Merge branch 'cboltz-2.11-revert-sbin-bin' into 'apparmor-2.11'

[2.11] revert {bin,sbin} and some more profile name changes Revert two commits that changed the profile name (which also meens signal peer=... rules need to be changed), which is something we should avoid in an old branch. revert backport of https://gitlab.com/apparmor/apparmor/merge_requests/149 (merged): PR: https://gitlab.com/apparmor/apparmor/merge_requests/248 Acked-by: John Johansen <john.johansen@canonical.com>
2025-03-06 17:31:01 +01:00 · 2018-10-22 02:09:48 +00:00 · 2018-10-22 02:09:48 +00:00 · e4fc384ae2
commit e4fc384ae2
parent eaa7f03064 002fda8718
21 changed files with 54 additions and 51 deletions
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@ -7,9 +7,9 @@
  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,
  # Allow apache to send us signals by default
-  signal (receive) peer=/usr/{bin,sbin}/apache2,
+  signal (receive) peer=/usr/sbin/apache2,
  # Allow other hats to signal by default
-  signal peer=/usr/{bin,sbin}/apache2//*,
+  signal peer=/usr/sbin/apache2//*,
  # Allow us to signal ourselves
  signal peer=@{profile_name},
--- a/profiles/apparmor.d/abstractions/dovecot-common
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@ -14,6 +14,6 @@
  deny capability block_suspend,
  # dovecot's master can send us signals
-  signal receive peer=/usr/{bin,sbin}/dovecot,
+  signal receive peer=/usr/sbin/dovecot,
  /{var/,}run/dovecot/config rw,
--- a/profiles/apparmor.d/abstractions/ubuntu-helpers
+++ b/profiles/apparmor.d/abstractions/ubuntu-helpers
@ -46,7 +46,9 @@ profile sanitized_helper {
  # Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
-  /{usr/,usr/local/,}{bin,sbin}/* Pixr,
+  /{usr/,}bin/* Pixr,
  /{usr/,}sbin/* Pixr,
  /usr/local/bin/* Pixr,
  # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
  /usr/{,local/}lib*/{,**/}* Pixr,
--- a/profiles/apparmor.d/bin.ping
+++ b/profiles/apparmor.d/bin.ping
@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include <tunables/global>
-profile ping /{usr/,}bin/{,iputils-}ping {
+profile ping /{usr/,}bin/ping {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
@ -20,7 +20,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
  network inet raw,
  network inet6 raw,
-  /{,usr/}bin/{,iputils-}ping mixr,
+  /{,usr/}bin/ping mixr,
  /etc/modules.conf r,
  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@ -11,7 +11,7 @@
 #include <tunables/global>
-profile klogd /{usr/,}{bin,sbin}/klogd {
+profile klogd /{usr/,}sbin/klogd {
  #include <abstractions/base>
  capability sys_admin, # for backward compatibility with kernel <= 2.6.37
@ -24,7 +24,7 @@ profile klogd /{usr/,}{bin,sbin}/klogd {
  @{PROC}/kallsyms		r,
  /dev/tty		rw,
-  /{usr/,}{bin,sbin}/klogd	rmix,
+  /{usr/,}sbin/klogd		rmix,
  /var/log/boot.msg     rwl,
  /{,var/}run/klogd.pid    krwl,
  /{,var/}run/klogd/klogd.pid krwl,
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@ -15,7 +15,7 @@
 #define this to be where syslog-ng is chrooted
@{CHROOT_BASE}=""
-profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
+profile syslog-ng /{usr/,}sbin/syslog-ng {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
@ -46,7 +46,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
  @{PROC}/kmsg r,
  /etc/hosts.deny r,
  /etc/hosts.allow r,
-  /{usr/,}{bin,sbin}/syslog-ng mr,
+  /{usr/,}sbin/syslog-ng mr,
  /sys/devices/system/cpu/online r,
  /usr/share/syslog-ng/** r,
  /var/lib/syslog-ng/syslog-ng-?????.qf rw,
--- a/profiles/apparmor.d/sbin.syslogd
+++ b/profiles/apparmor.d/sbin.syslogd
@ -11,7 +11,7 @@
 #include <tunables/global>
-profile syslogd /{usr/,}{bin,sbin}/syslogd {
+profile syslogd /{usr/,}sbin/syslogd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/consoles>
@ -32,7 +32,7 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
  /dev/tty*                     w,
  /dev/xconsole                 rw,
  /etc/syslog.conf              r,
-  /{usr/,}{bin,sbin}/syslogd    rmix,
+  /{usr/,}sbin/syslogd                 rmix,
  /var/log/**                   rw,
