feat: add the new shells variable to ensure support for all interactive shell.

Fix #269
2025-01-18 00:48:10 +01:00 · 2024-01-25 13:16:40 +00:00 · 2024-01-25 13:16:40 +00:00 · a30c2e5e85
commit a30c2e5e85
parent b376e9fade
13 changed files with 17 additions and 26 deletions
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -34,8 +34,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/{,b,d,rb}ash  rUx,
-  @{bin}/{c,k,tc,z}sh  rUx,
+  @{bin}/@{shells}     rUx,

  @{bin}/gcm-viewer    rix,
  @{bin}/grep          rix,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -38,8 +38,7 @@ profile gnome-terminal-server @{exec_path} {
  @{exec_path} mr,

  # The shell is not confined on purpose.
-  @{bin}/{,b,d,rb}ash         rUx,
-  @{bin}/{c,k,tc,z}sh         rUx,
+  @{bin}/@{shells}            rUx,

  # Some CLI program can be launched directly from Gnome Shell
  @{bin}/htop                 rPx,
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@ -26,8 +26,7 @@ profile kgx @{exec_path} {
  @{exec_path} mr,

  # The shell is not confined on purpose.
-  @{bin}/{,b,d,rb}ash         rUx,
-  @{bin}/{c,k,tc,z}sh         rUx,
+  @{bin}/@{shells}           rUx,

  # Some CLI program can be launched directly from Gnome Shell
  @{bin}/htop                 rPx,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -61,8 +61,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mrix,

-  @{bin}/{,b,d,rb}ash         rUx,
-  @{bin}/{c,k,tc,z}sh         rUx,
+  @{bin}/@{shells}            rUx,
  @{bin}/false                rix,
  @{bin}/nologin              rPx,
  @{bin}/passwd               rPx,
--- a/apparmor.d/profiles-a-f/code
+++ b/apparmor.d/profiles-a-f/code
@ -42,8 +42,7 @@ profile code flags=(attach_disconnected) {
  @{open_path}                  rPx -> child-open,

  # The shell is not confined on purpose.
-  @{bin}/{,b,d,rb}ash         rUx,
-  @{bin}/{c,k,tc,z}sh         rUx,
+  @{bin}/@{shells}              rUx,

  # Confine some common tools
  @{lib}/code/extensions/git/dist/askpass.sh     rPx,
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -37,7 +37,7 @@ profile login @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/{,z,ba,da}sh  rUx,
+  @{bin}/@{shells}     rUx,
  @{bin}/unix_chkpwd   rPx,

  @{etc_ro}/environment r,
--- a/apparmor.d/profiles-m-r/newgrp
+++ b/apparmor.d/profiles-m-r/newgrp
@ -21,8 +21,7 @@ profile newgrp @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,b,d,rb}ash rUx,
-  @{bin}/{c,k,tc,z}sh rUx,
+  @{bin}/@{shells}     rUx,

  /etc/{passwd,group,shadow,gshadow} r,

--- a/apparmor.d/profiles-m-r/pam/mappings
+++ b/apparmor.d/profiles-m-r/pam/mappings
@ -41,8 +41,7 @@
  capability setgid,
  capability setuid,

-  @{bin}/{,b,d,rb}ash rPx -> confined_user,
-  @{bin}/{c,k,tc,z}sh rPx -> confined_user,
+  @{bin}/@{shells}    rPx -> confined_user,

  /etc/default/su r,
  @{etc_ro}/environment r,
@ -63,8 +62,7 @@
  capability setgid,
  capability setuid,

-  @{bin}/{,b,d,rb}ash rUx,
-  @{bin}/{c,k,tc,z}sh rUx,
+  @{bin}/@{shells}     rUx,

  /etc/default/su r,
  @{etc_ro}/environment r,
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -44,8 +44,7 @@ profile su @{exec_path} {

  @{exec_path} mr,

-  @{bin}/{,b,d,rb}ash  rUx,
-  @{bin}/{c,k,tc,z}sh  rUx,
+  @{bin}/@{shells}     rUx,

  @{bin}/nologin       rPx,

--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -53,8 +53,7 @@ profile sudo @{exec_path} {
  @{exec_path} mr,
  @{lib}/sudo/** mr,

-  @{bin}/{,b,d,rb}ash               rUx,
-  @{bin}/{c,k,tc,z}sh               rUx,
+  @{bin}/@{shells}                 rUx,
  @{lib}/**                        rPUx,
  /opt/*/**                        rPUx,
  /snap/snapd/@{int}@{bin}/snap    rPUx,
--- a/apparmor.d/profiles-s-z/sulogin
+++ b/apparmor.d/profiles-s-z/sulogin
@ -16,8 +16,7 @@ profile sulogin @{exec_path} {
  @{exec_path} mr,

  # The shell is not confined on purpose.
-  @{bin}/{,b,d,rb}ash         rUx,
-  @{bin}/{c,k,tc,z}sh         rUx,
+  @{bin}/@{shells}     rUx,

  /etc/shadow r,

--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@ -29,8 +29,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
  @{bin}/python3.@{int} rix,

  # The shell is not confined on purpose.
-  @{bin}/{,b,d,rb}ash         rUx,
-  @{bin}/{c,k,tc,z}sh         rUx,
+  @{bin}/@{shells}      rUx,

  owner @{user_config_dirs}/terminator/{,**} rw,

--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@ -4,6 +4,9 @@

 # Define some paths for some commonly used programs

+# All the shells
+@{shells} = sh zsh bash dash fish rbash ksh tcsh csh
+
 # Browsers

@{brave_name} = brave{,-beta,-dev,-bin}