diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index 3c77eca7..c45f9a9d 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -40,8 +40,8 @@ profile cron @{exec_path} {
 /etc/cron.d/{,*} r,
 /etc/crontab r,
 /etc/default/locale r,
- /etc/environment r,
- /etc/security/limits.d/{,**} r,
+ @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/{,**} r,
 /var/spool/cron/crontabs/{,*} r,
diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base
index 3dbfbbbd..1f16af99 100644
--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
@@ -50,7 +50,7 @@ profile cron-exim4-base @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/1/limits r,
- /etc/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/ r,
 include if exists
 }
diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest
index d9c55930..2bd878ef 100644
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@@ -100,7 +100,7 @@ profile cron-popularity-contest @{exec_path} {
 owner @{PROC}/@{pids}/loginuid r,
 @{PROC}/1/limits r,
- /etc/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/ r,
 /var/log/popularity-contest.new w,
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb
index 46b78a42..b540380a 100644
--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@@ -22,7 +22,7 @@ profile xrdb @{exec_path} {
 /usr/include/stdc-predef.h r,
- /etc/X11/Xresources/x11-common r,
+ @{etc_ro}/Xresources/x11-common r,
 # The location of the .Xresources file
 owner @{HOME}/.Xresources r,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index b162baaf..e36e550d 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
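Review bot: The xrdb rule drops the `X11/` path component: `/etc/X11/Xresources/x11-common` became `@{etc_ro}/Xresources/x11-common`, so the profile loses read access to the file it previously allowed and instead permits a path that does not match the X11 layout. The replacement should keep the directory, `@{etc_ro}/X11/Xresources/x11-common r,`. Since every other conversion in this commit only swaps the `/etc` prefix, this one looks like an editing slip rather than an intentional move; a quick run of xrdb under the profile in complain mode should surface the denied read if so.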
@@ -67,15 +67,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/gdm.schemas r,
 /usr/share/wayland-sessions/*.desktop r,
+ @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/{,*.conf} r,
 /etc/default/locale r,
- /etc/environment r,
 /etc/gdm{3,}/custom.conf r,
 /etc/gdm{3,}/daemon.conf r,
 /etc/locale.conf r,
 /etc/machine-id r,
 /etc/motd r,
 /etc/motd.d/ r,
- /etc/security/limits.d/{,*.conf} r,
 /etc/shells r,
 owner @{run}/user/@{uid}/keyring/control rw,
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 89ea3c98..f6b6e8ad 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -65,6 +65,7 @@ profile gdm-wayland-session @{exec_path} {
 /{usr/,}bin/gettext.sh r,
 /usr/share/im-config/{,**} r,
+ @{etc_ro}/profile.d/{,*} r,
 /etc/debuginfod/{,*} r,
 /etc/default/im-config r,
 /etc/gdm{3,}/custom.conf r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 64f74ef7..6fb8633a 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -201,7 +201,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /usr/share/session-migration/scripts/{,*} r,
 /etc/gnome/defaults.list r,
- /etc/xdg/autostart/{,*.desktop} r,
+ @{etc_ro}/xdg/autostart/{,*.desktop} r,
 /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
 /var/lib/gdm{3,}/.config/dconf/user r,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 83edc8c8..6f17f4b4 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
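Review bot: `@{etc_ro}/profile.d/{,*} r,` in the gdm-wayland-session hunk is a new grant with no matching removed `/etc` line, unlike every other change in this commit, and nothing in the hunk records what reads those files. A comment naming the trigger would keep the rule auditable, e.g. `# profile.d/* is read when the session shell is started` (to be confirmed against the denial that motivated it, since the shell invocation is outside this hunk). If the access is only needed by a child shell rather than by gdm-wayland-session itself, it belongs in the child's profile instead.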
@@ -133,8 +133,8 @@ profile gsd-xsettings @{exec_path} {
 /usr/share/libdrm/*.ids r,
 /etc/X11/Xsession.options r,
- /etc/xdg/Xwayland-session.d/ r,
- /etc/xdg/Xwayland-session.d/* rix,
+ @{etc_ro}/xdg/Xwayland-session.d/ r,
+ @{etc_ro}/xdg/Xwayland-session.d/* rix,
 /var/lib/gdm{3,}/.config/dconf/user r,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index e788671c..84e28831 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -68,15 +68,15 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 /etc/shells r,
 /etc/default/locale r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 /etc/gss/mech.d/{,*} r,
 /etc/issue.net r,
 /etc/motd r,
- /etc/security/limits.d/{,*.conf} r,
+ @{etc_ro}/security/limits.d/{,*.conf} r,
+ @{etc_ro}/ssh/sshd_config r,
+ @{etc_ro}/ssh/sshd_config.d/{,*} r,
 /etc/ssh/ssh_host_* r,
- /etc/ssh/sshd_config r,
- /etc/ssh/sshd_config.d/{,*} r,
 # For scp
 owner @{user_download_dirs}/{,**} rwl,
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator
index d5c5d99b..5f4d7853 100644
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@@ -19,8 +19,8 @@ profile systemd-environment-d-generator @{exec_path} {
 /{usr/,}bin/gpgconf rPx,
 /{usr/,}bin/{m,g,}awk rix,
- /etc/environment r,
- /etc/environment.d/{,**} r,
+ @{etc_ro}/environment r,
+ @{etc_ro}/environment.d/{,**} r,
 owner @{user_config_dirs}/environment.d/{,*.conf} r,
diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd
index a25a1159..1344a57a 100644
--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
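Review bot: The `rix` rule in the gsd-xsettings hunk now executes whatever `@{etc_ro}/xdg/Xwayland-session.d/*` expands to under the gsd-xsettings profile, so every root covered by the `@{etc_ro}` tunable becomes an execution source with inherited confinement, not just `/etc`. If the tunable resolves to more than one directory, confirm each is root-owned and package-managed before widening an exec rule this way; otherwise keep `/etc/xdg/Xwayland-session.d/* rix,` as it was and convert only the directory-listing rule. A one-line comment above the rule stating which roots are intended, e.g. `# Session hooks run inline (ix); every @{etc_ro} root must be vendor-managed`, would make the decision reviewable later.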
@@ -29,8 +29,8 @@ profile atd @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}{s,}bin/sendmail rPUx,
- /etc/environment r,
- /etc/security/limits.d/ r,
+ @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/ r,
 /var/spool/cron/atjobs/{,*} rwl,
 /var/spool/cron/atspool/{,*} rwl,
diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook
index fadcbb05..9414b670 100644
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@@ -119,7 +119,7 @@ profile check-support-status-hook @{exec_path} {
 owner @{PROC}/@{pids}/loginuid r,
 @{PROC}/1/limits r,
- /etc/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/ r,
 /tmp/ r,
 owner /tmp/debian-security-support.postinst.*/output w,
diff --git a/apparmor.d/profiles-g-l/lightdm b/apparmor.d/profiles-g-l/lightdm
index 527db871..104e87fc 100644
--- a/apparmor.d/profiles-g-l/lightdm
+++ b/apparmor.d/profiles-g-l/lightdm
@@ -96,14 +96,14 @@ profile lightdm @{exec_path} {
 @{run}/lightdm.pid rw,
 @{PROC}/1/limits r,
- /etc/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/ r,
 owner @{PROC}/@{pid}/uid_map r,
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/fd/ r,
 @{PROC}/cmdline r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 /etc/default/locale r,
 /dev/tty[0-9]* r,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index 6b0fe12c..356fc74b 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -37,12 +37,12 @@ profile login @{exec_path} flags=(complain) {
 /{usr/,}bin/{,z,ba,da}sh rUx,
 /etc/default/locale r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 /etc/legal r,
 /etc/motd r,
 /etc/security/group.conf r,
 /etc/security/limits.conf r,
- /etc/security/limits.d/{,*} r,
+ @{etc_ro}/security/limits.d/{,*} r,
 /etc/security/pam_env.conf r,
 /etc/shells r,
diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec
index f6edbade..f1528e40 100644
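Review bot: In the login hunk `/etc/security/limits.d/{,*}` moves to `@{etc_ro}` while the sibling PAM files `/etc/security/group.conf`, `/etc/security/limits.conf` and `/etc/security/pam_env.conf` stay on `/etc`, so if `@{etc_ro}` can resolve to a root other than `/etc`, pam_limits and pam_env would still be denied their primary config there while the drop-in directory is allowed. Either convert those three lines too, e.g. `@{etc_ro}/security/limits.conf r,` and `@{etc_ro}/security/pam_env.conf r,`, or add a comment stating why only the drop-in directory is expected under the read-only root. The profile carries `flags=(complain)` per the hunk header, so such a denial is only logged and easy to miss in testing.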
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@@ -61,9 +61,9 @@ profile pkexec @{exec_path} flags=(complain) {
 @{libexec}/cc-remote-login-helper rPx,
 /etc/shells r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 /etc/default/locale r,
- /etc/security/limits.d/{,*} r,
+ @{etc_ro}/security/limits.d/{,*} r,
 @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser
index 7dc9249f..4068e0ce 100644
--- a/apparmor.d/profiles-m-r/runuser
+++ b/apparmor.d/profiles-m-r/runuser
@@ -39,7 +39,7 @@ profile runuser @{exec_path} {
 owner @{PROC}/@{pid}/loginuid r,
 @{PROC}/1/limits r,
- /etc/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/ r,
 /etc/default/runuser r,
diff --git a/apparmor.d/profiles-s-z/sddm b/apparmor.d/profiles-s-z/sddm
index 1f205589..210cf590 100644
--- a/apparmor.d/profiles-s-z/sddm
+++ b/apparmor.d/profiles-s-z/sddm
@@ -139,12 +139,12 @@ profile sddm @{exec_path} {
 /{usr/,}lib/@{multiarch}/ld-*.so mr,
- /etc/security/limits.d/ r,
+ @{etc_ro}/security/limits.d/ r,
 owner @{HOME}/.Xauthority rw,
 /etc/default/locale r,
- /etc/environment r,
+ @{etc_ro}/environment r,
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 114f2f13..94a89dfa 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -48,8 +48,8 @@ profile su @{exec_path} {
 /{usr/,}{s,}bin/nologin rPx,
 /etc/default/locale r,
- /etc/environment r,
- /etc/security/limits.d/ r,
+ @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/ r,
 /etc/shells r,
 owner @{PROC}/@{pids}/loginuid r,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 0aca7c62..a03431bc 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -54,10 +54,10 @@ profile sudo @{exec_path} {
 /{usr/,}lib/cockpit/cockpit-askpass rPx,
 /{usr/,}lib/molly-guard/molly-guard rPx,
+ @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/{,*} r,
 /etc/default/locale r,
- /etc/environment r,
 /etc/machine-id r,
- /etc/security/limits.d/{,*} r,
 /etc/sudo.conf r,
 /etc/sudoers r,
 /etc/sudoers.d/{,*} r,
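Review bot: The sudo hunk moves the two converted rules above `/etc/default/locale`, whereas the cron, atd and su hunks in the same commit keep the `@{etc_ro}` rules in the position the `/etc` rules occupied, so the ordering convention differs between profiles touched by one change. Keeping the converted rules in place (or grouping them first everywhere) would make the next `@{etc_ro}` sweep a mechanical diff and simplify review. Leaving `/etc/sudo.conf`, `/etc/sudoers` and `/etc/sudoers.d/{,*}` on `/etc` appears intentional since those are administrator-edited policy files, but a one-line comment such as `# sudoers is admin-managed, not an @{etc_ro} path` would stop a later sweep from converting them by mistake.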