From 9a46df81b90cb01a6394519c8d32259d2282a92e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Mon, 28 Nov 2022 18:05:29 +0000
Subject: [PATCH] feat(profiles): remove rules promoted into the base abstraction.

---
 apparmor.d/groups/browsers/brave | 1 -
 apparmor.d/groups/browsers/firefox | 1 -
 apparmor.d/groups/freedesktop/xwayland | 1 -
 apparmor.d/groups/gnome/gjs-console | 2 --
 apparmor.d/groups/gnome/gnome-control-center | 1 -
 apparmor.d/groups/gnome/gnome-control-center-print-renderer | 2 --
 apparmor.d/groups/gnome/gnome-extensions-app | 2 --
 apparmor.d/groups/gnome/gnome-shell | 1 -
 apparmor.d/groups/gnome/gnome-software | 1 -
 apparmor.d/groups/gnome/tracker-extract | 2 --
 apparmor.d/groups/grub/grub-multi-install | 1 -
 apparmor.d/groups/network/mullvad-gui | 1 -
 apparmor.d/groups/ssh/sshd | 1 -
 apparmor.d/groups/systemd/networkctl | 1 -
 apparmor.d/groups/systemd/systemd-ask-password | 1 -
 apparmor.d/groups/ubuntu/list-oem-metapackages | 1 -
 apparmor.d/groups/virt/k3s | 1 -
 apparmor.d/groups/virt/libvirtd | 2 --
 apparmor.d/groups/virt/virt-aa-helper | 1 -
 apparmor.d/groups/virt/virtlogd | 1 -
 apparmor.d/profiles-a-f/apparmor.systemd | 1 -
 apparmor.d/profiles-a-f/apparmor_parser | 1 -
 apparmor.d/profiles-g-l/haveged | 1 -
 apparmor.d/profiles-g-l/losetup | 1 -
 apparmor.d/profiles-s-z/steam-fossilize | 1 -
 apparmor.d/profiles-s-z/update-ca-certificates | 3 ---
 apparmor.d/profiles-s-z/vlc-cache-gen | 2 --
 apparmor.d/profiles-s-z/wireplumber | 1 -
 28 files changed, 36 deletions(-)

diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 7eecfb99..c4e123e1 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -134,7 +134,6 @@ profile brave @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
 @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
- @{sys}/devices/system/cpu/online r,
 @{sys}/devices/virtual/tty/tty[0-9]/active r,
 /dev/bus/usb/[0-9]*/[0-9]* rw,
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 0621d71d..5b90c85b 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -225,7 +225,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
 @{sys}/devices/pci[0-9]*/**/irq r,
 @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
- @{sys}/devices/system/cpu/possible r,
 deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
 deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
 deny @{sys}/devices/system/cpu/present r,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 09c07d66..45f0bfd4 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -38,7 +38,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/xwayland-shared-?????? rw,
 @{sys}/bus/pci/devices/ r,
- @{sys}/devices/system/cpu/possible r,
 @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 53ce4cec..cc72ed69 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -102,8 +102,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
- @{sys}/devices/system/cpu/possible r,
-
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index a0f57025..7a586d8b 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -165,7 +165,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/{name,vendor,product,uevent} r,
 @{sys}/devices/**/power_supply/{,**} r,
 @{sys}/devices/platform/**/uevent r,
- @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/virtual/**/uevent r,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
 @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index 2221d06f..742c3c00 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -45,8 +45,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
 owner @{run}/user/@{uid}/gdm/Xauthority r,
 owner @{run}/user/@{uid}/wayland-[0-9]* rw,
- @{sys}/devices/system/cpu/possible r,
-
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index 944782d4..50da01ee 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -28,8 +28,6 @@ profile gnome-extensions-app @{exec_path} {
 /usr/share/gnome-shell/org.gnome.Extensions* r,
 /usr/share/X11/xkb/{,**} r,
- @{sys}/devices/system/cpu/possible r,
-
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pids}/task/@{tid}/stat r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index f14bf5c0..02c9e636 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -625,7 +625,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
 @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
- @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
 owner @{PROC}/@{pid}/comm r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 9c063b15..fb772445 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -87,7 +87,6 @@ profile gnome-software @{exec_path} {
 owner @{run}/user/@{uid}/.flatpak/{,**} rw,
 owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
- @{sys}/devices/system/cpu/possible r,
 @{sys}/module/nvidia/version r,
 @{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index ddc650e2..c8b9e090 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -107,8 +107,6 @@ profile tracker-extract @{exec_path} {
 @{run}/udev/data/c51[0-9]:[0-9]* r,
 @{run}/mount/utab r,
- @{sys}/devices/system/cpu/possible r,
-
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 98906271..11185f7b 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -28,7 +28,6 @@ profile grub-multi-install @{exec_path} {
 /boot/grub/grub.cfg rw,
- @{PROC}/filesystems r,
 owner @{PROC}/@{pid}/maps r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 426890f4..6036e041 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -54,7 +54,6 @@ profile mullvad-gui @{exec_path} {
 @{sys}/bus/pci/devices/ r,
 @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r,
- @{sys}/devices/system/cpu/possible r,
