Use @{sys} tunable in profiles and abstractions

Commit aa065287909f6a3115bfaf02bee85d323e46b706 made @{sys} tunable available by default. Update profiles and abstractions to actually use @{sys} tunable for better confinement in the future (when @{sys} becomes kernel var). Closes LP#1728551
2025-08-22 10:07:12 +00:00 · 2018-11-08 20:00:45 +02:00 · 2018-11-08 20:00:45 +02:00 · 41ff006f3d
commit 41ff006f3d
parent 7fc843d8d0
13 changed files with 48 additions and 49 deletions
--- a/profiles/apparmor.d/abstractions/base
+++ b/profiles/apparmor.d/abstractions/base
@ -90,8 +90,8 @@
  @{PROC}/meminfo                r,
  @{PROC}/stat                   r,
  @{PROC}/cpuinfo                r,
-  /sys/devices/system/cpu/       r,
+  @{sys}/devices/system/cpu/       r,
-  /sys/devices/system/cpu/online r,
+  @{sys}/devices/system/cpu/online r,
  # glibc's *printf protections read the maps file
  @{PROC}/@{pid}/{maps,auxv,status} r,
--- a/profiles/apparmor.d/abstractions/dri-enumerate
+++ b/profiles/apparmor.d/abstractions/dri-enumerate
@ -4,6 +4,5 @@
 # needs to enumerate graphic devices (as with drmParsePciDeviceInfo() from
 # libdrm).
-  # TODO: use @{sys} after it's moved into tunables/kernelvars (LP: #1728551)
+  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
  /sys/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
--- a/profiles/apparmor.d/abstractions/nvidia
+++ b/profiles/apparmor.d/abstractions/nvidia
@ -17,7 +17,7 @@
  @{PROC}/driver/nvidia/params r,
  @{PROC}/modules r,
-  /sys/devices/system/memory/block_size_bytes r,
+  @{sys}/devices/system/memory/block_size_bytes r,
  owner @{HOME}/.nv/ w,
  owner @{HOME}/.nv/GLCache/ rw,
--- a/profiles/apparmor.d/abstractions/opencl-common
+++ b/profiles/apparmor.d/abstractions/opencl-common
@ -4,7 +4,7 @@
  # System files
  /etc/OpenCL/** r,
-  /sys/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
+  @{sys}/bus/pci/devices/ r, # libpocl.so -> libhwlock.so, libnvidia-opencl.so, beignet/libcl.so -> libdrm_intel.so
-  /sys/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
+  @{sys}/devices/system/node/ r, # for clGetPlatformIDs() from libOpenCL.so
-  /sys/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
+  @{sys}/devices/system/node/node[0-9]*/meminfo r, # for clGetPlatformIDs() from libOpenCL.so
--- a/profiles/apparmor.d/abstractions/opencl-intel
+++ b/profiles/apparmor.d/abstractions/opencl-intel
@ -12,6 +12,6 @@
  # System files
  /dev/dri/card[0-9]* rw, # beignet/libcl.so
-  /sys/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
+  @{sys}/devices/pci[0-9]*/**/{class,config,resource,revision} r, # libcl.so -> libdrm_intel.so -> libpciaccess.so (move to dri-enumerate ?)
  /usr/lib/@{multiarch}/beignet/** r,
--- a/profiles/apparmor.d/abstractions/opencl-nvidia
+++ b/profiles/apparmor.d/abstractions/opencl-nvidia
@ -16,8 +16,8 @@
  # libnvidia-opencl.so rules:
  /dev/nvidia-uvm rw,
  /dev/nvidia-uvm-tools rw,
-  /sys/devices/pci[0-9]*/**/config r,
+  @{sys}/devices/pci[0-9]*/**/config r,
-  /sys/devices/system/memory/block_size_bytes r,
+  @{sys}/devices/system/memory/block_size_bytes r,
  /usr/share/nvidia/** r,
  @{PROC}/devices r,
  @{PROC}/sys/vm/mmap_min_addr r,
--- a/profiles/apparmor.d/abstractions/opencl-pocl
+++ b/profiles/apparmor.d/abstractions/opencl-pocl
@ -11,22 +11,22 @@
  # System files
  / r, # libpocl.so -> libhwloc.so
-  /sys/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
+  @{sys}/bus/pci/slots/ r, # libpocl.so -> hwloc_topology_load() from libhwloc.so
-  /sys/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
+  @{sys}/bus/{cpu,node}/devices/ r, # libpocl.so -> libhwlock.so
-  /sys/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+  @{sys}/class/net/ r, # libpocl.so -> hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
-  /sys/devices/pci[0-9]*/**/ r, # for libpocl ->  hwloc_linux_lookup_block_class() from libhwloc.so
+  @{sys}/devices/pci[0-9]*/**/ r, # for libpocl ->  hwloc_linux_lookup_block_class() from libhwloc.so
-  /sys/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
+  @{sys}/devices/pci[0-9]*/**/block/*/dev r, # libpocl.so -> hwloc_linux_lookup_host_block_class() from libhwloc.so
-  /sys/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
+  @{sys}/devices/pci[0-9]*/**/{class,local_cpus} r, # libpocl.so -> libhwlock.so
-  /sys/devices/pci[0-9]*/*/net/*/address r, # libpocl.so ->  hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
+  @{sys}/devices/pci[0-9]*/*/net/*/address r, # libpocl.so ->  hwloc_pci_traverse_lookuposdevices_cb() from libhwloc.so
