From 7b04e288358b6d4ad6ce3b19a26e4fb4052f361a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 8 Sep 2024 12:36:35 +0100
Subject: [PATCH] feat(profile): remove transparent_hugepage rule already included in base.
---
 apparmor.d/groups/network/mullvad-daemon | 1 -
 apparmor.d/groups/network/tailscale | 2 --
 apparmor.d/groups/network/tailscaled | 1 -
 apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 --
 apparmor.d/groups/ubuntu/ubuntu-report | 2 --
 apparmor.d/groups/virt/cni-bandwidth | 2 --
 apparmor.d/groups/virt/cni-bridge | 2 --
 apparmor.d/groups/virt/cni-calico | 2 --
 apparmor.d/groups/virt/cni-firewall | 2 --
 apparmor.d/groups/virt/cni-flannel | 2 --
 apparmor.d/groups/virt/cni-host-local | 2 --
 apparmor.d/groups/virt/cni-loopback | 2 --
 apparmor.d/groups/virt/cni-portmap | 2 --
 apparmor.d/groups/virt/cni-tuning | 2 --
 apparmor.d/groups/virt/containerd | 1 -
 apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 -
 apparmor.d/groups/virt/docker-proxy | 2 --
 apparmor.d/groups/virt/dockerd | 1 -
 apparmor.d/groups/virt/k3s | 1 -
 apparmor.d/profiles-a-f/aa-log | 2 --
 apparmor.d/profiles-a-f/arduino-builder | 2 --
 apparmor.d/profiles-a-f/browserpass | 2 --
 apparmor.d/profiles-a-f/dnscrypt-proxy | 2 --
 apparmor.d/profiles-g-l/hugo | 2 --
 apparmor.d/profiles-s-z/sbctl | 2 --
 apparmor.d/profiles-s-z/sing-box | 2 --
 apparmor.d/profiles-s-z/snap | 1 -
 apparmor.d/profiles-s-z/snap-failure | 2 --
 apparmor.d/profiles-s-z/snap-seccomp | 2 --
 apparmor.d/profiles-s-z/snap-update-ns | 1 -
 apparmor.d/profiles-s-z/snapd | 1 -
 apparmor.d/profiles-s-z/snapd-aa-prompt-listener | 2 --
 apparmor.d/profiles-s-z/snapd-apparmor | 2 --
 apparmor.d/profiles-s-z/syncthing | 2 --
 apparmor.d/profiles-s-z/zsysd | 2 --
 35 files changed, 61 deletions(-)
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index dcdb1738..a5721348 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -55,7 +55,6 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/net_cls/ w,
 @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,
 @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 owner @{tmp}/@{uuid} rw,
 owner @{tmp}/talpid-openvpn-@{uuid} rw,
diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale
index 5c3b6221..37029973 100644
--- a/apparmor.d/groups/network/tailscale
+++ b/apparmor.d/groups/network/tailscale
@@ -27,8 +27,6 @@ profile tailscale @{exec_path} {
 owner @{run}/tailscale/tailscaled.sock rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/ r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/sys/net/core/somaxconn r,
diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled
index 121697da..dd3f253d 100644
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@@ -69,7 +69,6 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
 owner @{run}/tailscale/{,**} rw,
 @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{PROC}/ r,
 @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook
index 54c11667..4ce754d6 100644
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@@ -21,8 +21,6 @@ profile apt-esm-json-hook @{exec_path} {
 /var/lib/ubuntu-advantage/{,**} r,
 /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{run}/cloud-init/cloud-id-nocloud r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report
index 5edc9ebd..54e44453 100644
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@@ -23,8 +23,6 @@ profile ubuntu-report @{exec_path} {
 owner @{user_cache_dirs}/ubuntu-report/{,*} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth
index 21914faf..0159f603 100644
--- a/apparmor.d/groups/virt/cni-bandwidth
+++ b/apparmor.d/groups/virt/cni-bandwidth
@@ -18,8 +18,6 @@ profile cni-bandwidth @{exec_path} {
 @{exec_path} mr,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge
index 37de32ae..70347fe5 100644
--- a/apparmor.d/groups/virt/cni-bridge
+++ b/apparmor.d/groups/virt/cni-bridge
@@ -12,8 +12,6 @@ profile cni-bridge @{exec_path} {
 @{exec_path} mr,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 7c39a7ad..47d5590a 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -41,8 +41,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
 @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall
index 866b9dc9..028f5bd6 100644
--- a/apparmor.d/groups/virt/cni-firewall
+++ b/apparmor.d/groups/virt/cni-firewall
@@ -12,8 +12,6 @@ profile cni-firewall @{exec_path} {
 @{exec_path} mr,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel
index 05929a64..ac473fbc 100644
--- a/apparmor.d/groups/virt/cni-flannel
+++ b/apparmor.d/groups/virt/cni-flannel
@@ -12,8 +12,6 @@ profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){
 @{exec_path} mr,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local
index bf555cfd..50b8f315 100644
--- a/apparmor.d/groups/virt/cni-host-local
+++ b/apparmor.d/groups/virt/cni-host-local
@@ -12,8 +12,6 @@ profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){
 @{exec_path} mr,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index d05a303d..a7d24e30 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -22,8 +22,6 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) {
 @{run}/netns/ r,
 @{run}/netns/cni-@{uuid} rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap
index db29f252..bc4a00fa 100644
--- a/apparmor.d/groups/virt/cni-portmap
+++ b/apparmor.d/groups/virt/cni-portmap
@@ -19,8 +19,6 @@ profile cni-portmap @{exec_path} {
 @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning
index ee7133b3..c0e3a3fd 100644
--- a/apparmor.d/groups/virt/cni-tuning
+++ b/apparmor.d/groups/virt/cni-tuning
@@ -12,8 +12,6 @@ profile cni-tuning @{exec_path} {
 @{exec_path} mr,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index f85a3571..9ae6596e 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -92,7 +92,6 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 owner /var/tmp/** rwkl,
 @{sys}/fs/cgroup/kubepods/** r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/kernel/security/apparmor/profiles r,
 @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index c705c0cc..428473f5 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@@ -49,7 +49,6 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/{,**} rw,
