mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 10:07:12 +00:00
profiles: update set of profiles updated in MR:1637 to use @{exec_path}
This patch updates the set of profiles updated by MR:1637, this is split off from the rest of the profile updates because that set is explicity recently set apart. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
parent
699507f90a
commit
6d0834da8e
@ -58,7 +58,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
|
|||||||
/{,usr/}bin/{bash,dash,sh} ix,
|
/{,usr/}bin/{bash,dash,sh} ix,
|
||||||
/usr/bin/xkbcomp ix,
|
/usr/bin/xkbcomp ix,
|
||||||
|
|
||||||
/usr/lib/xorg/Xorg mr,
|
@{exec_path) mr,
|
||||||
|
|
||||||
@{PROC}/cmdline r,
|
@{PROC}/cmdline r,
|
||||||
@{PROC}/@{pid}/cmdline r,
|
@{PROC}/@{pid}/cmdline r,
|
||||||
|
|||||||
@ -10,7 +10,7 @@ profile alsamixer /{usr,}/bin/alsamixer {
|
|||||||
|
|
||||||
include <abstractions/dbus-session-strict>
|
include <abstractions/dbus-session-strict>
|
||||||
|
|
||||||
/{usr,}/bin/alsamixer mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||||
|
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
|
|
||||||
/usr/lib/frr/babeld mr,
|
@{exec_path} mr,
|
||||||
@{run}/frr/babel-state w,
|
@{run}/frr/babel-state w,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
|
|||||||
@ -21,7 +21,7 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) {
|
|||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
||||||
|
|
||||||
/usr/lib/frr/bfdd mr,
|
@{exec_path} mr,
|
||||||
@{run}/netns/* r,
|
@{run}/netns/* r,
|
||||||
|
|
||||||
@{run}/frr/bfdd.sock w,
|
@{run}/frr/bfdd.sock w,
|
||||||
|
|||||||
@ -21,7 +21,7 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) {
|
|||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
||||||
/usr/lib/frr/bgpd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{run}/netns/* r,
|
@{run}/netns/* r,
|
||||||
|
|
||||||
|
|||||||
@ -22,7 +22,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
|
|||||||
network inet raw,
|
network inet raw,
|
||||||
network inet6 raw,
|
network inet6 raw,
|
||||||
|
|
||||||
/{usr/,}bin/{,iputils-}ping mixr,
|
@{exec_path} mixr,
|
||||||
/etc/modules.conf r,
|
/etc/modules.conf r,
|
||||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||||
|
|
||||||
|
|||||||
@ -19,7 +19,7 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) {
|
|||||||
|
|
||||||
capability net_raw,
|
capability net_raw,
|
||||||
|
|
||||||
/usr/lib/frr/eigrpd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/eigrpd>
|
include if exists <local/eigrpd>
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
|
|
||||||
/usr/lib/frr/fabricd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/fabricd>
|
include if exists <local/fabricd>
|
||||||
|
|||||||
@ -20,7 +20,7 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) {
|
|||||||
|
|
||||||
capability net_raw,
|
capability net_raw,
|
||||||
|
|
||||||
/usr/lib/frr/isisd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/var/lib/frr/ r,
|
/var/lib/frr/ r,
|
||||||
/var/lib/frr/isisd.json{,.sav} rw,
|
/var/lib/frr/isisd.json{,.sav} rw,
|
||||||
|
|||||||
@ -20,7 +20,7 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) {
|
|||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
/usr/lib/frr/nhrpd mr,
|
@{exec_path} mr,
|
||||||
/usr/bin/dash ix,
|
/usr/bin/dash ix,
|
||||||
@{PROC}/sys/net/ipv4/conf/*/send_redirects w,
|
@{PROC}/sys/net/ipv4/conf/*/send_redirects w,
|
||||||
|
|
||||||
|
|||||||
@ -21,7 +21,7 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) {
|
|||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
||||||
/usr/lib/frr/ospf6d mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{run}/netns/* r,
|
@{run}/netns/* r,
|
||||||
|
|
||||||
|
|||||||
@ -21,7 +21,7 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) {
