feat(profiles): use /etc read only variable: etc_ro

2025-01-18 00:48:10 +01:00 · 2023-02-04 23:34:29 +00:00 · 2023-02-04 23:34:29 +00:00 · bac87f9547
commit bac87f9547
parent 6e56cfccc9
19 changed files with 33 additions and 32 deletions
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -40,8 +40,8 @@ profile cron @{exec_path} {
  /etc/cron.d/{,*} r,
  /etc/crontab r,
  /etc/default/locale r,
-  /etc/environment r,
-  /etc/security/limits.d/{,**} r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,**} r,

  /var/spool/cron/crontabs/{,*} r,

--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
@ -50,7 +50,7 @@ profile cron-exim4-base @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/1/limits r,

-  /etc/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/ r,

  include if exists <local/cron-exim4-base>
 }
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -100,7 +100,7 @@ profile cron-popularity-contest @{exec_path} {
    owner @{PROC}/@{pids}/loginuid r,
          @{PROC}/1/limits r,

-    /etc/security/limits.d/ r,
+    @{etc_ro}/security/limits.d/ r,

    /var/log/popularity-contest.new w,

--- a/apparmor.d/groups/freedesktop/xrdb
+++ b/apparmor.d/groups/freedesktop/xrdb
@ -22,7 +22,7 @@ profile xrdb @{exec_path} {

  /usr/include/stdc-predef.h r,

-  /etc/X11/Xresources/x11-common r,
+  @{etc_ro}/Xresources/x11-common r,

  # The location of the .Xresources file
  owner @{HOME}/.Xresources r,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -67,15 +67,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/gdm.schemas r,
  /usr/share/wayland-sessions/*.desktop r,

+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
  /etc/default/locale r,
-  /etc/environment r,
  /etc/gdm{3,}/custom.conf r,
  /etc/gdm{3,}/daemon.conf r,
  /etc/locale.conf r,
  /etc/machine-id r,
  /etc/motd r,
  /etc/motd.d/ r,
-  /etc/security/limits.d/{,*.conf} r,
  /etc/shells r,

  owner @{run}/user/@{uid}/keyring/control rw,
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -65,6 +65,7 @@ profile gdm-wayland-session @{exec_path} {
  /{usr/,}bin/gettext.sh r,
  /usr/share/im-config/{,**} r,

+  @{etc_ro}/profile.d/{,*} r,
  /etc/debuginfod/{,*} r,
  /etc/default/im-config r,
  /etc/gdm{3,}/custom.conf r,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -201,7 +201,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /usr/share/session-migration/scripts/{,*} r,

  /etc/gnome/defaults.list r,
-  /etc/xdg/autostart/{,*.desktop} r,
+  @{etc_ro}/xdg/autostart/{,*.desktop} r,

  /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -133,8 +133,8 @@ profile gsd-xsettings @{exec_path} {
  /usr/share/libdrm/*.ids r,

  /etc/X11/Xsession.options r,
-  /etc/xdg/Xwayland-session.d/ r,
-  /etc/xdg/Xwayland-session.d/* rix,
+  @{etc_ro}/xdg/Xwayland-session.d/ r,
+  @{etc_ro}/xdg/Xwayland-session.d/* rix,

  /var/lib/gdm{3,}/.config/dconf/user r,

--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -68,15 +68,15 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  /etc/shells r,
  /etc/default/locale r,
-  /etc/environment r,
+  @{etc_ro}/environment r,
  /etc/gss/mech.d/{,*} r,
  /etc/issue.net r,
  /etc/motd r,
-  /etc/security/limits.d/{,*.conf} r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,

+  @{etc_ro}/ssh/sshd_config r,
+  @{etc_ro}/ssh/sshd_config.d/{,*} r,
  /etc/ssh/ssh_host_* r,
-  /etc/ssh/sshd_config r,
-  /etc/ssh/sshd_config.d/{,*} r,

  # For scp
  owner @{user_download_dirs}/{,**} rwl,
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@ -19,8 +19,8 @@ profile systemd-environment-d-generator @{exec_path} {
  /{usr/,}bin/gpgconf     rPx,
  /{usr/,}bin/{m,g,}awk   rix,

-  /etc/environment r,
-  /etc/environment.d/{,**} r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/environment.d/{,**} r,

  owner @{user_config_dirs}/environment.d/{,*.conf} r,

--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@ -29,8 +29,8 @@ profile atd @{exec_path} {
  /{usr/,}bin/{,ba,da}sh    rix,
  /{usr/,}{s,}bin/sendmail  rPUx,

-  /etc/environment r,
-  /etc/security/limits.d/ r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/ r,

  /var/spool/cron/atjobs/{,*} rwl,
  /var/spool/cron/atspool/{,*} rwl,
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@ -119,7 +119,7 @@ profile check-support-status-hook @{exec_path} {
    owner @{PROC}/@{pids}/loginuid r,
          @{PROC}/1/limits r,

-    /etc/security/limits.d/ r,
+    @{etc_ro}/security/limits.d/ r,

          /tmp/ r,
    owner /tmp/debian-security-support.postinst.*/output w,
--- a/apparmor.d/profiles-g-l/lightdm
+++ b/apparmor.d/profiles-g-l/lightdm
@ -96,14 +96,14 @@ profile lightdm @{exec_path} {
  @{run}/lightdm.pid rw,

  @{PROC}/1/limits r,
-  /etc/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/ r,

  owner @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/cmdline r,

-  /etc/environment r,
+  @{etc_ro}/environment r,
  /etc/default/locale r,

  /dev/tty[0-9]* r,
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -37,12 +37,12 @@ profile login @{exec_path} flags=(complain) {
  /{usr/,}bin/{,z,ba,da}sh  rUx,

  /etc/default/locale r,
-  /etc/environment r,
+  @{etc_ro}/environment r,
  /etc/legal r,
  /etc/motd r,
  /etc/security/group.conf r,
  /etc/security/limits.conf r,
-  /etc/security/limits.d/{,*} r,
+  @{etc_ro}/security/limits.d/{,*} r,
  /etc/security/pam_env.conf r,
  /etc/shells r,

--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@ -61,9 +61,9 @@ profile pkexec @{exec_path} flags=(complain) {
  @{libexec}/cc-remote-login-helper rPx,

  /etc/shells r,
-  /etc/environment r,
+  @{etc_ro}/environment r,
  /etc/default/locale r,
-  /etc/security/limits.d/{,*} r,
+  @{etc_ro}/security/limits.d/{,*} r,

        @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-m-r/runuser
+++ b/apparmor.d/profiles-m-r/runuser
@ -39,7 +39,7 @@ profile runuser @{exec_path} {
  owner @{PROC}/@{pid}/loginuid r,
        @{PROC}/1/limits r,

-  /etc/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/ r,

  /etc/default/runuser r,

--- a/apparmor.d/profiles-s-z/sddm
+++ b/apparmor.d/profiles-s-z/sddm
@ -139,12 +139,12 @@ profile sddm @{exec_path} {

  /{usr/,}lib/@{multiarch}/ld-*.so mr,

-  /etc/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/ r,

  owner @{HOME}/.Xauthority rw,

  /etc/default/locale r,
-  /etc/environment r,
+  @{etc_ro}/environment r,

  owner @{PROC}/@{pid}/loginuid rw,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -48,8 +48,8 @@ profile su @{exec_path} {
  /{usr/,}{s,}bin/nologin   rPx,

  /etc/default/locale r,
-  /etc/environment r,
-  /etc/security/limits.d/ r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/ r,
  /etc/shells r,

  owner @{PROC}/@{pids}/loginuid r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -54,10 +54,10 @@ profile sudo @{exec_path} {
  /{usr/,}lib/cockpit/cockpit-askpass  rPx,
  /{usr/,}lib/molly-guard/molly-guard  rPx,

+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*} r,
  /etc/default/locale r,
-  /etc/environment r,
  /etc/machine-id r,
-  /etc/security/limits.d/{,*} r,
  /etc/sudo.conf r,
  /etc/sudoers r,
  /etc/sudoers.d/{,*} r,