  /{,var/}run/syslogd.pid          krwl,
  /{,var/}run/utmp                 rw,
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@ -29,14 +29,14 @@
  /run/dovecot/auth-userdb rw,
  /usr/bin/doveconf mrix,
  /usr/lib/dovecot/dovecot-lda mrix,
-  /usr/{bin,sbin}/sendmail Cx,
+  /usr/sbin/sendmail Cx,
  /usr/share/dovecot/protocols.d/ r,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.dovecot-lda>
-  profile /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
+  profile /usr/sbin/sendmail flags=(attach_disconnected) {
    # this profile is based on the usr.sbin.sendmail profile in extras
    # and should support both postfix' and sendmail's sendmail binary
@ -69,13 +69,13 @@
    /usr/lib/postfix/master Px,
    /usr/lib/postfix/showq Px,
    /usr/lib/postfix/smtpd Px,
-    /usr/{bin,sbin}/postalias Px,
+    /usr/sbin/postalias Px,
-    /usr/{bin,sbin}/postdrop Px,
+    /usr/sbin/postdrop Px,
-    /usr/{bin,sbin}/postfix Px,
+    /usr/sbin/postfix Px,
-    /usr/{bin,sbin}/postqueue Px,
+    /usr/sbin/postqueue Px,
-    /usr/{bin,sbin}/sendmail mrix,
+    /usr/sbin/sendmail mrix,
-    /usr/{bin,sbin}/sendmail.postfix mrix,
+    /usr/sbin/sendmail.postfix mrix,
-    /usr/{bin,sbin}/sendmail.sendmail mrix,
+    /usr/sbin/sendmail.sendmail mrix,
    /{var/,}run/sendmail.pid rwl,
    /{var/,}run/sm-client.pid rwl,
    /{var/,}run/utmp rw,
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@ -1,7 +1,7 @@
 # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
 #include <tunables/global>
-/usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
+/usr/sbin/apache2 {
  # This profile is completely permissive.
  # It is designed to target specific applications using mod_apparmor,
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@ -1,5 +1,5 @@
 #include <tunables/global>
-/usr/{bin,sbin}/avahi-daemon {
+/usr/sbin/avahi-daemon {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/dbus>
@ -20,7 +20,7 @@
  /etc/avahi/services/ r,
  /etc/avahi/services/*.service r,
  @{PROC}/@{pid}/fd/ r,
-  /usr/{bin,sbin}/avahi-daemon mr,
+  /usr/sbin/avahi-daemon mr,
  /usr/share/avahi/introspection/*.introspect r,
  /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
  /{,var/}run/avahi-daemon/ w,
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@ -12,7 +12,7 @@
@{TFTP_DIR}=/var/tftp /srv/tftpboot
 #include <tunables/global>
-profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+/usr/sbin/dnsmasq flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus>
  #include <abstractions/nameservice>
@ -26,8 +26,8 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
  network inet raw,
  network inet6 raw,
-  signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+  signal (receive) peer=/usr/sbin/libvirtd,
-  ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+  ptrace (readby) peer=/usr/sbin/libvirtd,
  owner /dev/tty rw,
@ -42,7 +42,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
  /etc/NetworkManager/dnsmasq-shared.d/ r,
  /etc/NetworkManager/dnsmasq-shared.d/* r,
-  /usr/{bin,sbin}/dnsmasq mr,
+  /usr/sbin/dnsmasq mr,
  /var/log/*dnsmasq.log w,
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@ -12,7 +12,7 @@
 #include <tunables/global>
-/usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
+/usr/sbin/dovecot flags=(attach_disconnected) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/dovecot-common>
@ -55,7 +55,7 @@
  /usr/lib/dovecot/ssl-build-param rix,
  /usr/lib/dovecot/ssl-params mrPx,
  /usr/lib/dovecot/stats Px,
-  /usr/{bin,sbin}/dovecot mrix,
+  /usr/sbin/dovecot mrix,
  /usr/share/dovecot/protocols.d/   r,
  /usr/share/dovecot/protocols.d/** r,
  /var/lib/dovecot/ w,
--- a/profiles/apparmor.d/usr.sbin.identd
+++ b/profiles/apparmor.d/usr.sbin.identd
@ -11,7 +11,7 @@
 #include <tunables/global>
-/usr/{bin,sbin}/identd {
+/usr/sbin/identd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability net_bind_service,
@ -20,7 +20,7 @@
  /etc/identd.conf         r,
  /etc/identd.key          r,
  /etc/identd.pid          w,
