add more unconfined profiles

These applications need to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 https://gitlab.com/apparmor/apparmor/-/merge_requests/1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-03-04 00:14:44 +01:00 · 2024-02-06 15:10:20 -03:00 · 2024-02-06 15:10:20 -03:00 · 89a9f76733
commit 89a9f76733
parent 48d475036a
4 changed files with 48 additions and 0 deletions
--- a/profiles/apparmor.d/devhelp
+++ b/profiles/apparmor.d/devhelp
@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile devhelp /usr/bin/devhelp flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/devhelp>
+}
--- a/profiles/apparmor.d/epiphany
+++ b/profiles/apparmor.d/epiphany
@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/epiphany>
+}
--- a/profiles/apparmor.d/evolution
+++ b/profiles/apparmor.d/evolution
@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile evolution /usr/bin/evolution flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/evolution>
+}
--- a/profiles/apparmor.d/opam
+++ b/profiles/apparmor.d/opam
@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile opam /usr/bin/opam flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/opam>
+}