 @{sys}/fs/cgroup/kubepods/{,**} rw,
 @{sys}/kernel/mm/hugepages/ r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy
index d549168e..4bb1d949 100644
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@@ -20,8 +20,6 @@ profile docker-proxy @{exec_path} {
 @{exec_path} mr,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/sys/net/core/somaxconn r,
 include if exists
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index f552c528..64bba083 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -75,7 +75,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/cpuset.cpus.effective r,
 @{sys}/fs/cgroup/cpuset.mems.effective r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/kernel/security/apparmor/profiles r,
 @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 5905d489..e1cded61 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -163,7 +163,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r,
 @{sys}/kernel/mm/hugepages/ r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
 @{sys}/kernel/security/apparmor/profiles r,
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index 6d1f690f..74fbebcb 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@@ -27,8 +27,6 @@ profile aa-log @{exec_path} {
 /{run,var}/log/journal/ r,
 /{run,var}/log/journal/@{hex32}/{,*} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/sys/kernel/cap_last_cap r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder
index 23f8628e..d35004e3 100644
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@@ -39,8 +39,6 @@ profile arduino-builder @{exec_path} {
 owner @{HOME}/Arduino/{,**} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 /tmp/ r,
 owner @{tmp}/cc* rw,
 owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index cfc5d3b0..f35e0c64 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -25,8 +25,6 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
 owner @{tmp}/mozilla-temp-@{int} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 owner @{PROC}/@{pid}/mountinfo r,
 # Inherit Silencer
diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy
index 03d47e39..6727b820 100644
--- a/apparmor.d/profiles-a-f/dnscrypt-proxy
+++ b/apparmor.d/profiles-a-f/dnscrypt-proxy
@@ -52,8 +52,6 @@ profile dnscrypt-proxy @{exec_path} {
 @{PROC}/sys/kernel/hostname r,
 @{PROC}/sys/net/core/somaxconn r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index fcb58502..9cf73dc4 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -40,8 +40,6 @@ profile hugo @{exec_path} {
 owner @{tmp}/hugo_cache/{,**} rwkl,
 owner @{tmp}/go-codehost-@{int} rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/sys/net/core/somaxconn r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
index 938ecb63..57d8fb5e 100644
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@@ -30,8 +30,6 @@ profile sbctl @{exec_path} {
 @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 /dev/pts/@{int} rw,
 # File Inherit
diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box
index eb9866b5..221da961 100644
--- a/apparmor.d/profiles-s-z/sing-box
+++ b/apparmor.d/profiles-s-z/sing-box
@@ -31,8 +31,6 @@ profile sing-box @{exec_path} {
 owner @{user_share_dirs}/certmagic/** rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index f59fd922..158744d0 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -70,7 +70,6 @@ profile snap @{exec_path} {
 @{run}/mount/utab r,
 @{run}/snapd.socket rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/kernel/security/apparmor/features/{,**} r,
 @{PROC}/@{pids}/cgroup r,
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
index df8fe47f..61372b16 100644
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -19,8 +19,6 @@ profile snap-failure @{exec_path} {
 /var/lib/snapd/sequence/snapd.json r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/cmdline r,
 profile systemctl {
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp
index 0da410bc..4c34746e 100644
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@@ -20,8 +20,6 @@ profile snap-seccomp @{exec_path} {
 /var/lib/snapd/seccomp/bpf/{,**} rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 owner @{PROC}/@{pids}/mountinfo r,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
index e9315f5c..2092ab1c 100644
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -47,7 +47,6 @@ profile snap-update-ns @{exec_path} {
 @{sys}/fs/cgroup/{,**/} r,
 @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index fa5ef195..672ae2f7 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -153,7 +153,6 @@ profile snapd @{exec_path} {
 @{sys}/fs/cgroup/user.slice/ r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
 @{sys}/kernel/kexec_loaded r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/kernel/security/apparmor/features/{,**} r,
 @{sys}/kernel/security/apparmor/profiles r,
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
index 3e3045b8..6cc8801a 100644
--- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
@@ -16,8 +16,6 @@ profile snapd-aa-prompt-listener @{exec_path} {
 @{lib_dirs}/snapd/info r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/cmdline r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor
index 22a9c5fa..edd266c2 100644
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@@ -22,8 +22,6 @@ profile snapd-apparmor @{exec_path} {
 /var/lib/snapd/apparmor/profiles/ r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/cmdline r,
 include if exists
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index 50b04668..b65a5614 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -36,8 +36,6 @@ profile syncthing @{exec_path} {
 /home/ r,
 @{user_sync_dirs}/{,**} rw,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 @{PROC}/@{pids}/net/route r,
 @{PROC}/sys/net/core/somaxconn r,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
index c325e216..eabe2d62 100644
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -37,8 +37,6 @@ profile zsysd @{exec_path} flags=(complain) {
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/spl/hostid r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
 /dev/pts/@{int} rw,
 /dev/zfs rw,