 @{PROC}/ r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 3af0834f..e788671c 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -105,7 +105,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
- @{PROC}/filesystems r,
 @{PROC}/sys/kernel/ngroups_max r,
 /dev/ptmx rw,
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
index 7fc78f74..db2b6d10 100644
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@@ -53,7 +53,6 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/devices/**/net/**/uevent r,
- @{PROC}/filesystems r,
 @{PROC}/sys/kernel/random/boot_id r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-ask-password b/apparmor.d/groups/systemd/systemd-ask-password
index 2031d276..2f4bded5 100644
--- a/apparmor.d/groups/systemd/systemd-ask-password
+++ b/apparmor.d/groups/systemd/systemd-ask-password
@@ -13,7 +13,6 @@ profile systemd-ask-password @{exec_path} {
 @{exec_path} mr,
- @{PROC}/filesystems r,
 owner @{PROC}/@{pid}/stat r,
 include if exists
diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages
index 42d9589e..24bd425e 100644
--- a/apparmor.d/groups/ubuntu/list-oem-metapackages
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages
@@ -26,7 +26,6 @@ profile list-oem-metapackages @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pids}/mountinfo r,
- @{PROC}/filesystems r,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 0da4b4e4..09ee2295 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -133,7 +133,6 @@ profile k3s @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r,
 @{sys}/devices/system/edac/mc/ r,
- @{sys}/devices/system/cpu/ r,
 @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r,
 @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
 @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 41900e11..e6059c33 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -189,10 +189,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/remove w,
 @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
- @{sys}/devices/system/cpu/ r,
 @{sys}/devices/system/cpu/cpu[0-9]*/cache/{,**} r,
 @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
- @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/system/cpu/present r,
 @{sys}/devices/system/cpu/present/ r,
 @{sys}/devices/system/node/ r,
diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper
index ebf5ff34..66b6dac5 100644
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/net/psched r,
- @{PROC}/filesystems r,
 deny @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/status r,
diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd
index 27afbd88..900cfbd3 100644
--- a/apparmor.d/groups/virt/virtlogd
+++ b/apparmor.d/groups/virt/virtlogd
@@ -32,7 +32,6 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/inhibit/[0-9]*.ref rw,
 @{run}/virtlogd.pid rwk,
- @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/meminfo r,
diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd
index a40c4249..f88f1e4f 100644
--- a/apparmor.d/profiles-a-f/apparmor.systemd
+++ b/apparmor.d/profiles-a-f/apparmor.systemd
@@ -38,7 +38,6 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pids}/maps r,
 @{PROC}/@{pids}/mounts r,
- @{PROC}/filesystems r,
 @{PROC}/mounts r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index 59245636..42eb0743 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -28,7 +28,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
 owner /tmp/cri-containerd.apparmor.d[0-9]* r,
- @{sys}/devices/system/cpu/possible r,
 @{sys}/kernel/security/apparmor/{,**} r,
 owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged
index cfe048fe..873fcac1 100644
--- a/apparmor.d/profiles-g-l/haveged
+++ b/apparmor.d/profiles-g-l/haveged
@@ -25,7 +25,6 @@ profile haveged @{exec_path} {
 @{PROC}/sys/kernel/random/write_wakeup_threshold w,
 /dev/random w,
- @{sys}/devices/system/cpu/ r,
 @{sys}/devices/system/cpu/cpu*/cache/ r,
 @{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/profiles-g-l/losetup
index b1f8a162..b15d2f0e 100644
--- a/apparmor.d/profiles-g-l/losetup
+++ b/apparmor.d/profiles-g-l/losetup
@@ -18,7 +18,6 @@ profile losetup @{exec_path} {
 @{exec_path} mr,
 @{sys}/devices/**/usb[0-9]/{,**} r,
- @{sys}/devices/system/cpu/possible r,
 /dev/loop-control rw,
 /dev/loop[0-9]* rw,
diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize
index 86202bd4..a001c037 100644
--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
@@ -31,7 +31,6 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
 owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
- @{sys}/devices/system/cpu/possible r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/cpumap r,
diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates
index 161876a4..b5e0d280 100644
--- a/apparmor.d/profiles-s-z/update-ca-certificates
+++ b/apparmor.d/profiles-s-z/update-ca-certificates
@@ -52,9 +52,6 @@ profile update-ca-certificates @{exec_path} {
 /usr/local/share/ r,
- @{PROC}/filesystems r,
-
-
 profile run-parts {
 include
diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen
index 0fa668cb..52fa5c27 100644
--- a/apparmor.d/profiles-s-z/vlc-cache-gen
+++ b/apparmor.d/profiles-s-z/vlc-cache-gen
@@ -15,8 +15,6 @@ profile vlc-cache-gen @{exec_path} {
 /{usr/,}lib/vlc/plugins/{,*} rw,
- @{sys}/devices/system/cpu/possible r,
-
 # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber
index ac01019b..52dd9016 100644
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@@ -48,7 +48,6 @@ profile wireplumber @{exec_path} {
 @{sys}/devices/**/sound/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/modalias r,
 @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
- @{sys}/devices/system/cpu/possible r,
 /dev/media[0-9]* rw,
 /dev/snd/ r,