diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9f611cf3..d7164770 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -181,12 +181,12 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /var/lib/*/ r, /var/tmp/ r, + @{etc_ro}/environment r, + @{etc_ro}/environment.d/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/credstore.encrypted/{,**} r, /etc/credstore/{,**} r, - /etc/environment r, - /etc/environment.d/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/systemd/{,**} r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d0fdad4b..ead68957 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -62,6 +62,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /usr/share/distro-info/* r, + @{etc_ro}/security/capability.conf r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, @@ -79,7 +80,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/security/capability.conf r, /etc/update-manager/{,**} r, /etc/update-motd.d/* r, /etc/vmware-tools/* r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index ccc948b0..d240454f 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -28,10 +28,10 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, + @{etc_ro}/environment r, + @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, - /etc/environment r, /etc/pam.d/* r, - /etc/security/*.conf r, /var/spool/cron/ r, /var/spool/cron/** rw, diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index 04accbbf..112daf09 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -56,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/environment r, /etc/lightdm/{,**} r, /etc/machine-id r, - /etc/security/limits.d/{,*} r, /etc/shells r, /var/cache/lightdm/dmrc/*.dmrc* rw, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index d27ccb8b..84f6b15c 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -46,8 +46,8 @@ profile gnome-initial-setup @{exec_path} { /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/security/pwquality.conf r, - /etc/security/pwquality.conf.d/{,**} r, + @{etc_ro}/security/pwquality.conf r, + @{etc_ro}/security/pwquality.conf.d/{,**} r, /etc/timezone r, /etc/gdm{,3}/custom.conf r, diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index b17c0c66..996d9f17 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -19,7 +19,7 @@ profile hyprlock @{exec_path} { @{exec_path} mr, - /etc/security/faillock.conf r, + @{etc_ro}/security/faillock.conf r, /etc/shells r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 79e2b4c5..a13270c9 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - /{usr/,}etc/environment r, - /{usr/,}etc/login.defs r, - /{usr/,}etc/login.defs.d/ r, - /{usr/,}etc/security/*.conf r, + @{etc_ro}/environment r, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/ r, + @{etc_ro}/security/*.conf r, /etc/fstab r, /etc/machine-id r, + /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 8e491bb2..56f0f582 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -128,9 +128,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - /{usr/,}etc/environment r, - /{usr/,}etc/security/limits.d/{,*.conf} r, - /{usr/,}etc/X11/Xmodmap r, + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*.conf} r, + @{etc_ro}/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 11aad0da..7c683ae2 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -33,8 +33,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { /usr/share/apport/{,**} r, + @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, - /etc/login.defs r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 665b3eac..6e1bb05f 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -20,9 +20,9 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { /usr/share/dpkg/tupletable r, /usr/share/apport/ r, + @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, - /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 94b18516..6ca66285 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -67,9 +67,9 @@ profile cockpit-bridge @{exec_path} { /usr/share/file/** r, /usr/share/iproute2/* r, + @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, - /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 9e6db414..4605822e 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -24,15 +24,14 @@ profile agetty @{exec_path} { @{bin}/login rPx, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, - /etc/login.defs r, - /etc/login.defs.d/{,*} r, /etc/os-release r, - /usr/etc/login.defs r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage index a89e204a..43f34a70 100644 --- a/apparmor.d/profiles-a-f/chage +++ b/apparmor.d/profiles-a-f/chage @@ -20,7 +20,7 @@ profile chage @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow} rw, /etc/{passwd,shadow}.@{pid} w, diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd index fb8438cc..869ba20a 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -18,8 +18,9 @@ profile chpasswd @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, - /etc/login.defs r, /etc/passwd rw, /etc/passwd.@{int} w, /etc/passwd.lock l -> /etc/passwd.@{int}, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index a3aba8af..02201e78 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -21,7 +21,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/apparmor_parser rPx, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index 8f5067b7..eb2d3fc1 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - /etc/security/limits.d/ r, - /etc/security/limits.d/@{int}-gamemode.conf r, + @{etc_ro}/security/limits.d/ r, + @{etc_ro}/security/limits.d/@{int}-gamemode.conf r, /etc/shells r, @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd index 8afdff8d..ab2d2186 100644 --- a/apparmor.d/profiles-g-l/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -29,7 +29,7 @@ profile gpasswd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd index 9450974a..65e73560 100644 --- a/apparmor.d/profiles-g-l/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -22,7 +22,7 @@ profile groupadd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}- w, diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel index 99b7fdda..734b2246 100644 --- a/apparmor.d/profiles-g-l/groupdel +++ b/apparmor.d/profiles-g-l/groupdel @@ -25,7 +25,7 @@ profile groupdel @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod index 4b9b0446..01841483 100644 --- a/apparmor.d/profiles-g-l/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -24,7 +24,7 @@ profile groupmod @{exec_path} { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,gshadow,group} rw, /etc/{passwd,gshadow,group}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck index 5fad8960..3b820feb 100644 --- a/apparmor.d/profiles-g-l/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{gshadow,group} rw, /etc/{gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog index 392aba36..0cb62819 100644 --- a/apparmor.d/profiles-g-l/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -17,8 +17,9 @@ profile lastlog @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + /var/log/lastlog r, - /etc/login.defs r, include if exists } diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index 9b32614a..a4d1b8cd 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -43,15 +43,15 @@ profile login @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{etc_ro}/environment r, + @{etc_ro}/security/group.conf r, + @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, + @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, - /etc/security/group.conf r, - /etc/security/limits.conf r, - /etc/security/pam_env.conf r, /etc/shells r, /var/lib/faillock/@{user} rwk, diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp index ebd15d4b..1452f34f 100644 --- a/apparmor.d/profiles-m-r/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -23,9 +23,9 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - /etc/{passwd,group,shadow,gshadow} r, + @{etc_ro}/login.defs r, - /etc/login.defs r, + /etc/{passwd,group,shadow,gshadow} r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index 0c9e1ac0..6aef4d02 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, + /etc/.pwd.lock wk, /etc/passwd rw, /etc/passwd.@{int} rw, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 4e383b77..2788ed4a 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -98,9 +98,9 @@ profile snapd @{exec_path} { /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, + @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, - /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index d27a3420..021ede78 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -30,7 +30,7 @@ profile useradd @{exec_path} { @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 05df6487..afaa52a0 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index c0f8f0e4..1e5c6e4e 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 50ada1d6..396f1e4f 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, - /etc/login.defs r, + @{etc_ro}/login.defs r, /etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw,