr/bin/apt-cache x,
-
- /usr/bin/ r,
- /usr/include/python*/pyconfig.h r,
- /usr/share/distro-info/** r,
- /usr/share/dpkg/** r,
- /usr/share/terminfo/** r,
- /var/lib/dpkg/** r,
-
- # file_inherit
- deny /tmp/gtalkplugin.log w,
-
- include if exists
-}
diff --git a/apparmor.d/profiles-m-z/mumble b/apparmor.d/profiles-m-z/mumble
index 359948a1..72b25d1a 100644
--- a/apparmor.d/profiles-m-z/mumble
+++ b/apparmor.d/profiles-m-z/mumble
@@ -35,7 +35,7 @@ profile mumble @{exec_path} {
@{exec_path} mrix,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Mumble home files
diff --git a/apparmor.d/profiles-m-z/pam-auth-update b/apparmor.d/profiles-m-z/pam-auth-update
index 4fee40ff..345341b5 100644
--- a/apparmor.d/profiles-m-z/pam-auth-update
+++ b/apparmor.d/profiles-m-z/pam-auth-update
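Review bot: Every `rPx -> lsb_release` transition, and the `ptrace`/`signal` `peer=lsb_release` rules in atom, code, chromium, psi and psi-plus, now resolve against a profile named `lsb_release`, yet the only definition of that name in this diff is the one deleted here and no hunk adds or renames a replacement. If the former `child-lsb_release` profile is renamed to `lsb_release` elsewhere in the same commit this is fine, but it should be confirmed, because a `Px` transition whose target is not loaded is an exec denial at runtime rather than a fallback to unconfined (only `PUx` falls back). The deleted header also recorded a deliberate policy — no attachment path, so `lsb_release` is confined only when reached from a confined caller and stays unconfined from shells — and the drop of the `child-` prefix suggests the replacement may now attach to `/{usr/,}bin/lsb_release` instead; whichever is intended, the replacement profile should carry an equivalent note, e.g. `# Attaches to /{usr/,}bin/lsb_release; also the target of Px transitions from confined callers`, so the confinement scope of a tool that reads `/etc/dpkg/origins/**` and `/var/lib/dpkg/**` is not left implicit. The `deny /usr/bin/apt-cache x,` rule with its TODO is dropped with this file; the default-deny still blocks the exec, but the quiet-deny intent is lost unless the replacement keeps it.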
@@ -52,7 +52,7 @@ profile pam-auth-update @{exec_path} flags=(complain) {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
diff --git a/apparmor.d/profiles-m-z/psi b/apparmor.d/profiles-m-z/psi
index 624000ae..5b352657 100644
--- a/apparmor.d/profiles-m-z/psi
+++ b/apparmor.d/profiles-m-z/psi
@@ -27,7 +27,7 @@ profile psi @{exec_path} {
include
include
- signal (send) set=(term, kill) peer=child-lsb_release,
+ signal (send) set=(term, kill) peer=lsb_release,
network inet dgram,
network inet6 dgram,
@@ -37,7 +37,7 @@ profile psi @{exec_path} {
@{exec_path} mr,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Needed for GPG/PGP support
diff --git a/apparmor.d/profiles-m-z/psi-plus b/apparmor.d/profiles-m-z/psi-plus
index 47113214..b3187bcd 100644
--- a/apparmor.d/profiles-m-z/psi-plus
+++ b/apparmor.d/profiles-m-z/psi-plus
@@ -27,7 +27,7 @@ profile psi-plus @{exec_path} {
include
include
- signal (send) set=(term, kill) peer=child-lsb_release,
+ signal (send) set=(term, kill) peer=lsb_release,
network inet dgram,
network inet6 dgram,
@@ -37,7 +37,7 @@ profile psi-plus @{exec_path} {
@{exec_path} mr,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
# Needed for GPG/PGP support
diff --git a/apparmor.d/profiles-m-z/ucf b/apparmor.d/profiles-m-z/ucf
index 1d925350..95319d5b 100644
--- a/apparmor.d/profiles-m-z/ucf
+++ b/apparmor.d/profiles-m-z/ucf
@@ -105,7 +105,7 @@ profile ucf @{exec_path} flags=(complain) {
include
include
capability dac_read_search,
- /{usr/,}bin/lsb_release rPx -> child-lsb_release,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
/{usr/,}bin/hostname rix,
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,