-  /usr/{bin,sbin}/identd   rmix,
+  /usr/sbin/identd	   rmix,
  @{PROC}/net/tcp          r,
  @{PROC}/net/tcp6         r,
  /{,var/}run/identd.pid   w,
--- a/profiles/apparmor.d/usr.sbin.mdnsd
+++ b/profiles/apparmor.d/usr.sbin.mdnsd
@ -11,7 +11,7 @@
 #include <tunables/global>
-/usr/{bin,sbin}/mdnsd {
+/usr/sbin/mdnsd {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
@ -24,7 +24,7 @@
  network netlink dgram,
-  /usr/{bin,sbin}/mdnsd rmix,
+  /usr/sbin/mdnsd rmix,
  @{PROC}/net/ r,
  @{PROC}/net/unix r,
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@ -1,6 +1,6 @@
 #include <tunables/global>
-/usr/{bin,sbin}/nmbd {
+/usr/sbin/nmbd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/samba>
@ -9,7 +9,7 @@
  @{PROC}/sys/kernel/core_pattern r,
-  /usr/{bin,sbin}/nmbd mr,
+  /usr/sbin/nmbd mr,
  /var/cache/samba/gencache.tdb rwk,
  /var/cache/samba/gencache_notrans.tdb rwk,
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include <tunables/global>
-/usr/{bin,sbin}/nscd {
+/usr/sbin/nscd {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
@ -23,7 +23,7 @@
  /etc/netgroup r,
  /etc/nscd.conf r,
-  /usr/{bin,sbin}/nscd rmix,
+  /usr/sbin/nscd rmix,
  /{,var/}run/.nscd_socket wl,
  /{,var/}run/nscd/ rw,
  /{,var/}run/nscd/db* rwl,
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@ -11,7 +11,7 @@
 #include <tunables/global>
 #include <tunables/ntpd>
-/usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
+/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
@ -40,7 +40,7 @@
  /tmp/ntp* rwl,
  /{usr/,usr/local/,}{s,}bin/ r,
-  /usr/{bin,sbin}/{,open}ntpd rmix,
+  /usr/sbin/ntpd rmix,
  /var/db/ r,
  /var/db/ntpd.drift rwl,
  /var/lib/ntp/drift rwl,
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@ -1,6 +1,6 @@
 #include <tunables/global>
-/usr/{bin,sbin}/smbd {
+/usr/sbin/smbd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
@ -37,8 +37,8 @@
  /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
  /usr/lib/@{multiarch}/samba/**/ r,
  /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
-  /usr/{bin,sbin}/smbd mr,
+  /usr/sbin/smbd mr,
-  /usr/{bin,sbin}/smbldap-useradd Px,
+  /usr/sbin/smbldap-useradd Px,
  /var/cache/samba/** rwk,
  /var/{cache,lib}/samba/printing/printers.tdb mrw,
  /var/lib/samba/** rwk,
--- a/profiles/apparmor.d/usr.sbin.smbldap-useradd
+++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd
@ -1,7 +1,7 @@
 # Last Modified: Tue Jan  3 00:17:40 2012
 #include <tunables/global>
-/usr/{bin,sbin}/smbldap-useradd {
+/usr/sbin/smbldap-useradd {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>
@ -13,8 +13,8 @@
  /etc/shadow r,
  /etc/smbldap-tools/smbldap.conf r,
  /etc/smbldap-tools/smbldap_bind.conf r,
-  /usr/{bin,sbin}/smbldap-useradd r,
+  /usr/sbin/smbldap-useradd r,
-  /usr/{bin,sbin}/smbldap_tools.pm r,
+  /usr/sbin/smbldap_tools.pm r,
  /var/log/samba/log.smbd w,
  # Site-specific additions and overrides. See local/README for details.
--- a/profiles/apparmor.d/usr.sbin.traceroute
+++ b/profiles/apparmor.d/usr.sbin.traceroute
@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include <tunables/global>
-profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} {
+/usr/{sbin/traceroute,bin/traceroute.db} {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
@ -21,7 +21,8 @@ profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/tracerou
  network inet raw,
  network inet6 raw,
-  /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix,
+  /usr/sbin/traceroute mrix,
  /usr/bin/traceroute.db mrix,
  @{PROC}/net/route r,
  @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@ -1,6 +1,6 @@
 #include <tunables/global>
-/usr/{bin,sbin}/winbindd {
+/usr/sbin/winbindd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/samba>
@ -24,7 +24,7 @@
  /usr/lib*/samba/idmap/*.so mr,
  /usr/lib*/samba/nss_info/*.so mr,
  /usr/lib*/samba/pdb/*.so mr,
-  /usr/{bin,sbin}/winbindd mr,
+  /usr/sbin/winbindd mr,
  /var/cache/krb5rcache/* rw,
  /var/cache/samba/*.tdb rwk,
  /var/log/samba/log.winbindd rw,