From 7716c8a191a86a2c67c86ae861b8600db5e3de06 Mon Sep 17 00:00:00 2001
From: EricLin0509 <ericlin050914@gmail.com>
Date: Tue, 27 Aug 2024 21:00:20 +0800
Subject: [PATCH] Rewrite the profile for ufw

---
 apparmor.d/profiles-s-z/ufw | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw
index add5865e..55437c18 100644
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@@ -8,8 +8,9 @@ include <tunables/global>
 
 @{exec_path} = @{bin}/ufw
 profile ufw @{exec_path} {
-
     include <abstractions/base>
+    include <abstractions/nameservice-strict>
+    include <abstractions/python>
 
     capability dac_read_search,
     capability net_admin,
@@ -21,34 +22,28 @@ profile ufw @{exec_path} {
     @{exec_path} mr,
 
     @{bin}/ r,
-    @{bin}/python3* ix,
+    @{bin}/env r,
+    @{bin}/python3.@{int} ix,
     @{bin}/cat ix,
     @{bin}/xtables-nft-multi ix,
 
     @{lib}/ufw/ufw-init ix,
 
-    @{PROC}/@{pid}/stat r,
-    @{PROC}/@{pid}/fd/ r,
-    @{PROC}/@{pid}/net/ip_tables_names r,
-
-    owner @{bin}/env r,
-
     /etc/ufw/{,**} rwk,
 
     /etc/default/ufw r,
 
-    /run/ufw.lock wk,
-
-    /etc/gai.conf r,
-    /etc/nsswitch.conf r,
-    /etc/passwd r,
-    /etc/services r,
+    @{run}/ufw.lock rwk,
 
     /var/tmp/@{rand8} rw,
     /var/tmp/tmp* rw,
     /tmp/@{rand8} rw,
     /tmp/tmp* rw,
 
+    @{PROC}/@{pid}/stat r,
+    @{PROC}/@{pid}/fd/ r,
+    @{PROC}/@{pid}/net/ip_tables_names r,
+
     /dev/pts/[0-9]* rw,
     /dev/tty rw,