feat(profile): more use @{etc_ro} when we know it is needed.

2025-02-28 20:54:43 +01:00 · 2025-01-25 22:31:29 +01:00 · 2025-01-25 22:31:29 +01:00 · 8806030a0a
commit 8806030a0a
parent 4e73f7209f
30 changed files with 49 additions and 45 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -181,12 +181,12 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /var/lib/*/ r,
  /var/tmp/ r,

+  @{etc_ro}/environment r,
+  @{etc_ro}/environment.d/{,**} r,
  /etc/binfmt.d/{,**} r,
  /etc/conf.d/{,**} r,
  /etc/credstore.encrypted/{,**} r,
  /etc/credstore/{,**} r,
-  /etc/environment r,
-  /etc/environment.d/{,**} r,
  /etc/machine-id r,
  /etc/modules-load.d/{,**} r,
  /etc/systemd/{,**} r,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -62,6 +62,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  /usr/share/distro-info/* r,

+  @{etc_ro}/security/capability.conf r,
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
@ -79,7 +80,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/pki/fwupd/{,**} r,
  /etc/profile.d/* r,
-  /etc/security/capability.conf r,
  /etc/update-manager/{,**} r,
  /etc/update-motd.d/* r,
  /etc/vmware-tools/* r,
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -28,10 +28,10 @@ profile crontab @{exec_path} {
  @{sh_path}             rix,
  @{editor_path}         rCx -> editor,

+  @{etc_ro}/environment r,
+  @{etc_ro}/security/*.conf r,
  /etc/cron.{allow,deny} r,
-  /etc/environment r,
  /etc/pam.d/* r,
-  /etc/security/*.conf r,

  /var/spool/cron/ r,
  /var/spool/cron/** rw,
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@ -56,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xgreeters/{,**} r,

+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*} r,
  /etc/default/locale r,
-  /etc/environment r,
  /etc/lightdm/{,**} r,
  /etc/machine-id r,
-  /etc/security/limits.d/{,*} r,
  /etc/shells r,

  /var/cache/lightdm/dmrc/*.dmrc* rw,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -46,8 +46,8 @@ profile gnome-initial-setup @{exec_path} {
  /usr/share/gnome-initial-setup/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,

-  /etc/security/pwquality.conf r,
-  /etc/security/pwquality.conf.d/{,**} r,
+  @{etc_ro}/security/pwquality.conf r,
+  @{etc_ro}/security/pwquality.conf.d/{,**} r,
  /etc/timezone r,

  /etc/gdm{,3}/custom.conf r,
--- a/apparmor.d/groups/hyprland/hyprlock
+++ b/apparmor.d/groups/hyprland/hyprlock
@ -19,7 +19,7 @@ profile hyprlock @{exec_path} {

  @{exec_path} mr,

-  /etc/security/faillock.conf r,
+  @{etc_ro}/security/faillock.conf r,
  /etc/shells r,

  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} {
  /usr/share/xsessions/{,*.desktop} r,
  /usr/share/hunspell/* r,

-  /{usr/,}etc/environment r,
-  /{usr/,}etc/login.defs r,
-  /{usr/,}etc/login.defs.d/ r,
-  /{usr/,}etc/security/*.conf r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/ r,
+  @{etc_ro}/security/*.conf r,
  /etc/fstab r,
  /etc/machine-id r,
+  /etc/os-release r,
  /etc/pam.d/* r,
  /etc/shells r,
  /etc/xdg/kscreenlockerrc r,
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -128,9 +128,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  /etc/X11/xinit/xinitrc.d/{,*} r,

-  /{usr/,}etc/environment r,
-  /{usr/,}etc/security/limits.d/{,*.conf} r,
-  /{usr/,}etc/X11/Xmodmap r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
+  @{etc_ro}/X11/Xmodmap r,
  /etc/debuginfod/{,*} r,
  /etc/manpath.config r,
  /etc/default/locale r,
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -33,8 +33,8 @@ profile apport @{exec_path} flags=(attach_disconnected) {

  /usr/share/apport/{,**} r,

+  @{etc_ro}/login.defs r,
  /etc/apport/report-ignore/{,**} r,
-  /etc/login.defs r,