-  /sys/devices/system/cpu/ r, # libpocl.so -> libnuma.so
+  @{sys}/devices/system/cpu/ r, # libpocl.so -> libnuma.so
-  /sys/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
+  @{sys}/devices/system/cpu/cpu[0-9]*/cache/index[0-9]*/* r, # libpocl.so -> libhwloc.so
-  /sys/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
+  @{sys}/devices/system/cpu/cpu[0-9]*/online r, # libpocl.so -> libhwlock.so
-  /sys/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
+  @{sys}/devices/system/cpu/cpu[0-9]*/topology/* r, # *_siblings, physical_package_id and lot's of others, for libpocl.so -> libhwloc.so
-  /sys/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/* r, # for clGetPlatformIDs() from libpocl.so
-  /sys/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
+  @{sys}/devices/system/cpu/possible r, # libpocl.so -> libhwloc.so
-  /sys/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
+  @{sys}/devices/virtual/dmi/id/{,*} r, # libpocl.so -> libhwloc.so
-  /sys/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
+  @{sys}/fs/cgroup/cpuset/cpuset.{cpus,mems} r, # libpocl.so -> libhwloc.so
-  /sys/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
+  @{sys}/kernel/mm/hugepages{/,/**} r, # libpocl.so -> libhwloc.so
  /usr/share/pocl/** r,
  /{,var/}run/udev/data/*:* r, # libpocl.so -> hwloc_linux_block_class_fillinfos() from libhwloc.so
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@ -41,8 +41,8 @@
    @{PROC}/@{pid}/ r,
    @{PROC}/@{pid}/fd/ r,
    @{PROC}/filesystems r,
-    /sys/devices/system/cpu/ r,
+    @{sys}/devices/system/cpu/ r,
-    /sys/devices/system/cpu/** r,
+    @{sys}/devices/system/cpu/** r,
    /usr/share/** r,
    /var/lib/dbus/machine-id r,
@ -88,8 +88,8 @@
    @{PROC}/@{pid}/ r,
    @{PROC}/@{pid}/fd/ r,
    @{PROC}/filesystems r,
-    /sys/devices/system/cpu/ r,
+    @{sys}/devices/system/cpu/ r,
-    /sys/devices/system/cpu/** r,
+    @{sys}/devices/system/cpu/** r,
    /usr/share/** r,
    /var/lib/dbus/machine-id r,
--- a/profiles/apparmor.d/abstractions/video
+++ b/profiles/apparmor.d/abstractions/video
@ -2,5 +2,5 @@
 # video device access
  # System devices
-  /sys/class/video4linux r,
+  @{sys}/class/video4linux r,
-  /sys/class/video4linux/** r,
+  @{sys}/class/video4linux/** r,
--- a/profiles/apparmor.d/apache2.d/phpsysinfo
+++ b/profiles/apparmor.d/apache2.d/phpsysinfo
@ -20,13 +20,13 @@
    /etc/phpsysinfo/config.php r,
    /etc/udev/udev.conf r,
    @{PROC}/** r,
-    /sys/bus/ r,
+    @{sys}/bus/ r,
-    /sys/bus/pci/devices/ r,
+    @{sys}/bus/pci/devices/ r,
-    /sys/bus/pci/slots/ r,
+    @{sys}/bus/pci/slots/ r,
-    /sys/bus/pci/slots/** r,
+    @{sys}/bus/pci/slots/** r,
-    /sys/bus/usb/devices/ r,
+    @{sys}/bus/usb/devices/ r,
-    /sys/class/ r,
+    @{sys}/class/ r,
-    /sys/devices/** r,
+    @{sys}/devices/** r,
    /usr/bin/ r,
    /usr/bin/apt-cache ixr,
    /usr/bin/dpkg-query ixr,
--- a/profiles/apparmor.d/nvidia_modprobe
+++ b/profiles/apparmor.d/nvidia_modprobe
@ -24,8 +24,8 @@ profile nvidia_modprobe {
  /dev/nvidia-uvm w,
  /dev/nvidia-uvm-tools w,
-  /sys/bus/pci/devices/ r,
+  @{sys}/bus/pci/devices/ r,
-  /sys/devices/pci[0-9]*/**/config r,
+  @{sys}/devices/pci[0-9]*/**/config r,
  @{PROC}/devices r,
  @{PROC}/modules r,
  @{PROC}/sys/kernel/modprobe r,
@ -51,9 +51,9 @@ profile nvidia_modprobe {
    /etc/modprobe.d/{,*.conf} r,
    /etc/nvidia/current/*.conf r,
-    /sys/module/ipmi_devintf/initstate r,
+    @{sys}/module/ipmi_devintf/initstate r,
-    /sys/module/ipmi_msghandler/initstate r,
+    @{sys}/module/ipmi_msghandler/initstate r,
-    /sys/module/nvidia/initstate r,
+    @{sys}/module/nvidia/initstate r,
    @{PROC}/cmdline r,
  }
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@ -47,7 +47,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
  /etc/hosts.deny r,
  /etc/hosts.allow r,
  /{usr/,}{bin,sbin}/syslog-ng mr,
-  /sys/devices/system/cpu/online r,
+  @{sys}/devices/system/cpu/online r,
  /usr/share/syslog-ng/** r,
  /var/lib/syslog-ng/syslog-ng-?????.qf rw,
  # chrooted applications
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@ -107,9 +107,9 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
    owner @{PROC}/@{pid}/net/psched r,
    owner @{PROC}/@{pid}/status r,
-    /sys/devices/system/cpu/ r,
+    @{sys}/devices/system/cpu/ r,
-    /sys/devices/system/node/ r,
+    @{sys}/devices/system/node/ r,
-    /sys/devices/system/node/*/meminfo r,
+    @{sys}/devices/system/node/*/meminfo r,
    # libvirt lease and status files for dnsmasq
    /var/lib/libvirt/dnsmasq/*.leases  rw,