feat(abs): deny apparmor/.null in the base abstraction.

2025-01-18 17:08:09 +01:00 · 2024-03-03 11:51:39 +00:00 · 2024-03-03 11:51:39 +00:00 · 7e8f854b16
commit 7e8f854b16
parent ba6172bb8c
23 changed files with 2 additions and 41 deletions
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -24,3 +24,5 @@
  /etc/locale.conf r,

  @{sys}/devices/system/cpu/possible r,
+
+  deny /apparmor/.null rw,
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -46,7 +46,5 @@ profile child-systemctl flags=(attach_disconnected) {

  @{run}/systemd/private rw,

-  deny /apparmor/.null rw,
-
  include if exists <local/child-systemctl>
 }
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -116,7 +116,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {

  # Inherit silencer
  deny @{HOME}/** r,
-  deny /apparmor/.null rw,
  deny network inet stream,
  deny network inet6 stream,

--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@ -44,8 +44,5 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
  /dev/tty rw,
  /dev/pts/@{int} rw,

-  # Inherit Silencer
-  deny /apparmor/.null rw,
-
  include if exists <local/pacdiff>
 }
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
@ -22,7 +22,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,
-  deny /apparmor/.null rw,

  include if exists <local/pacman-conf>
 }
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@ -29,7 +29,6 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
  /dev/tty rw,

  # Inherit Silencer
-  deny /apparmor/.null rw,
  deny network inet stream,
  deny network inet6 stream,
  deny unix (receive) type=stream,
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@ -46,7 +46,6 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  # # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,
-  # deny /apparmor/.null rw,

  include if exists <local/pacman-hook-mkinitcpio>
 }
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -51,7 +51,6 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,

  deny @{user_share_dirs}/gvfs-metadata/* r,
-  deny /apparmor/.null rw,
  deny network inet stream,
  deny network inet6 stream,

--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -28,7 +28,5 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  /dev/tty@{int} rw,
  /dev/pts/@{int} rw,

-  deny /apparmor/.null rw,
-
  include if exists <local/systemd-binfmt>
 }
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@ -30,8 +30,5 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/firmware/dmi/entries/*/raw r,

-  # Inherit silencer
-  deny /apparmor/.null rw,
-
  include if exists <local/systemd-detect-virt>
 }
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@ -25,7 +25,5 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  owner @{PROC}/@{pid}/stat r,

-  deny /apparmor/.null rw,
-
  include if exists <local/systemd-hwdb>
 }
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@ -29,8 +29,5 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {

  @{PROC}/sys/** rw,

-  # Inherit Silencer
-  deny /apparmor/.null rw,
-
  include if exists <local/systemd-sysctl>
 }
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -47,7 +47,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,
-  deny /apparmor/.null rw,

  include if exists <local/systemd-sysusers>
 }
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@ -57,7 +57,5 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
  @{PROC}/1/cmdline r,
  @{PROC}/sched_debug w,

-  deny /apparmor/.null rw,
-
  include if exists <local/systemd-tmpfiles>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -129,8 +129,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  /dev/ rw,
  /dev/** rwk,

-  deny /apparmor/.null rw,
-
  profile systemctl flags=(attach_disconnected,complain) {
    include <abstractions/base>
    include <abstractions/systemd-common>
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@ -44,7 +44,5 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/mounts r,

-  deny /apparmor/.null rw,
-
  include if exists <local/apparmor_parser>
 }
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -111,9 +111,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/fd/ r,

-  # Inherit silencer
-  deny /apparmor/.null rw,
-
  profile kmod {
    include <abstractions/base>
    include <abstractions/consoles>
@ -134,8 +131,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {

    @{sys}/module/compression r,

-    deny /apparmor/.null rw,
-
    include if exists <local/dkms_kmod>
  }

--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@ -23,7 +23,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
  @{PROC}/@{pids}/mountinfo r,

  # File Inherit
-  deny /apparmor/.null rw,
  deny unix (receive) type=stream,

  include if exists <local/findmnt>
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@ -37,7 +37,5 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {

  /dev/tty rw,

-  deny /apparmor/.null rw,
-
  include if exists <local/firecfg>
 }
--- a/apparmor.d/profiles-g-l/gio-querymodules
+++ b/apparmor.d/profiles-g-l/gio-querymodules
@ -19,7 +19,6 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
  @{lib}/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
  @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} w,

-  deny /apparmor/.null rw,
  deny network inet stream,
  deny network inet6 stream,

--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@ -26,7 +26,5 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/**/.icon-theme.cache rw,
  owner @{user_share_dirs}/**/icon-theme.cache rw,

-  deny /apparmor/.null rw,
-
  include if exists <local/gtk-update-icon-cache>
 }
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@ -71,7 +71,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
  /dev/tty@{int} rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,
-  deny /apparmor/.null rw,
  deny unix (receive) type=stream,

  include if exists <local/kmod>
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@ -48,7 +48,5 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
  /dev/**/ r,
  /dev/mapper/control rw,

-  deny /apparmor/.null rw,
-
  include if exists <local/lvm>
 }