  /var/lib/dpkg/info/ r,
  /var/lib/dpkg/info/*.list r,
--- a/apparmor.d/groups/ubuntu/apport-checkreports
+++ b/apparmor.d/groups/ubuntu/apport-checkreports
@ -20,9 +20,9 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected)  {
  /usr/share/dpkg/tupletable r,
  /usr/share/apport/ r,

+  @{etc_ro}/login.defs r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/default/apport r,
-  /etc/login.defs r,

  /var/crash/ r,

--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -67,9 +67,9 @@ profile cockpit-bridge @{exec_path} {
  /usr/share/file/** r,
  /usr/share/iproute2/* r,

+  @{etc_ro}/login.defs r,
  /etc/cockpit/{,**} r,
  /etc/httpd/conf/mime.types r,
-  /etc/login.defs r,
  /etc/machine-id r,
  /etc/mime.types r,
  /etc/motd r,
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@ -24,15 +24,14 @@ profile agetty @{exec_path} {

  @{bin}/login rPx,

+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
  @{etc_rw}/issue r,
  /{,usr/}lib/os-release r,
  /{etc,run,lib,usr/lib}/issue r,
  /{etc,run,lib,usr/lib}/issue.d/{,*} r,
  /etc/inittab r,
-  /etc/login.defs r,
-  /etc/login.defs.d/{,*} r,
  /etc/os-release r,
-  /usr/etc/login.defs r,

        @{run}/credentials/getty@tty@{int}.service/ r,
        @{run}/credentials/serial-getty@ttyS@{int}.service/ r,
--- a/apparmor.d/profiles-a-f/chage
+++ b/apparmor.d/profiles-a-f/chage
@ -20,7 +20,7 @@ profile chage @{exec_path} {

  @{exec_path} mr,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{passwd,shadow} rw,
  /etc/{passwd,shadow}.@{pid} w,
--- a/apparmor.d/profiles-a-f/chpasswd
+++ b/apparmor.d/profiles-a-f/chpasswd
@ -18,8 +18,9 @@ profile chpasswd @{exec_path} {

  @{exec_path} mr,

+  @{etc_ro}/login.defs r,
+
  /etc/.pwd.lock wk,
-  /etc/login.defs r,
  /etc/passwd rw,
  /etc/passwd.@{int} w,
  /etc/passwd.lock l -> /etc/passwd.@{int},
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@ -21,7 +21,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
  @{sh_path}         rix,
  @{bin}/apparmor_parser rPx,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,
+
  /etc/firejail/firejail.users r,
  /etc/firejail/firecfg.config r,

--- a/apparmor.d/profiles-g-l/gamemoded
+++ b/apparmor.d/profiles-g-l/gamemoded
@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) {
    @{lib}/gamemode/gpuclockctl ix,
    @{lib}/gamemode/procsysctl ix,

-    /etc/security/limits.d/ r,
-    /etc/security/limits.d/@{int}-gamemode.conf r,
+    @{etc_ro}/security/limits.d/ r,
+    @{etc_ro}/security/limits.d/@{int}-gamemode.conf r,
    /etc/shells r,

    @{sys}/devices/@{pci}/power_dpm_force_performance_level rw,
--- a/apparmor.d/profiles-g-l/gpasswd
+++ b/apparmor.d/profiles-g-l/gpasswd
@ -29,7 +29,7 @@ profile gpasswd @{exec_path} {

  owner @{PROC}/@{pid}/loginuid r,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{group,gshadow} rw,
  /etc/{group,gshadow}.@{pid} w,
--- a/apparmor.d/profiles-g-l/groupadd
+++ b/apparmor.d/profiles-g-l/groupadd
@ -22,7 +22,7 @@ profile groupadd @{exec_path} {
  @{exec_path} mr,
  @{bin}/nscd rix,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{group,gshadow} rw,
  /etc/{group,gshadow}- w,
--- a/apparmor.d/profiles-g-l/groupdel
+++ b/apparmor.d/profiles-g-l/groupdel
@ -25,7 +25,7 @@ profile groupdel @{exec_path} {
  @{exec_path} mr,
  @{bin}/nscd rix,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{group,gshadow} rw,
  /etc/{group,gshadow}.@{pid} w,
--- a/apparmor.d/profiles-g-l/groupmod
+++ b/apparmor.d/profiles-g-l/groupmod
@ -24,7 +24,7 @@ profile groupmod @{exec_path} {

  @{exec_path} mr,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{passwd,gshadow,group} rw,
  /etc/{passwd,gshadow,group}.@{pid} w,
--- a/apparmor.d/profiles-g-l/grpck
+++ b/apparmor.d/profiles-g-l/grpck
@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{gshadow,group} rw,
  /etc/{gshadow,group}.@{pid} rw,
--- a/apparmor.d/profiles-g-l/lastlog
+++ b/apparmor.d/profiles-g-l/lastlog
@ -17,8 +17,9 @@ profile lastlog @{exec_path} {

  @{exec_path} mr,

+  @{etc_ro}/login.defs r,
+
  /var/log/lastlog r,
-  /etc/login.defs r,

  include if exists <local/lastlog>
 }
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -43,15 +43,15 @@ profile login @{exec_path} flags=(attach_disconnected) {
  @{bin}/@{shells}     rUx,

  @{etc_ro}/environment r,
+  @{etc_ro}/security/group.conf r,
+  @{etc_ro}/security/limits.conf r,
  @{etc_ro}/security/limits.d/{,*} r,
+  @{etc_ro}/security/pam_env.conf r,
  /etc/default/locale r,
  /etc/legal r,
  /etc/machine-id r,
  /etc/motd r,
  /etc/motd.d/ r,
-  /etc/security/group.conf r,
-  /etc/security/limits.conf r,
-  /etc/security/pam_env.conf r,
  /etc/shells r,

  /var/lib/faillock/@{user} rwk,
--- a/apparmor.d/profiles-m-r/newgrp
+++ b/apparmor.d/profiles-m-r/newgrp
@ -23,9 +23,9 @@ profile newgrp @{exec_path} {

  @{bin}/@{shells}     rUx,

-  /etc/{passwd,group,shadow,gshadow} r,
+  @{etc_ro}/login.defs r,

-  /etc/login.defs r,
+  /etc/{passwd,group,shadow,gshadow} r,

  owner @{PROC}/@{pid}/loginuid r,

--- a/apparmor.d/profiles-m-r/pwck
+++ b/apparmor.d/profiles-m-r/pwck
@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) {

  @{bin}/nscd rix,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,
+
  /etc/.pwd.lock wk,
  /etc/passwd rw,
  /etc/passwd.@{int} rw,
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -98,9 +98,9 @@ profile snapd @{exec_path} {
  /usr/share/dbus-1/services/*snap* r,
  /usr/share/polkit-1/actions/{,**/} r,

+  @{etc_ro}/environment r,
  /etc/apparmor.d/*snapd.snap* r,
  /etc/dbus-1/system.d/{,**/} r,
-  /etc/environment r,
  /etc/fstab r,
  /etc/mime.types r,
  /etc/modprobe.d/{,**/} r,
--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@ -30,7 +30,7 @@ profile useradd @{exec_path} {
  @{bin}/pam_tally2 rCx -> pam_tally2,

  /etc/default/useradd r,
-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
  /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
--- a/apparmor.d/profiles-s-z/userdel
+++ b/apparmor.d/profiles-s-z/userdel
@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
  /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
--- a/apparmor.d/profiles-s-z/usermod
+++ b/apparmor.d/profiles-s-z/usermod
@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) {

  @{bin}/nscd rix,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,
  /etc/subuid r,

  /etc/{passwd,shadow,gshadow,group} rw,
--- a/apparmor.d/profiles-s-z/vipw-vigr
+++ b/apparmor.d/profiles-s-z/vipw-vigr
@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} {
  @{sh_path}             rix,
  @{editor_path}         rCx -> editor,

-  /etc/login.defs r,
+  @{etc_ro}/login.defs r,

  /etc/{passwd,shadow,gshadow,group}{,.edit} rw,
  /etc/{passwd,shadow,gshadow,group}.@{pid} rw,