From 2438179b76a4a66cf50164874003cf823f8900cf Mon Sep 17 00:00:00 2001
From: Vincas Dargis
Date: Thu, 8 Nov 2018 20:00:45 +0200
Subject: [PATCH] Use @{sys} tunable in profiles and abstractions

Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable available by default. Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var).
Closes LP#1728551
---
 profiles/apparmor.d/abstractions/base | 4 +-
 .../apparmor.d/abstractions/dri-enumerate | 3 +-
 profiles/apparmor.d/abstractions/nvidia | 2 +-
 .../apparmor.d/abstractions/opencl-common | 6 ++-
 profiles/apparmor.d/abstractions/opencl-intel | 2 +-
 .../apparmor.d/abstractions/opencl-nvidia | 4 +-
 profiles/apparmor.d/abstractions/opencl-pocl | 32 +++++++++----------
 .../abstractions/ubuntu-browsers.d/java | 8 ++--
 profiles/apparmor.d/abstractions/video | 4 +-
 profiles/apparmor.d/abstractions/vulkan | 2 +-
 profiles/apparmor.d/apache2.d/phpsysinfo | 14 ++++----
 profiles/apparmor.d/nvidia_modprobe | 10 +++--
 profiles/apparmor.d/sbin.syslog-ng | 2 +-
 profiles/apparmor.d/usr.sbin.dnsmasq | 6 ++-
 14 files changed, 49 insertions(+), 50 deletions(-)

diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base
index 533bfb011..2a39ee04c 100644
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@@ -90,8 +90,8 @@
 @{PROC}/meminfo r,
 @{PROC}/stat r,
 @{PROC}/cpuinfo r,
- /sys/devices/system/cpu/ r,
- /sys/devices/system/cpu/online r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/online r,
 # glibc's *printf protections read the maps file
 @{PROC}/@{pid}/{maps,auxv,status} r,
diff --git a/profiles/apparmor.d/abstractions/dri-enumerate b/profiles/apparmor.d/abstractions/dri-enumerate
index 1162a08e2..e101be5cb 100644
--- a/profiles/apparmor.d/abstractions/dri-enumerate
+++ b/profiles/apparmor.d/abstractions/dri-enumerate
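Review bot: With the two new `@{sys}/devices/system/cpu/` rules, abstractions/base now requires the @{sys} variable to be defined at parse time, and as far as this hunk shows base does not include a tunables file itself, so a profile that includes abstractions/base without `#include <tunables/global>` (or with a tunables tree predating aa065287909f6a3115bfaf02bee85d323e46b706, which the commit message says is what made @{sys} available by default) will fail to load instead of keeping the old literal /sys paths. Because base is pulled in by almost every profile, including third-party ones, a comment near the top of the file such as `# @{sys} comes from tunables/global; profiles including this abstraction must include it` would make the new prerequisite explicit, and running the parser over the shipped profile set in CI would catch a missing definition. The same dependency is introduced by the other abstraction hunks in this patch (dri-enumerate, nvidia, opencl-common, opencl-intel, opencl-nvidia, opencl-pocl, ubuntu-browsers.d/java, video and vulkan); the standalone profiles presumably already include tunables/global, though their include lines are outside the visible hunks.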
@@ -4,6 +4,5 @@
 # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
 # libdrm).
- # TODO: use @{sys} after it's moved into tunables/kernelvars (LP: #1728551)
- /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+ @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
diff --git a/profiles/apparmor.d/abstractions/nvidia b/profiles/apparmor.d/abstractions/nvidia
index b65e8a01b..b01ef8b55 100644
--- a/profiles/apparmor.d/abstractions/nvidia
+++ b/profiles/apparmor.d/abstractions/nvidia
@@ -19,7 +19,7 @@
 @{PROC}/driver/nvidia/params r,
 @{PROC}/modules r,
- /sys/devices/system/memory/block_size_bytes r,
+ @{sys}/devices/system/memory/block_size_bytes r,
 owner @{HOME}/.nv/ w,
 owner @{HOME}/.nv/GLCache/ rw,
diff --git a/profiles/apparmor.d/abstractions/opencl-common b/profiles/apparmor.d/abstractions/opencl-common
index bbf773174..0ad3d559a 100644
--- a/profiles/apparmor.d/abstractions/opencl-common
+++ b/profiles/apparmor.d/abstractions/opencl-common
@@ -4,7 +4,7 @@
 # System files
 /etc/OpenCL/** r,
- /sys/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
- /sys/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
- /sys/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
+ @{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
+ @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
+ @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
diff --git a/profiles/apparmor.d/abstractions/opencl-intel b/profiles/apparmor.d/abstractions/opencl-intel
index db414c5b2..353eeca29 100644
--- a/profiles/apparmor.d/abstractions/opencl-intel
+++ b/profiles/apparmor.d/abstractions/opencl-intel
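Review bot: The rewritten `@{sys}/bus/pci/devices/ r,` line in the opencl-common hunk carries over the comment `libpocl.so -> libhwlock.so`, which looks like a typo for libhwloc.so: the neighbouring annotations in the opencl-pocl hunk spell the same library `libhwloc.so`, and that is the soname the hwloc library actually ships under. Since the line is being rewritten anyway, correcting it to `# libpocl.so -> libhwloc.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so` would keep the rule-to-library annotations consistent and searchable. The opencl-pocl hunk has the same spelling on its `@{sys}/bus/{cpu,node}/devices/`, `@{sys}/devices/pci[0-9]*/**/{class,local_cpus}` and `cpu[0-9]*/online` lines.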
@@ -12,6 +12,6 @@
 # System files
 /dev/dri/card[0-9]* rw, # beignet/libcl.so
- /sys/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
+ @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
 /usr/lib/@{multiarch}/beignet/** r,
diff --git a/profiles/apparmor.d/abstractions/opencl-nvidia b/profiles/apparmor.d/abstractions/opencl-nvidia
index 5fcfab987..8a4764ecb 100644
--- a/profiles/apparmor.d/abstractions/opencl-nvidia
+++ b/profiles/apparmor.d/abstractions/opencl-nvidia
@@ -16,8 +16,8 @@
 # libnvidia-opencl.so rules:
 /dev/nvidia-uvm rw,
 /dev/nvidia-uvm-tools rw,
- /sys/devices/pci[0-9]*/**/config r,
- /sys/devices/system/memory/block_size_bytes r,
+ @{sys}/devices/pci[0-9]*/**/config r,
+ @{sys}/devices/system/memory/block_size_bytes r,
 /usr/share/nvidia/** r,
 @{PROC}/devices r,
 @{PROC}/sys/vm/mmap_min_addr r,
diff --git a/profiles/apparmor.d/abstractions/opencl-pocl b/profiles/apparmor.d/abstractions/opencl-pocl
index d47823947..054689abc 100644
--- a/profiles/apparmor.d/abstractions/opencl-pocl
+++ b/profiles/apparmor.d/abstractions/opencl-pocl
@@ -11,22 +11,22 @@
 # System files
 / r, # libpocl.so -> libhwloc.so
- /sys/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
- /sys/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
- /sys/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
- /sys/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
- /sys/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
- /sys/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
- /sys/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
- /sys/devices/system/cpu/ r, # libpocl.so -> libnuma.so
- /sys/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
- /sys/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
- /sys/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
- /sys/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
- /sys/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
- /sys/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
- /sys/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
- /sys/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
+ @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
+ @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
+ @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+ @{sys}/devices/pci[0-9]*/**/ r, # for libpocl -> hwloc_linux_lookup_block_class() from libhwloc.so
+ @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
+ @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
+ @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+ @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
+ @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
+ @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
+ @{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
+ @{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
+ @{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
+ @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
+ @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
 /usr/share/pocl/** r,
 /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
diff --git a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
index 4a3a54a32..8193a5c9f 100644
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@@ -41,8 +41,8 @@
 @{PROC}/@{pid}/ r,
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/filesystems r,
- /sys/devices/system/cpu/ r,
- /sys/devices/system/cpu/** r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
 /usr/share/** r,
 /var/lib/dbus/machine-id r,
@@ -88,8 +88,8 @@
 @{PROC}/@{pid}/ r,
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/filesystems r,
- /sys/devices/system/cpu/ r,
- /sys/devices/system/cpu/** r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/cpu/** r,
 /usr/share/** r,
 /var/lib/dbus/machine-id r,
diff --git a/profiles/apparmor.d/abstractions/video b/profiles/apparmor.d/abstractions/video
index 61cebaed6..00a834681 100644
--- a/profiles/apparmor.d/abstractions/video
+++ b/profiles/apparmor.d/abstractions/video
@@ -2,5 +2,5 @@
 # video device access
 # System devices
- /sys/class/video4linux r,
- /sys/class/video4linux/** r,
+ @{sys}/class/video4linux r,
+ @{sys}/class/video4linux/** r,
diff --git a/profiles/apparmor.d/abstractions/vulkan b/profiles/apparmor.d/abstractions/vulkan
index 4e991dfe2..39b5d5ff9 100644
--- a/profiles/apparmor.d/abstractions/vulkan
+++ b/profiles/apparmor.d/abstractions/vulkan
@@ -5,7 +5,7 @@
 /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
 /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r, # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
- /sys/devices/pci[0-9]*/*/drm/ r,
+ @{sys}/devices/pci[0-9]*/*/drm/ r,
 /usr/share/vulkan/icd.d/{,*.json} r,
 /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
diff --git a/profiles/apparmor.d/apache2.d/phpsysinfo b/profiles/apparmor.d/apache2.d/phpsysinfo
index 669f7a491..af730910e 100644
--- a/profiles/apparmor.d/apache2.d/phpsysinfo
+++ b/profiles/apparmor.d/apache2.d/phpsysinfo
@@ -20,13 +20,13 @@
 /etc/phpsysinfo/config.php r,
 /etc/udev/udev.conf r,
 @{PROC}/** r,
- /sys/bus/ r,
- /sys/bus/pci/devices/ r,
- /sys/bus/pci/slots/ r,
- /sys/bus/pci/slots/** r,
- /sys/bus/usb/devices/ r,
- /sys/class/ r,
- /sys/devices/** r,
+ @{sys}/bus/ r,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/bus/pci/slots/ r,
+ @{sys}/bus/pci/slots/** r,
+ @{sys}/bus/usb/devices/ r,
+ @{sys}/class/ r,
+ @{sys}/devices/** r,
 /usr/bin/ r,
 /usr/bin/apt-cache ixr,
 /usr/bin/dpkg-query ixr,
diff --git a/profiles/apparmor.d/nvidia_modprobe b/profiles/apparmor.d/nvidia_modprobe
index 907820fba..01f714ca7 100644
--- a/profiles/apparmor.d/nvidia_modprobe
+++ b/profiles/apparmor.d/nvidia_modprobe
@@ -24,8 +24,8 @@ profile nvidia_modprobe {
 /dev/nvidia-uvm w,
 /dev/nvidia-uvm-tools w,
- /sys/bus/pci/devices/ r,
- /sys/devices/pci[0-9]*/**/config r,
+ @{sys}/bus/pci/devices/ r,
+ @{sys}/devices/pci[0-9]*/**/config r,
 @{PROC}/devices r,
 @{PROC}/modules r,
 @{PROC}/sys/kernel/modprobe r,
@@ -51,9 +51,9 @@ profile nvidia_modprobe {
 /etc/modprobe.d/{,*.conf} r,
 /etc/nvidia/current/*.conf r,
- /sys/module/ipmi_devintf/initstate r,
- /sys/module/ipmi_msghandler/initstate r,
- /sys/module/nvidia/initstate r,
+ @{sys}/module/ipmi_devintf/initstate r,
+ @{sys}/module/ipmi_msghandler/initstate r,
+ @{sys}/module/nvidia/initstate r,
 @{PROC}/cmdline r,
 }
diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng
index b179b3e6c..12f1b6dc8 100644
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -47,7 +47,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
 /etc/hosts.deny r,
 /etc/hosts.allow r,
 /{usr/,}{bin,sbin}/syslog-ng mr,
- /sys/devices/system/cpu/online r,
+ @{sys}/devices/system/cpu/online r,
 /usr/share/syslog-ng/** r,
 /var/lib/syslog-ng/syslog-ng-?????.qf rw,
 # chrooted applications
diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
index f2e6847d1..fba51259d 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -107,9 +107,9 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/net/psched r,
 owner @{PROC}/@{pid}/status r,
- /sys/devices/system/cpu/ r,
- /sys/devices/system/node/ r,
- /sys/devices/system/node/*/meminfo r,
+ @{sys}/devices/system/cpu/ r,
+ @{sys}/devices/system/node/ r,
+ @{sys}/devices/system/node/*/meminfo r,
 # libvirt lease and status files for dnsmasq
 /var/lib/libvirt/dnsmasq/*.leases rw,