|
|||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability sys_admin,
|
capability sys_admin,
|
||||||
|
|
||||||
/usr/lib/frr/ospfd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{run}/netns/* r,
|
@{run}/netns/* r,
|
||||||
|
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
|
|
||||||
/usr/lib/frr/pathd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/pathd>
|
include if exists <local/pathd>
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
|
|
||||||
/usr/lib/frr/pbrd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/pbrd>
|
include if exists <local/pbrd>
|
||||||
|
|||||||
@ -20,7 +20,7 @@ profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) {
|
|||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
/usr/lib/frr/pim6d mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/pim6d>
|
include if exists <local/pim6d>
|
||||||
|
|||||||
@ -20,7 +20,7 @@ profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) {
|
|||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
/usr/lib/frr/pimd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/pimd>
|
include if exists <local/pimd>
|
||||||
|
|||||||
@ -18,7 +18,7 @@ profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) {
|
|||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
include <abstractions/frr-snmp>
|
include <abstractions/frr-snmp>
|
||||||
|
|
||||||
/usr/lib/frr/ripd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/ripd>
|
include if exists <local/ripd>
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
|
|
||||||
/usr/lib/frr/ripngd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/ripngd>
|
include if exists <local/ripngd>
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
|
|
||||||
/usr/lib/frr/staticd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/frr/zebra.conf r,
|
/etc/frr/zebra.conf r,
|
||||||
|
|
||||||
|
|||||||
@ -28,7 +28,7 @@ profile tnftp /usr/bin/tnftp {
|
|||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
/usr/bin/tnftp mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# required for the pager (less, more) to work
|
# required for the pager (less, more) to work
|
||||||
file Cx /usr/bin/dash,
|
file Cx /usr/bin/dash,
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile transmission-daemon /usr/bin/transmission-daemon flags=(complain,attach_
|
|||||||
network inet stream,
|
network inet stream,
|
||||||
network inet6 stream,
|
network inet6 stream,
|
||||||
|
|
||||||
/usr/bin/transmission-daemon mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
@{PROC}/sys/kernel/random/uuid r,
|
@{PROC}/sys/kernel/random/uuid r,
|
||||||
@ -44,7 +44,7 @@ profile transmission-cli /usr/bin/transmission-cli flags=(complain) {
|
|||||||
include <abstractions/transmission-common>
|
include <abstractions/transmission-common>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
|
|
||||||
/usr/bin/transmission-cli mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/transmission>
|
include if exists <local/transmission>
|
||||||
@ -57,7 +57,7 @@ profile transmission-gtk /usr/bin/transmission-gtk flags=(complain,attach_discon
|
|||||||
include <abstractions/dconf>
|
include <abstractions/dconf>
|
||||||
include <abstractions/gnome>
|
include <abstractions/gnome>
|
||||||
|
|
||||||
/usr/bin/transmission-gtk mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner @{run}/user/*/dconf/user w,
|
owner @{run}/user/*/dconf/user w,
|
||||||
|
|
||||||
@ -76,7 +76,7 @@ profile transmission-qt /usr/bin/transmission-qt flags=(complain) {
|
|||||||
include <abstractions/qt5>
|
include <abstractions/qt5>
|
||||||
include <abstractions/qt5-settings-write>
|
include <abstractions/qt5-settings-write>
|
||||||
|
|
||||||
/usr/bin/transmission-qt mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/transmission>
|
include if exists <local/transmission>
|
||||||
|
|||||||
@ -17,7 +17,7 @@ profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) {
|
|||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/frr>
|
include <abstractions/frr>
|
||||||
|
|
||||||
/usr/lib/frr/vrrpd mr,
|
@{exec_path} mr,
|
||||||
# Site-specific additions and overrides. See local/README for details.
|
# Site-specific additions and overrides. See local/README for details.
|
||||||
include if exists <local/vrrpd>
|
include if exists <local/vrrpd>
|
||||||
}
|
}
|
||||||
|
|||||||
@ -113,7 +113,7 @@ profile wpa_supplicant /usr/sbin/wpa_supplicant {
|
|||||||
member={ReleaseName,RequestName}
|
member={ReleaseName,RequestName}
|
||||||
peer=(name=org.freedesktop.DBus),
|
peer=(name=org.freedesktop.DBus),
|
||||||
|
|
||||||
/usr/sbin/wpa_supplicant mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
owner /dev/rfkill r,
|
owner /dev/rfkill r,
|
||||||
owner /etc/group r,
|
owner /etc/group r,
|
||||||
|
|||||||
@ -34,7 +34,7 @@ profile zgrep /usr/bin/{x,}zgrep {
|
|||||||
/usr/bin/zgrep Cx -> helper,
|
/usr/bin/zgrep Cx -> helper,
|
||||||
/usr/bin/zstd Cx -> helper,
|
/usr/bin/zstd Cx -> helper,
|
||||||
owner /tmp/zgrep* rw,
|
owner /tmp/zgrep* rw,
|
||||||
/usr/bin/{x,}zgrep r,
|
@{exec_path} r,
|
||||||
|
|
||||||
deny /etc/nsswitch.conf r,
|
deny /etc/nsswitch.conf r,
|
||||||
deny /etc/passwd r,
|
deny /etc/passwd r,
|
||||||
|
|||||||
@ -13,7 +13,7 @@ profile znc /usr/bin/znc {
|
|||||||
|
|
||||||
network tcp,
|
network tcp,
|
||||||
|
|
||||||
/usr/bin/znc mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{system_share_dirs}/znc/** r,
|
@{system_share_dirs}/znc/** r,
|
||||||
|
|
||||||
|
|||||||
@ -110,7 +110,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
|
|||||||
member=GetAll
|
member=GetAll
|
||||||
peer=(label=unconfined),
|
peer=(label=unconfined),
|
||||||
|
|
||||||
@{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# should maybe be in abstractions
|
# should maybe be in abstractions
|
||||||
/etc/ r,
|
/etc/ r,
|
||||||
|
|||||||
@ -26,7 +26,7 @@ include <tunables/global>
|
|||||||
|
|
||||||
capability dac_override,
|
capability dac_override,
|
||||||
|
|
||||||
/usr/X11R6/bin/acroread mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/{usr/,}bin/basename mixr,
|
/{usr/,}bin/basename mixr,
|
||||||
/{usr/,}bin/bash mix,
|
/{usr/,}bin/bash mix,
|
||||||
|
|||||||
@ -19,7 +19,7 @@ include <tunables/global>
|
|||||||
# network service ;)
|
# network service ;)
|
||||||
capability net_bind_service,
|
capability net_bind_service,
|
||||||
|
|
||||||
/usr/bin/svnserve mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/srv/svn/*/conf/* r,
|
/srv/svn/*/conf/* r,
|
||||||
/srv/svn/*/format r,
|
/srv/svn/*/format r,
|
||||||
|
|||||||
@ -41,7 +41,7 @@ include <tunables/global>
|
|||||||
@{HOME}/ r,
|
@{HOME}/ r,
|
||||||
@{HOME}/.realplayerrc rw,
|
@{HOME}/.realplayerrc rw,
|
||||||
|
|
||||||
/usr/lib/RealPlayer10/realplay mr,
|
@{exec_path} mr,
|
||||||
/usr/lib/RealPlayer10/** mr,
|
/usr/lib/RealPlayer10/** mr,
|
||||||
/usr/lib/RealPlayer10/realplay.bin Pxr,
|
/usr/lib/RealPlayer10/realplay.bin Pxr,
|
||||||
/usr/lib/firefox/firefox.sh Pxr,
|
/usr/lib/firefox/firefox.sh Pxr,
|
||||||
|
|||||||
@ -33,7 +33,7 @@ include <tunables/global>
|
|||||||
/usr/lib/GConf/**.so mr,
|
/usr/lib/GConf/**.so mr,
|
||||||
/usr/lib/GConf/2/gconfd-2 Pxr,
|
/usr/lib/GConf/2/gconfd-2 Pxr,
|
||||||
/usr/lib64/GConf/2/gconfd-2 Pxr,
|
/usr/lib64/GConf/2/gconfd-2 Pxr,
|
||||||
/usr/lib/evolution-data-server/evolution-data-server-1.10 mr,
|
@{exec_path} mr,
|
||||||
/usr/lib/evolution-data-server/evolution-data-server-* rmix,
|
/usr/lib/evolution-data-server/evolution-data-server-* rmix,
|
||||||
/usr/lib/evolution-data-server*/extensions r,
|
/usr/lib/evolution-data-server*/extensions r,
|
||||||
/usr/lib/evolution-data-server*/extensions/lib*.so r,
|
/usr/lib/evolution-data-server*/extensions/lib*.so r,
|
||||||
|
|||||||
@ -19,7 +19,7 @@ include <tunables/global>
|
|||||||
@{HOME}/.plan r,
|
@{HOME}/.plan r,
|
||||||
@{HOME}/.project r,
|
@{HOME}/.project r,
|
||||||
|
|
||||||
/usr/sbin/in.fingerd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/usr/bin/finger mix,
|
/usr/bin/finger mix,
|
||||||
/var/log/lastlog r,
|
/var/log/lastlog r,
|
||||||
|
|||||||
@ -21,7 +21,7 @@ include <tunables/global>
|
|||||||
capability dac_override,
|
capability dac_override,
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
/usr/sbin/oidentd mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
/etc/oidentd.conf r,
|
/etc/oidentd.conf r,
|
||||||
/etc/oidentd_masq.conf r,
|
/etc/oidentd_masq.conf r,
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user