feat(profile): remove transparent_hugepage rule already included in base.

2025-01-19 01:18:16 +01:00 · 2024-09-08 12:36:35 +01:00 · 2024-09-08 12:36:35 +01:00 · 7b04e28835
commit 7b04e28835
parent 98042620f6
35 changed files with 0 additions and 61 deletions
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@ -55,7 +55,6 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/net_cls/ w,
  @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w,
  @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  owner @{tmp}/@{uuid} rw,
  owner @{tmp}/talpid-openvpn-@{uuid} rw,
--- a/apparmor.d/groups/network/tailscale
+++ b/apparmor.d/groups/network/tailscale
@ -27,8 +27,6 @@ profile tailscale @{exec_path} {

  owner @{run}/tailscale/tailscaled.sock rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
        @{PROC}/ r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/sys/net/core/somaxconn r,
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -69,7 +69,6 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
  owner @{run}/tailscale/{,**} rw,

  @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  @{PROC}/ r,
  @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@ -21,8 +21,6 @@ profile apt-esm-json-hook @{exec_path} {
  /var/lib/ubuntu-advantage/{,**} r,
  /var/lib/ubuntu-advantage/apt-esm/{,**} rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  @{run}/cloud-init/cloud-id-nocloud r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@ -23,8 +23,6 @@ profile ubuntu-report @{exec_path} {

  owner @{user_cache_dirs}/ubuntu-report/{,*} r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/ubuntu-report>
 }

--- a/apparmor.d/groups/virt/cni-bandwidth
+++ b/apparmor.d/groups/virt/cni-bandwidth
@ -18,8 +18,6 @@ profile cni-bandwidth @{exec_path} {

  @{exec_path} mr,
  
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-bandwidth>
 }

--- a/apparmor.d/groups/virt/cni-bridge
+++ b/apparmor.d/groups/virt/cni-bridge
@ -12,8 +12,6 @@ profile cni-bridge @{exec_path} {

  @{exec_path} mr,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-bridge>
 }

--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@ -41,8 +41,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
  @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
  @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-calico>
 }

--- a/apparmor.d/groups/virt/cni-firewall
+++ b/apparmor.d/groups/virt/cni-firewall
@ -12,8 +12,6 @@ profile cni-firewall @{exec_path} {

  @{exec_path} mr,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-firewall>
 }

--- a/apparmor.d/groups/virt/cni-flannel
+++ b/apparmor.d/groups/virt/cni-flannel
@ -12,8 +12,6 @@ profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){

  @{exec_path} mr,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-flannel>
 }

--- a/apparmor.d/groups/virt/cni-host-local
+++ b/apparmor.d/groups/virt/cni-host-local
@ -12,8 +12,6 @@ profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){

  @{exec_path} mr,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-host-local>
 }

--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@ -22,8 +22,6 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) {
  @{run}/netns/ r,
  @{run}/netns/cni-@{uuid} rw,
  
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-loopback>
 }

--- a/apparmor.d/groups/virt/cni-portmap
+++ b/apparmor.d/groups/virt/cni-portmap
@ -19,8 +19,6 @@ profile cni-portmap @{exec_path} {

  @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,
  
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-portmap>
 }

--- a/apparmor.d/groups/virt/cni-tuning
+++ b/apparmor.d/groups/virt/cni-tuning
@ -12,8 +12,6 @@ profile cni-tuning @{exec_path} {

  @{exec_path} mr,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/cni-tuning>
 }

--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -92,7 +92,6 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  owner /var/tmp/** rwkl,

  @{sys}/fs/cgroup/kubepods/** r,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/profiles r,
  @{sys}/module/apparmor/parameters/enabled r,

--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@ -49,7 +49,6 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/{,**} rw,
  @{sys}/fs/cgroup/kubepods/{,**} rw,
  @{sys}/kernel/mm/hugepages/ r,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/mountinfo r,
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@ -20,8 +20,6 @@ profile docker-proxy @{exec_path} {

  @{exec_path} mr,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  @{PROC}/sys/net/core/somaxconn r,

  include if exists <local/docker-proxy>
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -75,7 +75,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/cpuset.cpus.effective r,
  @{sys}/fs/cgroup/cpuset.mems.effective r,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/profiles r,
  @{sys}/module/apparmor/parameters/enabled r,

--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -163,7 +163,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r,

  @{sys}/kernel/mm/hugepages/ r,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
  @{sys}/kernel/security/apparmor/profiles r,

--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@ -27,8 +27,6 @@ profile aa-log @{exec_path} {
  /{run,var}/log/journal/ r,
  /{run,var}/log/journal/@{hex32}/{,*} r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  @{PROC}/sys/kernel/cap_last_cap r,

  /dev/tty@{int} rw,
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@ -39,8 +39,6 @@ profile arduino-builder @{exec_path} {

  owner @{HOME}/Arduino/{,**} r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
        /tmp/ r,
  owner @{tmp}/cc* rw,
  owner @{tmp}/untitled[0-9]*.tmp/{,**} rw,
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@ -25,8 +25,6 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
  owner @{tmp}/mozilla-temp-@{int} r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  owner @{PROC}/@{pid}/mountinfo r,

  # Inherit Silencer
--- a/apparmor.d/profiles-a-f/dnscrypt-proxy
+++ b/apparmor.d/profiles-a-f/dnscrypt-proxy
@ -52,8 +52,6 @@ profile dnscrypt-proxy @{exec_path} {
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/core/somaxconn r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  include if exists <local/dnscrypt-proxy>
 }

--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@ -40,8 +40,6 @@ profile hugo @{exec_path} {
  owner @{tmp}/hugo_cache/{,**} rwkl,
  owner @{tmp}/go-codehost-@{int} rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  @{PROC}/sys/net/core/somaxconn r,

  include if exists <local/hugo>
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@ -30,8 +30,6 @@ profile sbctl @{exec_path} {
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  /dev/pts/@{int} rw,

  # File Inherit
--- a/apparmor.d/profiles-s-z/sing-box
+++ b/apparmor.d/profiles-s-z/sing-box
@ -31,8 +31,6 @@ profile sing-box @{exec_path} {

  owner @{user_share_dirs}/certmagic/** rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  
  include if exists <local/sing-box>
 }

--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -70,7 +70,6 @@ profile snap @{exec_path} {
  @{run}/mount/utab r,
  @{run}/snapd.socket rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/features/{,**} r,

        @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@ -19,8 +19,6 @@ profile snap-failure @{exec_path} {

  /var/lib/snapd/sequence/snapd.json r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  @{PROC}/cmdline r,

  profile systemctl {
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@ -20,8 +20,6 @@ profile snap-seccomp @{exec_path} {

  /var/lib/snapd/seccomp/bpf/{,**} rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  owner @{PROC}/@{pids}/mountinfo r,

  deny @{user_share_dirs}/gvfs-metadata/* r,
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@ -47,7 +47,6 @@ profile snap-update-ns @{exec_path} {
  @{sys}/fs/cgroup/{,**/} r,
  @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  @{PROC}/@{pids}/cgroup r,
  @{PROC}/cmdline r,
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -153,7 +153,6 @@ profile snapd @{exec_path} {
  @{sys}/fs/cgroup/user.slice/ r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
  @{sys}/kernel/kexec_loaded r,
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/features/{,**} r,
  @{sys}/kernel/security/apparmor/profiles r,

--- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
@ -16,8 +16,6 @@ profile snapd-aa-prompt-listener @{exec_path} {

  @{lib_dirs}/snapd/info r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  @{PROC}/cmdline r,

  include if exists <local/snapd-aa-prompt-listener>
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@ -22,8 +22,6 @@ profile snapd-apparmor @{exec_path} {

  /var/lib/snapd/apparmor/profiles/ r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  @{PROC}/cmdline r,

  include if exists <local/snapd-apparmor>
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@ -36,8 +36,6 @@ profile syncthing @{exec_path} {
  /home/ r,
  @{user_sync_dirs}/{,**} rw,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
        @{PROC}/@{pids}/net/route r,
        @{PROC}/sys/net/core/somaxconn r,
  owner @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@ -37,8 +37,6 @@ profile zsysd @{exec_path} flags=(complain) {
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/spl/hostid r,

-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  /dev/pts/@{int} rw,
  /dev/zfs rw,