Subject: profiles - finish @{PROC} conversion

This patch finishes the conversion from /proc to the @{PROC} tunable within profiles and abstractions. It also adjusts some of the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict things to just the /proc/pid directories. (A followup patch will convert these to use @{pid} from the kernelvars tunable.) Signed-off-by: Steve Beattie <sbeattie@ubuntu.com> Acked-By: Jamie Strandboge <jamie@canonical.com>
2025-08-31 06:16:03 +00:00 · 2013-01-02 15:31:01 -08:00
parent 39b1aa98eb
commit 3810ecb08b
8 changed files with 11 additions and 11 deletions
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -11,7 +11,7 @@
  /usr/share/apache2/** r,

  # changehat itself
-  /proc/*/attr/current                        w,
+  @{PROC}/[0-9]*/attr/current                        w,

  # htaccess files - for what ever it is worth
  /**/.htaccess            r,
--- a/profiles/apparmor.d/apache2.d/phpsysinfo
+++ b/profiles/apparmor.d/apache2.d/phpsysinfo
@@ -17,7 +17,7 @@
    /etc/lsb-release r,
    /etc/mtab r,
    /etc/phpsysinfo/config.php r,
-    /proc/** r,
+    @{PROC}/** r,
    /sys/bus/pci/devices/ r,
    /sys/devices/** r,
    /usr/bin/apt-cache ixr,
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
@@ -11,7 +11,7 @@
  capability chown,
  capability dac_override,

-  /proc/*/mounts r,
+  @{PROC}/[0-9]*/mounts r,
  /usr/lib/dovecot/dovecot-auth mr,
  /{,var/}run/dovecot/** rw,
  # required for postfix+dovecot integration
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@@ -17,7 +17,7 @@
  /etc/avahi/hosts r,
  /etc/avahi/services/ r,
  /etc/avahi/services/*.service r,
-  /proc/*/fd/ r,
+  @{PROC}/[0-9]*/fd/ r,
  /usr/sbin/avahi-daemon mr,
  /usr/share/avahi/introspection/*.introspect r,
  /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -7,7 +7,7 @@

  capability net_bind_service,

-  /proc/sys/kernel/core_pattern r,
+  @{PROC}/sys/kernel/core_pattern r,

  /usr/sbin/nmbd mr,

--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -24,8 +24,8 @@
  /etc/netgroup r,
  /etc/printcap r,
  /etc/samba/* rwk,
-  /proc/*/mounts r,
-  /proc/sys/kernel/core_pattern r,
+  @{PROC}/[0-9]*/mounts r,
+  @{PROC}/sys/kernel/core_pattern r,
  /usr/lib*/samba/vfs/*.so mr,
  /usr/lib*/samba/charset/*.so mr,
  /usr/lib*/samba/auth/script.so mr,
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -43,8 +43,8 @@
  /etc/cups/yes/* rw,
  /etc/hosts.allow r,
  /etc/hosts.deny r,
-  /proc/meminfo r,
-  /proc/sys/dev/parport/** r,
+  @{PROC}/meminfo r,
+  @{PROC}/sys/dev/parport/** r,
  /sys/class/usb r,
  /usr/bin/perl ix,
  /usr/bin/smbspool ixr,
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -40,8 +40,8 @@
  /etc/hosts.deny r,
  /etc/modules.conf r,
  /etc/ssh/* r,
-  /proc/*/oom_adj rw,
-  /proc/*/oom_score_adj rw,
+  @{PROC}/[0-9]*/oom_adj rw,
+  @{PROC}/[0-9]*/oom_score_adj rw,
  /usr/sbin/sshd mrix,
  /var/log/btmp r,
  /{,var/}run w,