From 8979d84633cd189cbfee2ecf2ea4c0102b49b521 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 20 Sep 2024 23:30:09 +0100
Subject: [PATCH] feat(profile): remove rules already included in the base abs.
---
 apparmor.d/groups/apt/apt-overlay | 1 -
 apparmor.d/groups/cron/cron-apt | 3 ---
 apparmor.d/groups/freedesktop/colord | 1 -
 apparmor.d/groups/freedesktop/geoclue | 2 --
 apparmor.d/groups/gnome/evolution-alarm-notify | 1 -
 apparmor.d/groups/gnome/gnome-control-center | 1 -
 apparmor.d/groups/gnome/gnome-shell | 1 -
 apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 -
 apparmor.d/groups/grub/grub-multi-install | 1 -
 apparmor.d/groups/kde/konsole | 1 -
 apparmor.d/groups/kde/startplasma | 3 +--
 apparmor.d/groups/network/openvpn | 2 +-
 apparmor.d/groups/pacman/aurpublish | 2 --
 apparmor.d/groups/systemd/systemd-logind | 1 -
 apparmor.d/groups/systemd/systemd-oomd | 7 +++----
 apparmor.d/groups/systemd/systemd-resolved | 7 +++----
 apparmor.d/groups/systemd/systemd-sleep-grub2 | 2 --
 apparmor.d/groups/systemd/systemd-timesyncd | 1 -
 apparmor.d/groups/virt/k3s | 1 -
 apparmor.d/profiles-a-f/auditd | 1 -
 apparmor.d/profiles-a-f/boltd | 1 -
 apparmor.d/profiles-a-f/cups-browsed | 1 -
 apparmor.d/profiles-s-z/spice-vdagentd | 1 -
 23 files changed, 8 insertions(+), 35 deletions(-)
diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay
index fb567a5e..158e7c57 100644
--- a/apparmor.d/groups/apt/apt-overlay
+++ b/apparmor.d/groups/apt/apt-overlay
@@ -22,7 +22,6 @@ profile apt-overlay @{exec_path} {
 owner @{bin}/env r,
 @{lib}/ruby/{,**} r,
- @{lib}/locale/locale-archive r,
 @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,
 /usr/share/rubygems-integration/{,**} r,
diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt
index 51057f47..41c27ecc 100644
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@@ -70,9 +70,6 @@ profile cron-apt @{exec_path} {
 /var/log/cron-apt/mail rw,
 /var/log/cron-apt/lastfullmessage rw,
- # For the "ls" command
- @{lib}/locale/locale-archive r,
- # TMP
 /tmp/ r,
 owner @{tmp}/cron-apt.*/ rw,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 418864a6..8ed35020 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -52,7 +52,6 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 @{desktop_share_dirs}/icc/edid-*.icc r,
 @{user_share_dirs}/icc/edid-*.icc r,
- @{run}/systemd/journal/socket rw,
 @{run}/systemd/sessions/* r,
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index e5d86092..7e2a282a 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -41,8 +41,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 /var/lib/nscd/services r,
 /var/lib/dbus/machine-id r,
- @{run}/systemd/journal/socket rw,
- @{PROC}/@{pids}/cgroup r,
 @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index a4c2c4a9..abae74d4 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -34,7 +34,6 @@ profile evolution-alarm-notify @{exec_path} {
 @{exec_path} mr,
 /usr/share/evolution-data-server/{,**} r,
- /usr/share/{,zoneinfo-}icu/{,**} r,
 /etc/timezone r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 53545419..aea86106 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -165,7 +165,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/loginuid r,
- owner @{PROC}/@{pid}/maps r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/statm r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 87cc77d0..3ee2665e 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -194,7 +194,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 /opt/**/share/icons/{,**} r,
 /snap/*/@{uid}/**.png r,
- /usr/share/{,zoneinfo-}icu/{,**} r,
 /usr/share/**.{png,jpg,svg} r,
 /usr/share/**/icons/{,**} r,
 /usr/share/backgrounds/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index cc56eff5..371ed3e0 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -36,7 +36,6 @@ profile gnome-shell-calendar-server @{exec_path} {
 @{exec_path} mr,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
- /usr/share/{,zoneinfo-}icu/{,**} r,
 /etc/sysconfig/clock r,
 /etc/timezone r,
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 9cc94f9c..9360173a 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -31,7 +31,6 @@ profile grub-multi-install @{exec_path} {
 /boot/grub/grub.cfg rw,
- owner @{PROC}/@{pid}/maps r,
 owner @{PROC}/@{pid}/mounts r,
 /dev/disk/by-id/ r,
diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole
index 94bad21b..164510ae 100644
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@@ -35,7 +35,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{bin}/htop rPx,
 @{bin}/micro rPUx,
 @{bin}/nvtop rPx,
- @{bin}/nvtop rPx,
 @{bin}/vim rUx,
 /usr/share/color-schemes/{,**} r,
diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma
index e57639b6..c0cd5690 100644
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@@ -73,8 +73,7 @@ profile startplasma @{exec_path} {
 owner @{run}/user/@{uid}/ r,
- @{PROC}/sys/kernel/random/boot_id r,
- owner @{PROC}/@{pid}/maps r,
+ @{PROC}/sys/kernel/random/boot_id r,
 /dev/tty r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn
index 6bf8c168..e9431584 100644
--- a/apparmor.d/groups/network/openvpn
+++ b/apparmor.d/groups/network/openvpn
@@ -59,7 +59,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
 @{run}/openvpn/*.{pid,status} rw,
- @{run}/systemd/journal/dev-log rw,
+ @{run}/systemd/journal/dev-log r,
 @{bin}/ip rix,
 @{bin}/systemd-ask-password rPx,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 3f46e2fa..cae1d7dc 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -57,8 +57,6 @@ profile aurpublish @{exec_path} {
 owner @{tmp}/tmp.@{rand10} rw,
- owner @{PROC}/@{pid}/maps r,
- /dev/tty rw,
 profile gpg {
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 8db1923e..d1fa06e7 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -97,7 +97,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/ rw,
 @{run}/systemd/inhibit/.#* rw,
 @{run}/systemd/inhibit/@{int}{,.ref} rw,
- @{run}/systemd/journal/socket rw,
 @{run}/systemd/notify rw,
 @{run}/systemd/seats/ rw,
 @{run}/systemd/seats/.#seat* rw,
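Review bot: In the startplasma hunk `@{PROC}/sys/kernel/random/boot_id r,` is removed and re-added with no visible textual difference, so the only change a reader can verify is the `maps` removal, and whatever whitespace change is hidden in the re-added line cannot be audited from the diff. The systemd-oomd and systemd-resolved hunks do the same with three `@{run}/systemd/...` lines each. A commit whose subject is "remove rules" is easiest to review when it contains only removals; the realignment would be better as a separate whitespace-only commit, or at least mentioned in the message so the re-added lines are not mistaken for permission changes. The enclosing profile block starts and ends outside the hunk.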
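Review bot: The openvpn hunk narrows `@{run}/systemd/journal/dev-log` from `rw` to `r` instead of dropping the line as the auditd and spice-vdagentd hunks do for the same path. Sending to a path-based socket is checked as a write, so a read-only rule on the syslog socket is unusual; if the base abstraction now supplies the write side, the remaining `r` looks like a leftover and the line can go entirely. If openvpn really does need it, a comment such as `# dev-log read is still required here: <reason>` next to the rule would keep the residual permission explainable to the next reviewer. The enclosing profile block starts and ends outside the hunk.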
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index 9ebe87c4..21ef7949 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -24,10 +24,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/oomd.conf r,
 /etc/systemd/oomd.conf.d/{,**} r,
- @{run}/systemd/io.system.ManagedOOM rw,
- @{run}/systemd/io.systemd.ManagedOOM rw,
- @{run}/systemd/notify rw,
- owner @{run}/systemd/journal/socket w,
+ @{run}/systemd/io.system.ManagedOOM rw,
+ @{run}/systemd/io.systemd.ManagedOOM rw,
+ @{run}/systemd/notify rw,
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/memory.* r,
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index 7b2e7ffa..34597caa 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -41,10 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/resolved.conf r,
 /etc/systemd/resolved.conf.d/{,*} r,
- @{run}/systemd/netif/links/* r,
- @{run}/systemd/notify rw,
- @{run}/systemd/resolve/{,**} rw,
- owner @{run}/systemd/journal/socket w,
+ @{run}/systemd/netif/links/* r,
+ @{run}/systemd/notify rw,
+ @{run}/systemd/resolve/{,**} rw,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/pressure/* r,
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub2
index e7ae0935..9c718f7b 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-grub2
+++ b/apparmor.d/groups/systemd/systemd-sleep-grub2
@@ -19,8 +19,6 @@ profile systemd-sleep-grub @{exec_path} {
 /etc/sysconfig/bootloader r,
- @{PROC}/@{pid}/maps r,
- /dev/tty rw,
 include if exists
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 51fd6358..4f0903d1 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -38,7 +38,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/netif/state r,
 @{run}/systemd/notify rw,
 @{run}/systemd/timesyncd.conf.d/{,**} r,
- owner @{run}/systemd/journal/socket w,
 owner @{run}/systemd/timesync/synchronized rw,
 @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index e1cded61..c2183c33 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -130,7 +130,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 @{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
 @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
 @{PROC}/sys/net/netfilter/* rw,
- @{PROC}/sys/vm/overcommit_memory rw,
 @{PROC}/sys/vm/panic_on_oom r,
 @{sys}/class/net/ r,
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index 935a84c6..8c187860 100644
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@@ -27,7 +27,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
 /var/log/audit/{,**} rw,
- @{run}/systemd/journal/dev-log w,
 owner @{run}/auditd.pid rwl,
 owner @{run}/auditd.state rw,
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index 47c16d1c..e5464290 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -26,7 +26,6 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/boltd/{,**} rw,
 @{run}/systemd/notify rw,
- @{run}/systemd/journal/socket w,
 @{run}/udev/data/+thunderbolt:* r,
 @{sys}/bus/ r,
diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed
index 2abffbe1..6b01087b 100644
--- a/apparmor.d/profiles-a-f/cups-browsed
+++ b/apparmor.d/profiles-a-f/cups-browsed
@@ -39,7 +39,6 @@ profile cups-browsed @{exec_path} {
 @{exec_path} mr,
 /usr/share/cups/locale/{,**} r,
- /usr/share/locale/{,**} r,
 /etc/cups/{,**} r,
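Review bot: The k3s hunk removes `@{PROC}/sys/vm/overcommit_memory rw,`, but the stock base abstraction grants only `r` on that path, so unless this project's base abstraction differs, the change drops a write permission rather than a duplicate. kubelet is known to set vm.overcommit_memory at startup unless kernel-default protection is enabled, so a denial here would likely show up as a k3s startup failure rather than as harmless log noise. If the write is still wanted, keeping a narrowed `@{PROC}/sys/vm/overcommit_memory w,` with a comment such as `# kubelet tunes vm.overcommit_memory at startup` makes the reason visible; if withdrawing it is intentional, that deserves a sentence in the commit message. The enclosing profile block starts and ends outside the hunk.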
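Review bot: The cups-browsed hunk drops `/usr/share/locale/{,**} r,`, while the stock base abstraction's counterpart is written as `/usr/share/locale/** r,`, a glob that does not match the directory entry `/usr/share/locale/` itself; the `{,**}` form in this project exists precisely to cover that case. If the project's base abstraction uses the same glob, a directory listing of the locale tree by cups-browsed would now be denied, so this is worth confirming against the abstraction or by re-running the daemon with denial logging before merge. The enclosing profile block starts and ends outside the hunk.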
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index e9a8b633..70eca91f 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@@ -16,7 +16,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{run}/systemd/journal/dev-log w,
 @{run}/systemd/seats/seat@{int} r,
 @{run}/systemd/sessions/* r,
 @{run}/systemd/users/@{uid} r,