refractor(profiles): improve child profile structure.

apparmor.d/groups/children/child-dpkg

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 # Note: This profile does not specify an attachment path because it is
@@ -12,7 +13,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-# Do not attach to @{bin}/dpkg by default
+@{exec_path} = @{bin}/dpkg
 profile child-dpkg {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -21,7 +22,7 @@ profile child-dpkg {
   capability dac_read_search,
   capability setgid,
 
-  @{bin}/dpkg mr,
+  @{exec_path} mr,
 
   # Do not strip env to avoid errors like the following:
   #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open

apparmor.d/groups/children/child-dpkg-divert

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 # Note: This profile does not specify an attachment path because it is
@@ -12,11 +13,11 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-# Do not attach to @{bin}/dpkg-divert by default
+@{exec_path} = @{bin}/dpkg-divert
 profile child-dpkg-divert {
   include <abstractions/base>
 
-  @{bin}/dpkg-divert mr,
+  @{exec_path} mr,
 
   /var/lib/dpkg/arch r,
   /var/lib/dpkg/status r,

apparmor.d/groups/children/child-open

@@ -16,7 +16,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-# App allowed to open
+@{exec_path}  = @{bin}/exo-open @{bin}/xdg-open 
+@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
 profile child-open {
   include <abstractions/base>
   include <abstractions/dri-enumerate>
@@ -24,10 +25,7 @@ profile child-open {
   include <abstractions/vulkan>
   include <abstractions/xdg-open>
 
-  @{bin}/exo-open                                     mr,
+  @{exec_path} mrix,
-  @{bin}/xdg-open                                     mr,
-  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mrix,
-  @{lib}/gio-launch-desktop                           mrix,
 
   @{bin}/{,ba,da}sh        rix,
   @{bin}/{,m,g}awk         rix,

apparmor.d/groups/children/child-pager

@@ -13,7 +13,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-# Do not attach to @{bin}/pager by default
+@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more 
 profile child-pager {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -24,9 +24,7 @@ profile child-pager {
   signal (receive) set=(stop, cont, term, kill),
 
   @{bin}/       r,
-  @{bin}/pager mr,
+  @{exec_path} mr,
-  @{bin}/less  mr,
-  @{bin}/more  mr,
 
   @{system_share_dirs}/terminfo/{,**} r,
 

apparmor.d/groups/children/child-systemctl

@@ -13,7 +13,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-# Do not attach to @{bin}/systemctl by default
+@{exec_path} = @{bin}/systemctl
 profile child-systemctl flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) {
        interface=org.freedesktop.systemd[0-9].Manager
        member=GetUnitFileState,
 
-  @{bin}/systemctl mr,
+  @{exec_path} mr,
 
   /etc/machine-id r,
   /etc/systemd/user/{,**} rwl,