diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 5f2c8396..7d0f1db4 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -34,8 +34,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 @{bin}/gcm-viewer rix,
 @{bin}/grep rix,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index e8d3aa4e..7f533e58 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -38,8 +38,7 @@ profile gnome-terminal-server @{exec_path} {
 @{exec_path} mr,
 # The shell is not confined on purpose.
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 # Some CLI program can be launched directly from Gnome Shell
 @{bin}/htop rPx,
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index e38a029d..68011ae1 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -26,8 +26,7 @@ profile kgx @{exec_path} {
 @{exec_path} mr,
 # The shell is not confined on purpose.
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 # Some CLI program can be launched directly from Gnome Shell
 @{bin}/htop rPx,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 3af273fd..554262ce 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -61,8 +61,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 @{bin}/false rix,
 @{bin}/nologin rPx,
 @{bin}/passwd rPx,
diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code
index 84d58761..9f3b54ba 100644
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
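Review bot: The replacement rule `@{bin}/@{shells} rUx,` does not grant the same set of programs as the two lines it removes: the tunable defined in this commit's `paths` hunk lists `fish` and the literal `sh`, neither of which `{,b,d,rb}ash` or `{c,k,tc,z}sh` matched, and it omits `ash`, which the first glob did match. Because the rule is `rUx` (execute unconfined), every profile that takes the same replacement in this commit — gnome-terminal-server, kgx, sshd, code, newgrp, the second pam/mappings hunk, su, sudo, sulogin and terminator — widens its unconfined-exec set by exactly this difference, and login widens further because its old list `{,z,ba,da}sh` covered only four shells. If dropping `ash` and adding `fish` are intended, the commit message should state it; if not, the tunable line `@{shells} = sh zsh bash dash fish rbash ksh tcsh csh` is the single place to adjust rather than the per-profile rules. The enclosing profile bodies start and end outside each of these hunks.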
@@ -42,8 +42,7 @@ profile code flags=(attach_disconnected) {
 @{open_path} rPx -> child-open,
 # The shell is not confined on purpose.
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 # Confine some common tools
 @{lib}/code/extensions/git/dist/askpass.sh rPx,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index 82177368..ea9f2de8 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -37,8 +37,8 @@ profile login @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{bin}/{,z,ba,da}sh rUx,
- @{bin}/unix_chkpwd rPx,
+ @{bin}/@{shells} rUx,
+ @{bin}/unix_chkpwd rPx,
 @{etc_ro}/environment r,
 @{etc_ro}/security/limits.d/{,*} r,
diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp
index 59ac4ee3..5b9ee6f4 100644
--- a/apparmor.d/profiles-m-r/newgrp
+++ b/apparmor.d/profiles-m-r/newgrp
@@ -21,8 +21,7 @@ profile newgrp @{exec_path} {
 @{exec_path} mr,
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 /etc/{passwd,group,shadow,gshadow} r,
diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings
index 19d7e5a6..f1c51e58 100644
--- a/apparmor.d/profiles-m-r/pam/mappings
+++ b/apparmor.d/profiles-m-r/pam/mappings
@@ -41,8 +41,7 @@
 capability setgid,
 capability setuid,
- @{bin}/{,b,d,rb}ash rPx -> confined_user,
- @{bin}/{c,k,tc,z}sh rPx -> confined_user,
+ @{bin}/@{shells} rPx -> confined_user,
 /etc/default/su r,
 @{etc_ro}/environment r,
@@ -63,8 +62,7 @@
 capability setgid,
 capability setuid,
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 /etc/default/su r,
 @{etc_ro}/environment r,
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 0e812901..bbbc75de 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
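Review bot: In the first pam/mappings hunk, `@{bin}/@{shells} rPx -> confined_user,` now routes every shell in the tunable, including the newly listed `fish` and the literal `sh`, into the `confined_user` profile, and nothing in this hunk shows whether that profile's rules were written with shells beyond the old ash/sh family in mind; that should be confirmed before merging, since a shell that `confined_user` does not cover would start and then be denied its accesses. The second hunk of the same file keeps `rUx`, so the two blocks now differ only in transition mode, which deserves a one-line comment above the first rule such as `# Shells of confined users transition to confined_user instead of running unconfined`. Both enclosing blocks begin and end outside the hunks.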
@@ -44,8 +44,7 @@ profile su @{exec_path} {
 @{exec_path} mr,
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 @{bin}/nologin rPx,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 32588283..eb1bf21a 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -53,8 +53,7 @@ profile sudo @{exec_path} {
 @{exec_path} mr,
 @{lib}/sudo/** mr,
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 @{lib}/** rPUx,
 /opt/*/** rPUx,
 /snap/snapd/@{int}@{bin}/snap rPUx,
diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin
index 06182c00..474c1ca1 100644
--- a/apparmor.d/profiles-s-z/sulogin
+++ b/apparmor.d/profiles-s-z/sulogin
@@ -16,8 +16,7 @@ profile sulogin @{exec_path} {
 @{exec_path} mr,
 # The shell is not confined on purpose.
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 /etc/shadow r,
diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator
index 51db6333..41b7d32d 100644
--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@@ -29,8 +29,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
 @{bin}/python3.@{int} rix,
 # The shell is not confined on purpose.
- @{bin}/{,b,d,rb}ash rUx,
- @{bin}/{c,k,tc,z}sh rUx,
+ @{bin}/@{shells} rUx,
 owner @{user_config_dirs}/terminator/{,**} rw,
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index 1266956f..73023e8a 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@@ -4,6 +4,9 @@
 # Define some paths for some commonly used programs
+# All the shells
+@{shells} = sh zsh bash dash fish rbash ksh tcsh csh
+
 # Browsers
 @{brave_name} = brave{,-beta,-dev,-bin}
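Review bot: The `@{bin}/@{shells} rUx,` line in the su and sudo hunks carries no comment, whereas the terminal-side profiles touched by this commit (gnome-terminal-server, kgx, sulogin, terminator) keep `# The shell is not confined on purpose.` directly above the same rule. su and sudo are the privilege boundary where an unconfined shell transition is most consequential, so the rationale belongs in place; adding that same comment line above the rule in both hunks (sshd, newgrp, login and gnome-control-center share the omission) makes the deliberate `rUx` greppable and keeps the profiles consistent. The enclosing profile bodies extend beyond both hunks.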