feat(profile): replace @{md5} by @{hex32}.

2024-11-14 23:43:56 +01:00 · 2024-03-19 21:26:12 +00:00 · 2024-03-19 21:26:12 +00:00 · bf613f59a5
commit bf613f59a5
parent ceb78d971e
24 changed files with 59 additions and 56 deletions
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@ -22,7 +22,7 @@
  /etc/pulse/client.conf.d/{,**} r,
  /etc/wildmidi/wildmidi.cfg r,

-  owner @{desktop_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,  # libcanberra
+  owner @{desktop_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,  # libcanberra
  owner @{desktop_config_dirs}/pulse/ rw,
  owner @{desktop_config_dirs}/pulse/client.conf r,
  owner @{desktop_config_dirs}/pulse/client.conf.d/{,*.conf} r,
@ -33,7 +33,7 @@
  owner @{HOME}/.libao r,
  owner @{HOME}/.esd_auth r,

-  owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,  # libcanberra
+  owner @{user_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,  # libcanberra

  owner @{user_config_dirs}/pulse/ rw,
  owner @{user_config_dirs}/pulse/client.conf r,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -130,7 +130,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {

  owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kioslaverc r,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -46,9 +46,9 @@ profile dbus-system flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,

  @{desktop_share_dirs}/icc/ r,
-  @{desktop_share_dirs}/icc/edid-@{md5}.icc r,
+  @{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
  @{user_share_dirs}/icc/ r,
-  @{user_share_dirs}/icc/edid-@{md5}.icc r,
+  @{user_share_dirs}/icc/edid-@{hex32}.icc r,

  @{run}/systemd/users/@{int} r,
  @{run}/systemd/sessions/*.ref rw,
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -38,13 +38,13 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  owner @{desktop_config_dirs}/dconf/ w,
  owner @{desktop_config_dirs}/dconf/user rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
-  owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{DESKTOP_HOME}/greeter-dconf-defaults r,

  owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,

  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  owner /dev/tty@{int} rw,

--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -22,7 +22,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {

  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
-  owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  owner /dev/tty@{int} rw,

--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@ -46,7 +46,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{desktop_config_dirs}/dconf/user r,
  owner @{desktop_config_dirs}/ibus/bus/ r,
-  owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  /dev/tty@{int} rw,

--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -21,7 +21,7 @@ profile ibus-memconf @{exec_path} {

  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
-  owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  include if exists <local/ibus-memconf>
 }
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -29,7 +29,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  owner @{desktop_config_dirs}/ibus/bus/ r,
-  owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  owner /dev/tty@{int} rw,

--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -32,12 +32,12 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  owner @{desktop_config_dirs}/ibus/bus/ r,
-  owner @{desktop_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,

  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  owner /dev/tty@{int} rw,

--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -39,10 +39,10 @@ profile child-systemctl flags=(attach_disconnected) {
  /etc/systemd/user/{,**} rwl,

  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{md5}/ r,
-  /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/@{md5}/system.journal* r,
-  /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/ r,
+  /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/system.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,

  @{run}/systemd/private rw,

--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -101,7 +101,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  owner @{user_config_dirs}/gnome-control-center/{,**} rw,
  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
  owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,

--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -53,7 +53,7 @@ profile gnome-initial-setup @{exec_path} {
  owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6}BQK2 rw,

  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  @{run}/systemd/sessions/@{int} r,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -252,7 +252,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_cache_dirs}/ w,
-  owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
+  owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
  owner @{gdm_cache_dirs}/fontconfig/{,*} rwl,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw,
  owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
@ -266,7 +266,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_config_dirs}/ibus/ rw,
  owner @{gdm_config_dirs}/ibus/bus/ rw,
-  owner @{gdm_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{gdm_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner @{gdm_config_dirs}/pulse/ rw,
  owner @{gdm_config_dirs}/pulse/client.conf r,
  owner @{gdm_config_dirs}/pulse/cookie rwk,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -57,7 +57,7 @@ profile gnome-terminal-server @{exec_path} {

  owner @{user_config_dirs}/*xdg-terminals.list* rw,
  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

  owner /tmp/#@{int} rw,

--- a/apparmor.d/groups/kde/drkonqi-coredump-processor
+++ b/apparmor.d/groups/kde/drkonqi-coredump-processor
@ -18,11 +18,11 @@ profile drkonqi-coredump-processor @{exec_path} {
  /usr/share/icu/@{int}.@{int}/*.dat r,

  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{md5}/ r,
-  /{run,var}/log/journal/@{md5}/system.journal r,
-  /{run,var}/log/journal/@{md5}/system@@{hex}.journal r,
-  /{run,var}/log/journal/@{md5}/user-@{uid}.journal r,
-  /{run,var}/log/journal/@{md5}/user-@{uid}@@{hex}.journal r,
+  /{run,var}/log/journal/@{hex32}/ r,
+  /{run,var}/log/journal/@{hex32}/system.journal r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex}.journal r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}.journal r,

  include if exists <local/drkonqi-coredump-processor>
 }
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -36,12 +36,14 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
  /var/lib/systemd/catalog/.#database* rw,

        /{run,var}/log/journal/ r,
-        /{run,var}/log/journal/@{md5}/ r,
-        /{run,var}/log/journal/@{md5}/system.journal* r,
-        /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw,
-        /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
-  owner /{run,var}/log/journal/@{md5}/fss wl -> /var/log/journal/@{md5}/fss.tmp.*,
-  owner /{run,var}/log/journal/@{md5}/fss.tmp.* rw,
+        /{run,var}/log/journal/@{hex32}/ r,
+        /{run,var}/log/journal/@{hex32}/system.journal* r,
+        /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal* rw,
+        /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
+        /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw,
+        /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex}-@{hex}.journal* rw,
+  owner /{run,var}/log/journal/@{hex32}/fss wl -> /var/log/journal/@{hex32}/fss.tmp.*,
+  owner /{run,var}/log/journal/@{hex32}/fss.tmp.* rw,
  owner /var/tmp/#@{int} rw,

  @{run}/host/container-manager r,
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -46,10 +46,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
  # To be able to read logs
  @{run}/log/ r,
  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{md5}/ r,
-  /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/@{md5}/system.journal* r,
-  /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/ r,
+  /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/system.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,

  @{run}/systemd/netif/leases/@{int} r,
  @{run}/systemd/netif/links/@{int} r,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -36,8 +36,8 @@ profile systemd-journald @{exec_path} {

  @{run}/log/ rw,
  /{run,var}/log/journal/ rw,
-  /{run,var}/log/journal/@{md5}/ rw,
-  /{run,var}/log/journal/@{md5}/* rwl -> /{run,var}/log/journal/@{md5}/#@{int},
+  /{run,var}/log/journal/@{hex32}/ rw,
+  /{run,var}/log/journal/@{hex32}/* rwl -> /{run,var}/log/journal/@{hex32}/#@{int},

  owner @{run}/systemd/journal/{,**} rw,
  owner @{run}/systemd/notify rw,
--- a/apparmor.d/groups/ubuntu/subiquity-console-conf
+++ b/apparmor.d/groups/ubuntu/subiquity-console-conf
@ -99,10 +99,10 @@ profile subiquity-console-conf @{exec_path} {

    @{run}/log/ rw,
    /{run,var}/log/journal/ rw,
-    /{run,var}/log/journal/@{md5}/ rw,
-    /{run,var}/log/journal/@{md5}/system.journal* rw,
-    /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw,
-    /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
+    /{run,var}/log/journal/@{hex32}/ rw,
+    /{run,var}/log/journal/@{hex32}/system.journal* rw,
+    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* rw,
+    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,

    owner @{PROC}/@{pid}/stat r,

--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@ -51,10 +51,10 @@ profile torbrowser-wrapper @{exec_path} {
    /etc/machine-id r,

    /{run,var}/log/journal/ r,
-    /{run,var}/log/journal/@{md5}/ r,
-    /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
-    /{run,var}/log/journal/@{md5}/system.journal* r,
-    /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/ r,
+    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/system.journal* r,
+    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
    
    include if exists <local/torbrowser-wrapper_systemctl>
  }
--- a/apparmor.d/groups/whonix/whonix-firewall-restarter
+++ b/apparmor.d/groups/whonix/whonix-firewall-restarter
@ -32,10 +32,10 @@ profile whonix-firewall-restarter @{exec_path} {
  /etc/machine-id r,

  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{md5}/ r,
-  /{run,var}/log/journal/@{md5}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/@{md5}/system.journal* r,
-  /{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/ r,
+  /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/system.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,

 owner /tmp/tmp.@{rand10} rw,

--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@ -25,7 +25,7 @@ profile aa-log @{exec_path} {
  /var/log/syslog* r,

  /{run,var}/log/journal/ r,
-  /{run,var}/log/journal/@{md5}/{,*} r,
+  /{run,var}/log/journal/@{hex32}/{,*} r,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@ -134,10 +134,10 @@ profile hw-probe @{exec_path} {

    @{run}/log/ rw,
    /{run,var}/log/journal/ rw,
-    /{run,var}/log/journal/@{md5}/ rw,
-    /{run,var}/log/journal/@{md5}/user-@{hex}.journal* rw,
-    /{run,var}/log/journal/@{md5}/system.journal* rw,
-    /{run,var}/log/journal/@{md5}/system@@{hex}.journal* rw,
+    /{run,var}/log/journal/@{hex32}/ rw,
+    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
+    /{run,var}/log/journal/@{hex32}/system.journal* rw,
+    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* rw,

    owner @{PROC}/@{pid}/stat r,

--- a/pkg/logs/logs.go
+++ b/pkg/logs/logs.go
@ -65,6 +65,7 @@ var (
 		`:1.[0-9]*`, `:*`, // dbus peer name
 		`@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell
 		`@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses
+		`[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]`, `@{hex32}`,
 		`[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][-_][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]`, `@{uuid}`,
 		`[0-9][0-9][0-9][0-9][0-9][0-9]+`, `@{int}`,