feat(profile): more use @{etc_ro} when we know it is needed.

This commit is contained in:
Alexandre Pujol 2025-01-25 22:31:29 +01:00
parent 4e73f7209f
commit 8806030a0a
30 changed files with 49 additions and 45 deletions


@ -181,12 +181,12 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
/var/lib/*/ r, /var/lib/*/ r,
/var/tmp/ r, /var/tmp/ r,
@{etc_ro}/environment r,
@{etc_ro}/environment.d/{,**} r,
/etc/binfmt.d/{,**} r, /etc/binfmt.d/{,**} r,
/etc/conf.d/{,**} r, /etc/conf.d/{,**} r,
/etc/credstore.encrypted/{,**} r, /etc/credstore.encrypted/{,**} r,
/etc/credstore/{,**} r, /etc/credstore/{,**} r,
/etc/environment r,
/etc/environment.d/{,**} r,
/etc/machine-id r, /etc/machine-id r,
/etc/modules-load.d/{,**} r, /etc/modules-load.d/{,**} r,
/etc/systemd/{,**} r, /etc/systemd/{,**} r,


@ -62,6 +62,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/usr/share/distro-info/* r, /usr/share/distro-info/* r,
@{etc_ro}/security/capability.conf r,
/etc/apt/*.list r, /etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r, /etc/apt/apt.conf.d/{,**} r,
/etc/debian_version r, /etc/debian_version r,
@ -79,7 +80,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd-metadata/{,**} r,
/etc/pki/fwupd/{,**} r, /etc/pki/fwupd/{,**} r,
/etc/profile.d/* r, /etc/profile.d/* r,
/etc/security/capability.conf r,
/etc/update-manager/{,**} r, /etc/update-manager/{,**} r,
/etc/update-motd.d/* r, /etc/update-motd.d/* r,
/etc/vmware-tools/* r, /etc/vmware-tools/* r,


@ -28,10 +28,10 @@ profile crontab @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{editor_path} rCx -> editor, @{editor_path} rCx -> editor,
@{etc_ro}/environment r,
@{etc_ro}/security/*.conf r,
/etc/cron.{allow,deny} r, /etc/cron.{allow,deny} r,
/etc/environment r,
/etc/pam.d/* r, /etc/pam.d/* r,
/etc/security/*.conf r,
/var/spool/cron/ r, /var/spool/cron/ r,
/var/spool/cron/** rw, /var/spool/cron/** rw,


@ -56,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
/usr/share/wayland-sessions/{,*.desktop} r, /usr/share/wayland-sessions/{,*.desktop} r,
/usr/share/xgreeters/{,**} r, /usr/share/xgreeters/{,**} r,
@{etc_ro}/environment r,
@{etc_ro}/security/limits.d/{,*} r,
/etc/default/locale r, /etc/default/locale r,
/etc/environment r,
/etc/lightdm/{,**} r, /etc/lightdm/{,**} r,
/etc/machine-id r, /etc/machine-id r,
/etc/security/limits.d/{,*} r,
/etc/shells r, /etc/shells r,
/var/cache/lightdm/dmrc/*.dmrc* rw, /var/cache/lightdm/dmrc/*.dmrc* rw,


@ -46,8 +46,8 @@ profile gnome-initial-setup @{exec_path} {
/usr/share/gnome-initial-setup/{,**} r, /usr/share/gnome-initial-setup/{,**} r,
/usr/share/xml/iso-codes/{,**} r, /usr/share/xml/iso-codes/{,**} r,
/etc/security/pwquality.conf r, @{etc_ro}/security/pwquality.conf r,
/etc/security/pwquality.conf.d/{,**} r, @{etc_ro}/security/pwquality.conf.d/{,**} r,
/etc/timezone r, /etc/timezone r,
/etc/gdm{,3}/custom.conf r, /etc/gdm{,3}/custom.conf r,


@ -19,7 +19,7 @@ profile hyprlock @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/security/faillock.conf r, @{etc_ro}/security/faillock.conf r,
/etc/shells r, /etc/shells r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,


@ -51,12 +51,13 @@ profile kscreenlocker_greet @{exec_path} {
/usr/share/xsessions/{,*.desktop} r, /usr/share/xsessions/{,*.desktop} r,
/usr/share/hunspell/* r, /usr/share/hunspell/* r,
/{usr/,}etc/environment r, @{etc_ro}/environment r,
/{usr/,}etc/login.defs r, @{etc_ro}/login.defs r,
/{usr/,}etc/login.defs.d/ r, @{etc_ro}/login.defs.d/ r,
/{usr/,}etc/security/*.conf r, @{etc_ro}/security/*.conf r,
/etc/fstab r, /etc/fstab r,
/etc/machine-id r, /etc/machine-id r,
/etc/os-release r,
/etc/pam.d/* r, /etc/pam.d/* r,
/etc/shells r, /etc/shells r,
/etc/xdg/kscreenlockerrc r, /etc/xdg/kscreenlockerrc r,
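Review bot: `/etc/os-release r`, which this hunk appears to add (the new side is one line longer), may not be enough on its own: AppArmor matches the pathname after symlink resolution, and on distributions where /etc/os-release is a symlink to /usr/lib/os-release the read would still be denied. The agetty hunk in this same commit pairs it with `/{,usr/}lib/os-release r`, and the same pair would make this rule distribution-independent. Separately, `@{etc_ro}/login.defs.d/ r` grants only the directory itself, whereas agetty uses `@{etc_ro}/login.defs.d/{,*} r`; if the greeter actually reads the drop-in files, the `{,*}` form is needed here too, which I have not verified. The profile body continues outside the hunk.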


@ -128,9 +128,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
/etc/X11/xinit/xinitrc.d/{,*} r, /etc/X11/xinit/xinitrc.d/{,*} r,
/{usr/,}etc/environment r, @{etc_ro}/environment r,
/{usr/,}etc/security/limits.d/{,*.conf} r, @{etc_ro}/security/limits.d/{,*.conf} r,
/{usr/,}etc/X11/Xmodmap r, @{etc_ro}/X11/Xmodmap r,
/etc/debuginfod/{,*} r, /etc/debuginfod/{,*} r,
/etc/manpath.config r, /etc/manpath.config r,
/etc/default/locale r, /etc/default/locale r,


@ -33,8 +33,8 @@ profile apport @{exec_path} flags=(attach_disconnected) {
/usr/share/apport/{,**} r, /usr/share/apport/{,**} r,
@{etc_ro}/login.defs r,
/etc/apport/report-ignore/{,**} r, /etc/apport/report-ignore/{,**} r,
/etc/login.defs r,
/var/lib/dpkg/info/ r, /var/lib/dpkg/info/ r,
/var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.list r,


@ -20,9 +20,9 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) {
/usr/share/dpkg/tupletable r, /usr/share/dpkg/tupletable r,
/usr/share/apport/ r, /usr/share/apport/ r,
@{etc_ro}/login.defs r,
/etc/apt/apt.conf.d/{,**} r, /etc/apt/apt.conf.d/{,**} r,
/etc/default/apport r, /etc/default/apport r,
/etc/login.defs r,
/var/crash/ r, /var/crash/ r,


@ -67,9 +67,9 @@ profile cockpit-bridge @{exec_path} {
/usr/share/file/** r, /usr/share/file/** r,
/usr/share/iproute2/* r, /usr/share/iproute2/* r,
@{etc_ro}/login.defs r,
/etc/cockpit/{,**} r, /etc/cockpit/{,**} r,
/etc/httpd/conf/mime.types r, /etc/httpd/conf/mime.types r,
/etc/login.defs r,
/etc/machine-id r, /etc/machine-id r,
/etc/mime.types r, /etc/mime.types r,
/etc/motd r, /etc/motd r,


@ -24,15 +24,14 @@ profile agetty @{exec_path} {
@{bin}/login rPx, @{bin}/login rPx,
@{etc_ro}/login.defs r,
@{etc_ro}/login.defs.d/{,*} r,
@{etc_rw}/issue r, @{etc_rw}/issue r,
/{,usr/}lib/os-release r, /{,usr/}lib/os-release r,
/{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue r,
/{etc,run,lib,usr/lib}/issue.d/{,*} r, /{etc,run,lib,usr/lib}/issue.d/{,*} r,
/etc/inittab r, /etc/inittab r,
/etc/login.defs r,
/etc/login.defs.d/{,*} r,
/etc/os-release r, /etc/os-release r,
/usr/etc/login.defs r,
@{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/getty@tty@{int}.service/ r,
@{run}/credentials/serial-getty@ttyS@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r,


@ -20,7 +20,7 @@ profile chage @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{passwd,shadow} rw, /etc/{passwd,shadow} rw,
/etc/{passwd,shadow}.@{pid} w, /etc/{passwd,shadow}.@{pid} w,


@ -18,8 +18,9 @@ profile chpasswd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{etc_ro}/login.defs r,
/etc/.pwd.lock wk, /etc/.pwd.lock wk,
/etc/login.defs r,
/etc/passwd rw, /etc/passwd rw,
/etc/passwd.@{int} w, /etc/passwd.@{int} w,
/etc/passwd.lock l -> /etc/passwd.@{int}, /etc/passwd.lock l -> /etc/passwd.@{int},


@ -21,7 +21,8 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{bin}/apparmor_parser rPx, @{bin}/apparmor_parser rPx,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/firejail/firejail.users r, /etc/firejail/firejail.users r,
/etc/firejail/firecfg.config r, /etc/firejail/firecfg.config r,


@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) {
@{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/gpuclockctl ix,
@{lib}/gamemode/procsysctl ix, @{lib}/gamemode/procsysctl ix,
/etc/security/limits.d/ r, @{etc_ro}/security/limits.d/ r,
/etc/security/limits.d/@{int}-gamemode.conf r, @{etc_ro}/security/limits.d/@{int}-gamemode.conf r,
/etc/shells r, /etc/shells r,
@{sys}/devices/@{pci}/power_dpm_force_performance_level rw, @{sys}/devices/@{pci}/power_dpm_force_performance_level rw,


@ -29,7 +29,7 @@ profile gpasswd @{exec_path} {
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{group,gshadow} rw, /etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w, /etc/{group,gshadow}.@{pid} w,


@ -22,7 +22,7 @@ profile groupadd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/nscd rix, @{bin}/nscd rix,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{group,gshadow} rw, /etc/{group,gshadow} rw,
/etc/{group,gshadow}- w, /etc/{group,gshadow}- w,


@ -25,7 +25,7 @@ profile groupdel @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{bin}/nscd rix, @{bin}/nscd rix,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{group,gshadow} rw, /etc/{group,gshadow} rw,
/etc/{group,gshadow}.@{pid} w, /etc/{group,gshadow}.@{pid} w,


@ -24,7 +24,7 @@ profile groupmod @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{passwd,gshadow,group} rw, /etc/{passwd,gshadow,group} rw,
/etc/{passwd,gshadow,group}.@{pid} w, /etc/{passwd,gshadow,group}.@{pid} w,


@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{gshadow,group} rw, /etc/{gshadow,group} rw,
/etc/{gshadow,group}.@{pid} rw, /etc/{gshadow,group}.@{pid} rw,


@ -17,8 +17,9 @@ profile lastlog @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{etc_ro}/login.defs r,
/var/log/lastlog r, /var/log/lastlog r,
/etc/login.defs r,
include if exists <local/lastlog> include if exists <local/lastlog>
} }


@ -43,15 +43,15 @@ profile login @{exec_path} flags=(attach_disconnected) {
@{bin}/@{shells} rUx, @{bin}/@{shells} rUx,
@{etc_ro}/environment r, @{etc_ro}/environment r,
@{etc_ro}/security/group.conf r,
@{etc_ro}/security/limits.conf r,
@{etc_ro}/security/limits.d/{,*} r, @{etc_ro}/security/limits.d/{,*} r,
@{etc_ro}/security/pam_env.conf r,
/etc/default/locale r, /etc/default/locale r,
/etc/legal r, /etc/legal r,
/etc/machine-id r, /etc/machine-id r,
/etc/motd r, /etc/motd r,
/etc/motd.d/ r, /etc/motd.d/ r,
/etc/security/group.conf r,
/etc/security/limits.conf r,
/etc/security/pam_env.conf r,
/etc/shells r, /etc/shells r,
/var/lib/faillock/@{user} rwk, /var/lib/faillock/@{user} rwk,


@ -23,9 +23,9 @@ profile newgrp @{exec_path} {
@{bin}/@{shells} rUx, @{bin}/@{shells} rUx,
/etc/{passwd,group,shadow,gshadow} r, @{etc_ro}/login.defs r,
/etc/login.defs r, /etc/{passwd,group,shadow,gshadow} r,
owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/loginuid r,


@ -16,7 +16,8 @@ profile pwck @{exec_path} flags=(attach_disconnected) {
@{bin}/nscd rix, @{bin}/nscd rix,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/.pwd.lock wk, /etc/.pwd.lock wk,
/etc/passwd rw, /etc/passwd rw,
/etc/passwd.@{int} rw, /etc/passwd.@{int} rw,


@ -98,9 +98,9 @@ profile snapd @{exec_path} {
/usr/share/dbus-1/services/*snap* r, /usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**/} r, /usr/share/polkit-1/actions/{,**/} r,
@{etc_ro}/environment r,
/etc/apparmor.d/*snapd.snap* r, /etc/apparmor.d/*snapd.snap* r,
/etc/dbus-1/system.d/{,**/} r, /etc/dbus-1/system.d/{,**/} r,
/etc/environment r,
/etc/fstab r, /etc/fstab r,
/etc/mime.types r, /etc/mime.types r,
/etc/modprobe.d/{,**/} r, /etc/modprobe.d/{,**/} r,


@ -30,7 +30,7 @@ profile useradd @{exec_path} {
@{bin}/pam_tally2 rCx -> pam_tally2, @{bin}/pam_tally2 rCx -> pam_tally2,
/etc/default/useradd r, /etc/default/useradd r,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,


@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
/etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,


@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) {
@{bin}/nscd rix, @{bin}/nscd rix,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/subuid r, /etc/subuid r,
/etc/{passwd,shadow,gshadow,group} rw, /etc/{passwd,shadow,gshadow,group} rw,


@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} {
@{sh_path} rix, @{sh_path} rix,
@{editor_path} rCx -> editor, @{editor_path} rCx -> editor,
/etc/login.defs r, @{etc_ro}/login.defs r,
/etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}{,.edit} rw,
/etc/{passwd,shadow,gshadow,group}.@{pid} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw,