From 7e8f854b16cce76fc304de962cda26d37cbfdc65 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 3 Mar 2024 11:51:39 +0000
Subject: [PATCH] feat(abs): deny apparmor/.null in the base abstraction.
---
apparmor.d/abstractions/base.d/complete | 2 ++
apparmor.d/groups/children/child-systemctl | 2 --
apparmor.d/groups/pacman/mkinitcpio | 1 -
apparmor.d/groups/pacman/pacdiff | 3 ---
apparmor.d/groups/pacman/pacman-conf | 1 -
apparmor.d/groups/pacman/pacman-hook-dkms | 1 -
apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 1 -
apparmor.d/groups/systemd/journalctl | 1 -
apparmor.d/groups/systemd/systemd-binfmt | 2 --
apparmor.d/groups/systemd/systemd-detect-virt | 3 ---
apparmor.d/groups/systemd/systemd-hwdb | 2 --
apparmor.d/groups/systemd/systemd-sysctl | 3 ---
apparmor.d/groups/systemd/systemd-sysusers | 1 -
apparmor.d/groups/systemd/systemd-tmpfiles | 2 --
apparmor.d/groups/systemd/systemd-udevd | 2 --
apparmor.d/profiles-a-f/apparmor_parser | 2 --
apparmor.d/profiles-a-f/dkms | 5 -----
apparmor.d/profiles-a-f/findmnt | 1 -
apparmor.d/profiles-a-f/firecfg | 2 --
apparmor.d/profiles-g-l/gio-querymodules | 1 -
apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 --
apparmor.d/profiles-g-l/kmod | 1 -
apparmor.d/profiles-g-l/lvm | 2 --
23 files changed, 2 insertions(+), 41 deletions(-)
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index 8936c805..b7622832 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -24,3 +24,5 @@
/etc/locale.conf r,
@{sys}/devices/system/cpu/possible r,
+
+ deny /apparmor/.null rw,
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index 88207cd1..2625d9aa 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
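Review bot: The rule added at the end of base.d/complete carries none of the `# Inherit silencer` / `# File Inherit` comments that the removed per-profile copies had, so a reader of the abstraction now sees a bare deny on a securityfs path with no stated reason; add a comment above it such as `# Inherit silencer: on a domain transition, inherited fds the new profile cannot use are redirected to the AppArmor null device, and this keeps those accesses out of the audit log.` Two properties are worth stating in that comment as well: as far as I can tell the `/apparmor/.null` spelling is the disconnected-path form of the name, so the rule only matches in profiles flagged `attach_disconnected` (every profile touched in this patch has that flag) and is inert elsewhere; and since AppArmor `deny` rules take precedence over allow rules and cannot be overridden by the including profile, any profile that includes base and genuinely needs that path can no longer get it. Profiles that still carry their own copy of the deny are harmless duplicates of this one.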
@@ -46,7 +46,5 @@ profile child-systemctl flags=(attach_disconnected) {
@{run}/systemd/private rw,
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index cbca3931..21deeb7a 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -116,7 +116,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Inherit silencer
deny @{HOME}/** r,
- deny /apparmor/.null rw,
deny network inet stream,
deny network inet6 stream,
diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff
index 3fc9fe6b..87c6c684 100644
--- a/apparmor.d/groups/pacman/pacdiff
+++ b/apparmor.d/groups/pacman/pacdiff
@@ -44,8 +44,5 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
/dev/tty rw,
/dev/pts/@{int} rw,
- # Inherit Silencer
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf
index efe2ea2a..eca4a1c2 100644
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
@@ -22,7 +22,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
- deny /apparmor/.null rw,
include if exists
}
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index 8f0f7c25..89387fd8 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -29,7 +29,6 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
/dev/tty rw,
# Inherit Silencer
- deny /apparmor/.null rw,
deny network inet stream,
deny network inet6 stream,
deny unix (receive) type=stream,
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index f525c78e..cc244ca5 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -46,7 +46,6 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
# # Inherit Silencer
deny network inet6 stream,
deny network inet stream,
- # deny /apparmor/.null rw,
include if exists
}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index b7a7d205..bac2a1c1 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -51,7 +51,6 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/cgroup r,
deny @{user_share_dirs}/gvfs-metadata/* r,
- deny /apparmor/.null rw,
deny network inet stream,
deny network inet6 stream,
diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt
index 40608d0f..14d617b8 100644
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@@ -28,7 +28,5 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
/dev/tty@{int} rw,
/dev/pts/@{int} rw,
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt
index 75cf8ba4..1467a177 100644
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@@ -30,8 +30,5 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/virtual/dmi/id/sys_vendor r,
@{sys}/firmware/dmi/entries/*/raw r,
- # Inherit silencer
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 59474743..af934de3 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -25,7 +25,5 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
owner @{PROC}/@{pid}/stat r,
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl
index 388caafc..c00c10cb 100644
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@@ -29,8 +29,5 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/** rw,
- # Inherit Silencer
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index 1f4a9e31..ba89c424 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -47,7 +47,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
- deny /apparmor/.null rw,
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 13cf2c0f..0302e832 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -57,7 +57,5 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
@{PROC}/1/cmdline r,
@{PROC}/sched_debug w,
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index eedca52f..cbc011e1 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -129,8 +129,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
/dev/ rw,
/dev/** rwk,
- deny /apparmor/.null rw,
-
profile systemctl flags=(attach_disconnected,complain) {
include
include
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index a099e94a..a38d04e7 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -44,7 +44,5 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/mounts r,
- deny /apparmor/.null rw,
-
include if exists
}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index dabca542..9f825c82 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -111,9 +111,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/fd/ r,
- # Inherit silencer
- deny /apparmor/.null rw,
-
profile kmod {
include
include
@@ -134,8 +131,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
@{sys}/module/compression r,
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt
index 5151e5a0..663e4025 100644
--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@@ -23,7 +23,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
@{PROC}/@{pids}/mountinfo r,
# File Inherit
- deny /apparmor/.null rw,
deny unix (receive) type=stream,
include if exists
diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg
index 10223005..deacc3e7 100644
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@@ -37,7 +37,5 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
/dev/tty rw,
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules
index 4be0e9f6..0cd342e9 100644
--- a/apparmor.d/profiles-g-l/gio-querymodules
+++ b/apparmor.d/profiles-g-l/gio-querymodules
@@ -19,7 +19,6 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
@{lib}/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
@{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} w,
- deny /apparmor/.null rw,
deny network inet stream,
deny network inet6 stream,
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache
index 69800a7c..6a1a8dd5 100644
--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@@ -26,7 +26,5 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
owner @{user_share_dirs}/**/.icon-theme.cache rw,
owner @{user_share_dirs}/**/icon-theme.cache rw,
- deny /apparmor/.null rw,
-
include if exists
}
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 6bf64ed7..d7748fac 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -71,7 +71,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
/dev/tty@{int} rw,
deny @{user_share_dirs}/gvfs-metadata/* r,
- deny /apparmor/.null rw,
deny unix (receive) type=stream,
include if exists
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index 5ec1d859..7256c4b7 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -48,7 +48,5 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
/dev/**/ r,
/dev/mapper/control rw,
- deny /apparmor/.null rw,
-
include if exists
}