diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index 9533155c8..1d7f714d3 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -1802,8 +1802,29 @@ site-specific customization of B<@{HOMEDIRS}>, F for B<@{multiarch}> and F for B<@{XDG_*}>.
-The special B<@{profile_name}> variable is set to the profile name and may be
-used in all policy.
+=head3 Special builtin variables
+
+AppArmor has some builtin variables that are not declared in policy
+but are available to be used in policy.
+
+ @{profile_name} - the profile name
+ @{attach_path} - the profile exec attachment path - if one has been defined
+ @{exec_path} - the executables path
+
+
+The B<@{profile_name}> variable is set to the profile name and may be
+used in all policy. It is only defined when used inside of a profile.
+
+The B<@{attach_path}> variable is only defined if the profile will attach
+to an executable. It will be the path attachment specification or
+if that is not defined it may be the profile's name if the profile name
+is a path.
+
+The B<@{exec_path}> variable like B<@{attach_path}> is only defined if
+the profile attaches to an executable. If the kernel supports it as a
+kernel variable, it will be set to the specific path that matches the
+executable at run time. If the kernel does not support kernel variables
+it will have the same value as B<@{attach_path}>.
 =head3 Notes on variable expansion and the / character
diff --git a/parser/parser.h b/parser/parser.h
index 005bbe580..3e851205f 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -294,9 +294,10 @@ do { \
 version; \
 })
-/* The parser fills this variable in automatically */
+/* The parser fills these variable in automatically */
 #define PROFILE_NAME_VARIABLE "profile_name"
-
+#define PROFILE_ATTACH_VAR "attach_path"
+#define PROFILE_EXEC_VAR "exec_path"
 /* from parser_common.c */
 extern uint32_t policy_version;
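Review bot: The reworded comment `/* The parser fills these variable in automatically */` should read `these variables`, and the three macro names do not follow one pattern (`PROFILE_NAME_VARIABLE` versus `PROFILE_ATTACH_VAR` / `PROFILE_EXEC_VAR`); since the two new names are introduced here, `PROFILE_ATTACH_VARIABLE` / `PROFILE_EXEC_VARIABLE` would match the existing one. The hunk also drops the blank line that separated this group from `/* from parser_common.c */`, which is presumably unintended.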
@@ -395,6 +396,7 @@ extern const char *basedir;
 #define glob_default 0
 #define glob_null 1
+const char *local_name(const char *name);
 extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob, std::string& pcre, int *first_re_pos);
 extern bool build_list_val_expr(std::string& buffer, struct value_list *list);
@@ -462,12 +464,27 @@ struct set_value {
 char *val;
 struct set_value *next;
 };
+enum var_type {
+ sd_boolean,
+ sd_set,
+};
+
+struct symtab {
+ char *var_name;
+ enum var_type type;
+ int boolean;
+ struct set_value *values;
+ struct set_value *expanded;
+};
+
 extern int add_boolean_var(const char *var, int boolean);
 extern int get_boolean_var(const char *var);
 extern int new_set_var(const char *var, const char *value);
 extern int add_set_value(const char *var, const char *value);
 extern struct set_value *get_set_var(const char *var);
 extern char *get_next_set_value(struct set_value **context);
+extern int insert_set_var(struct symtab *var);
+extern struct symtab *remove_set_var(const char *var_name);
 extern int delete_set_var(const char *var_name);
 extern void dump_symtab(void);
 extern void dump_expanded_symtab(void);
diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
index 89ae432e9..8f744f913 100644
--- a/parser/parser_symtab.c
+++ b/parser/parser_symtab.c
@@ -28,18 +28,6 @@ typedef int (*comparison_fn_t)(const void *, const void *);
 typedef void (*__free_fn_t)(void *);
-enum var_type {
- sd_boolean,
- sd_set,
-};
-
-struct symtab {
- char *var_name;
- enum var_type type;
- int boolean;
- struct set_value *values;
- struct set_value *expanded;
-};
 static void *my_symtab = NULL;
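Review bot: `const char *local_name(const char *name);` is the only prototype in this block without the `extern` the neighbouring declarations carry (`extern pattern_t convert_aaregex_to_pcre…`, `extern bool build_list_val_expr…`); `extern const char *local_name(const char *name);` keeps the block uniform. A one-line comment saying which part of a hierarchical profile name it returns, and whether the result points into `name` (parser_variable.c in this commit immediately `strdup()`s it), would spare callers a trip to the definition.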
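Review bot: `insert_set_var()` and `remove_set_var()` move ownership of a `struct symtab` across the API but nothing in the header says so: on success `insert_set_var()` keeps the pointer, on failure the caller still owns it (parser_symtab.c frees it in `new_set_var()`'s `err:` path), and `remove_set_var()` hands back an entry the caller must later re-insert or free. Suggested comments beside the prototypes: `/* takes ownership of var on success (returns 0); on error the caller still owns var */` and `/* detaches var_name and returns its entry (caller owns it), NULL if absent */`. Moving `enum var_type` and `struct symtab` out of parser_symtab.c also makes the layout public; if only the save/restore in process_profile_variables() needs the type, an opaque `struct symtab;` forward declaration would keep the fields private.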
@@ -209,12 +197,32 @@ out:
 return rc;
 }
+
+int insert_set_var(struct symtab *var)
+{
+ struct symtab **result;
+
+ result = (struct symtab **) tsearch(var, &my_symtab, (comparison_fn_t) &compare_symtabs);
+ if (!result) {
+ PERROR("Failed to allocate memory: %s\n", strerror(errno));
+ return errno;
+ }
+
+ if (*result != var) {
+ /* already existing variable */
+ PERROR("'%s' is already defined\n", var->var_name);
+ return 1;
+ }
+
+ return 0;
+}
+
 /* new_set_var
 * creates copies of arguments, so caller can free them after use
 */
 int new_set_var(const char *var, const char *value)
 {
- struct symtab *n, **result;
+ struct symtab *n;
 int rc = 0;
 n = new_symtab_entry(var);
@@ -226,21 +234,9 @@ int new_set_var(const char *var, const char *value)
 n->type = sd_set;
 add_to_set(&(n->values), value);
- result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
- if (!result) {
- PERROR("Failed to allocate memory: %s\n", strerror(errno));
- rc = errno;
- goto err;
- }
-
- if (*result != n) {
- /* already existing variable */
- PERROR("'%s' is already defined\n", var);
- rc = 1;
- goto err;
- }
-
- return 0;
+ rc = insert_set_var(n);
+ if (! rc)
+ return 0;
 err:
 free_symtab(n);
@@ -331,25 +327,21 @@ char *get_next_set_value(struct set_value **list)
 return ret;
 }
-/* delete_symbol
- * removes an individual variable from the symbol table. We don't
- * support this in the language, but for special variables that change
- * between profiles, we need this.
- */
-int delete_set_var(const char *var_name)
+
+struct symtab *remove_set_var(const char *var_name)
 {
- int rc = 0;
- struct symtab **result, *n, *var;
+ struct symtab **result, *n, *var = NULL;
 n = new_symtab_entry(var_name);
 if (!n) {
- rc = ENOMEM;
+ //rc = ENOMEM;
 goto out;
 }
 result = (struct symtab **) tfind(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
 if (!result) {
 /* XXX Warning? */
+ //rc = ENOENT;
 goto out;
 }
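Review bot: `remove_set_var()` now returns NULL both when `new_symtab_entry()` fails and when the variable is simply absent, and the `//rc = ENOMEM;` / `//rc = ENOENT;` lines it leaves behind are dead code; as a consequence `delete_set_var()` in the next hunk reports ENOENT for an allocation failure where it previously returned ENOMEM. Either drop the commented-out lines and document that NULL covers both cases, or set `errno = ENOMEM;` / `errno = ENOENT;` before the two `goto out;` so the wrapper can return it (checking that `free_symtab(n)` on the `out:` path does not clobber it). The function also lost the header comment its predecessor had; suggested: `/* remove_set_var - detach var_name from the symbol table without freeing it. Returns the detached entry, now owned by the caller, or NULL if not found or out of memory. */`. The middle of remove_set_var's body falls between this hunk and the next.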
@@ -368,11 +360,27 @@ int delete_set_var(const char *var_name)
 exit(1);
 }
- free_symtab(var);
-
 out:
 free_symtab(n);
- return rc;
+
+ return var;
+}
+
+/* delete_symbol
+ * removes an individual variable from the symbol table. We don't
+ * support this in the language, but for special variables that change
+ * between profiles, we need this.
+ */
+int delete_set_var(const char *var_name)
+{
+ struct symtab *var;
+
+ var = remove_set_var(var_name);
+ if (var) {
+ free_symtab(var);
+ return 0;
+ }
+ return ENOENT;
 }
 static void *seenlist = NULL;
diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index c04e2a11a..4e42690eb 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -295,8 +295,22 @@ static int process_variables_in_name(Profile &prof)
 * setup */
 int error = expand_entry_variables(&prof.name);
- if (!error && prof.attachment)
- error = expand_entry_variables(&prof.attachment);
+ if (!error) {
+ if (prof.attachment)
+ error = expand_entry_variables(&prof.attachment);
+ else if (prof.name[0] == '/') {
+ /* had to wait to do this until after processing the
+ * variables in the profile name
+ */
+ prof.attachment = strdup(local_name(prof.name));
+ if (!prof.attachment) {
+ errno = ENOMEM;
+ return -1;
+ }
+ filter_slashes(prof.attachment);
+ }
+ }
+
 if (!error && prof.flags.disconnected_path)
 error = process_variable_in_attach_disconnected(&prof.flags.disconnected_path);
 if (!error && prof.flags.disconnected_ipc)
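Review bot: The new branch tests `prof.name[0] == '/'` but then copies `local_name(prof.name)`, so the check and the copy look at different strings whenever a hierarchical name is involved: if `prof.name` is already `parent//child` at this point, a path-named child (vars_auto_attach_path_06.sd) never gets an attachment because the first character belongs to the parent, and if it is still the local name the `local_name()` call is redundant. Test and copy the same string, e.g. `const char *lname = local_name(prof.name);` / `else if (lname[0] == '/') {` / `prof.attachment = strdup(lname);`. The `errno = ENOMEM; return -1;` exit is also the only place in this function that bypasses the `error` variable; a one-line comment saying the early return is deliberate would help. process_variables_in_name() starts before and ends after this hunk.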
@@ -325,29 +339,73 @@ static std::string escape_re(std::string str)
 int process_profile_variables(Profile *prof)
 {
 int error = 0, rc;
+ struct symtab *saved_exec_path = NULL;
+ struct symtab *saved_attach_path = NULL;
 /* needs to be before PROFILE_NAME_VARIABLE so that variable will
 * have the correct name */
 error = process_variables_in_name(*prof);
- if (!error) {
- /* escape profile name elements that could be interpreted
- * as regular expressions.
+ if (error)
+ goto out;
+
+ /* escape profile name elements that could be interpreted as
+ * regular expressions.
+ */
+ error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
+ if (error)
+ goto out;
+
+ if (prof->attachment) {
+ /* IF we didn't want a path based profile name to generate
+ * an attachment. The code could be moved here. Add the
+ * output fed into the vars directly instead of setting
+ * the attachment.
 */
- error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
+ /* need to take into account alias, but not yet */
+ saved_attach_path = remove_set_var(PROFILE_ATTACH_VAR);
+ error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
+ if (error)
+ goto cleanup_name;
+ /* update to use kernel vars if available */
+ saved_exec_path = remove_set_var(PROFILE_EXEC_VAR);
+ error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
+ if (error)
+ goto cleanup_attach;
 }
- if (!error)
- error = process_variables_in_entries(prof->entries);
-
- if (!error)
- error = process_variables_in_rules(*prof);
+ error = process_variables_in_entries(prof->entries);
+ if (error)
+ goto cleanup;
+ error = process_variables_in_rules(*prof);
+cleanup:
+ /* ideally these variables would be local scoped and we would not
+ * have to clean them up here, but unfortunately variables
+ * don't support that yet.
+ */
+ if (prof->attachment) {
+ rc = delete_set_var(PROFILE_EXEC_VAR);
+ if (!error)
+ error = rc;
+ if (saved_exec_path)
+ insert_set_var(saved_exec_path);
+ }
+cleanup_attach:
+ if (prof->attachment) {
+ rc = delete_set_var(PROFILE_ATTACH_VAR);
+ if (!error)
+ error = rc;
+ if (saved_attach_path)
+ insert_set_var(saved_attach_path);
+ }
+cleanup_name:
 rc = delete_set_var(PROFILE_NAME_VARIABLE);
 if (!error)
 error = rc;
+out:
 return error;
 }
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index f0b90379b..333284f1d 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
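Review bot: The error paths after `remove_set_var()` never put the saved entry back: a failing `new_set_var(PROFILE_ATTACH_VAR, …)` jumps to `cleanup_name` and a failing `new_set_var(PROFILE_EXEC_VAR, …)` to `cleanup_attach`, and both labels sit past the `insert_set_var(saved_*)` calls, so a user-defined `@{attach_path}` or `@{exec_path}` is silently dropped from the symbol table and the detached entry leaks. Re-insertion should depend only on `saved_*` being non-NULL, not on the matching `delete_set_var()` having run; the restructuring below does that and makes the `cleanup_name` label unnecessary. The return value of `insert_set_var()` on the restore paths is still ignored, which deserves at least a comment since a failure there loses the user's definition. Separately, the comment `/* update to use kernel vars if available */` describes a future change while the line sets `@{exec_path}` to the attachment; the new apparmor.d.pod text already promises the kernel-variable behaviour, so the comment should say that this is the fallback value until kernel support is wired up.
```cpp
	if (prof->attachment) {
		/* need to take into account alias, but not yet */
		saved_attach_path = remove_set_var(PROFILE_ATTACH_VAR);
		error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
		if (error)
			goto restore_attach;
		/* fallback value until kernel-provided exec path variables exist */
		saved_exec_path = remove_set_var(PROFILE_EXEC_VAR);
		error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
		if (error)
			goto restore_exec;
	}
	/* … unchanged: process_variables_in_entries / process_variables_in_rules … */
cleanup:
	if (prof->attachment) {
		rc = delete_set_var(PROFILE_EXEC_VAR);
		if (!error)
			error = rc;
	}
restore_exec:
	/* always restore a shadowed user definition, even on the error paths */
	if (saved_exec_path)
		insert_set_var(saved_exec_path);
	if (prof->attachment) {
		rc = delete_set_var(PROFILE_ATTACH_VAR);
		if (!error)
			error = rc;
	}
restore_attach:
	if (saved_attach_path)
		insert_set_var(saved_attach_path);
	rc = delete_set_var(PROFILE_NAME_VARIABLE);
	if (!error)
		error = rc;
out:
	return error;
```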
@@ -971,6 +971,144 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \ #### end of wrapper fn } +test_parser_variables() +{ + ######## @{profile_name} ####### + verify_binary_equality "@{profile_name} expands correctly" \ + "/t { @{profile_name} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{profile_name} expands correcly - filter /" \ + "/t { /r/@{profile_name} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{profile_name} expands correcly - add globbing" \ + "/t { @{profile_name}/** r, }" \ + "/t { /t/** r, }" + + #re expression are escaped in profile names so /t/* becomes /t/\* + verify_binary_inequality "@{profile_name} w/pat expands correctly" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{profile_name} w/pat expands correctly" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/\* r, }" + + verify_binary_inequality "@{profile_name} w/pat expands correcly - filter /" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{profile_name} w/pat expands correcly - filter /" \ + "/t/* { @{profile_name}/a r, }" \ + "/t/* { /t/\*/a r, }" + + verify_binary_inequality "@{profile_name} w/pat expands correcly - add globbing" \ + "/t/* { @{profile_name}/** r, }" \ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{profile_name} w/pat expands correcly - add globbing" \ + "/t/** { @{profile_name}/** r, }" \ + "/t/** { /t/\*\*/** r, }" + + ######## @{attach_path} ####### + verify_binary_equality "@{attach_path} expands correctly" \ + "/t { @{attach_path} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{attach_path} expands correcly - filter /" \ + "/t { /r/@{attach_path} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{attach_path} expands correcly - add globbing" \ + "/t { @{attach_path}/** r, }" \ + "/t { /t/** r, }" + + verify_binary_equality "@{attach_path} w/pat expands correctly" \ + "/t/* { @{attach_path} r, }" \ + "/t/* { /t/* r, }" + + 
verify_binary_equality "@{attach_path} w/pat expands correcly - filter /" \ + "/t/* { @{attach_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/pat expands correcly - add globbing" \ + "/t/* { @{attach_path}/** r, }" \ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correctly" \ + "profile a /t { @{attach_path} r, }" \ + "profile a /t { /t r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correcly - filter /" \ + "profile a /t { /r/@{attach_path} r, }" \ + "profile a /t { /r/t r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correcly - add globbing" \ + "profile a /t { @{attach_path}/** r, }" \ + "profile a /t { /t/** r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correctly" \ + "profile a /t/* { @{attach_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - filter /" \ + "profile a /t/* { @{attach_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - add globbing" \ + "profile a /t/* { @{attach_path}/** r, }" \ + "profile a /t/* { /t/*/** r, }" + + ######## @{exec_path} ####### + verify_binary_equality "@{exec_path} expands correctly" \ + "/t { @{exec_path} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{exec_path} expands correcly - filter /" \ + "/t { /r/@{exec_path} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{exec_path} expands correcly - add globbing" \ + "/t { @{exec_path}/** r, }" \ + "/t { /t/** r, }" + + verify_binary_equality "@{exec_path} w/pat expands correctly" \ + "/t/* { @{exec_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/pat expands correcly - filter /" \ + "/t/* { @{exec_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/pat expands correcly - add globbing" \ + "/t/* { @{exec_path}/** r, }" 
\ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correctly" \ + "profile a /t { @{exec_path} r, }" \ + "profile a /t { /t r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correcly - filter /" \ + "profile a /t { /r/@{exec_path} r, }" \ + "profile a /t { /r/t r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correcly - add globbing" \ + "profile a /t { @{exec_path}/** r, }" \ + "profile a /t { /t/** r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correctly" \ + "profile a /t/* { @{exec_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - filter /" \ + "profile a /t/* { @{exec_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - add globbing" \ + "profile a /t/* { @{exec_path}/** r, }" \ + "profile a /t/* { /t/*/** r, }" +} run_tests() { @@ -1082,6 +1220,8 @@ run_tests() "@{BAR}=bin/ \#value /t { /@{BAR} r, }" + test_parser_variables + # verify combinations of different priority levels # for single rule comparisons, rules should keep same expected result # even when the priorities are different. diff --git a/parser/tst/minimize.sh b/parser/tst/minimize.sh index 8b3c4850c..82f6a2721 100755 --- a/parser/tst/minimize.sh +++ b/parser/tst/minimize.sh 
@@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}" # {a} (0x 40030/0/0/0) echo -n "Minimize profiles basic perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -93,7 +93,7 @@ echo "ok" # {9} (0x 12804a/0/2800a/0) # {c} (0x 40030/0/0/0) echo -n "Minimize profiles audit perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -112,7 +112,7 @@ echo "ok" # {c} (0x 40030/0/0/0) echo -n "Minimize profiles deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi 
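Review bot: Every expectation in this file is preserved by renaming the profile from `/t` to `profile t` rather than by updating the state counts, which suggests that the automatic attachment now generated for path-named profiles (parser_variable.c in this commit) changes the minimized DFA; if so, that is a user-visible change to compiled output for existing path-named profiles and deserves a sentence in the commit message or a comment at the top of this file. It also means the minimize tests no longer cover path-named profiles at all; keeping one case on `/t` with its new expected count would retain that coverage. The same edit is repeated in the remaining hunks of this file.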
@@ -130,7 +130,7 @@ echo "ok" # {c} (0x 40030/0/0/0) echo -n "Minimize profiles audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then echo "failed" exit 1; fi @@ -155,7 +155,7 @@ echo "ok" ## NOTE: change count from 6 to 7 when extend perms is not dependent on ## prompt rules being present echo -n "Minimize profiles extended no-filter audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then echo "failed" exit 1; fi 
@@ -173,7 +173,7 @@ echo "ok" # {2} (0x 4/0//0/0/0) <- from policydb still showing up bug echo -n "Minimize profiles extended filter audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -208,7 +208,7 @@ echo "ok" # echo -n "Minimize profiles xtrans " -if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then +if [ "$(echo "profile t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then echo "failed" exit 1; fi @@ -216,7 +216,7 @@ echo "ok" # same test as above + audit echo -n "Minimize profiles audit xtrans " -if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then +if [ "$(echo "profile t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then echo "failed" exit 1; fi 
@@ -229,7 +229,7 @@ echo "ok" # {3} (0x 0/fe17f85/0/14005) echo -n "Minimize profiles deny xtrans " -if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then +if [ "$(echo "profile t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then echo "failed" exit 1; fi @@ -241,7 +241,7 @@ echo "ok" # {3} (0x 0/fe17f85/0/0) echo -n "Minimize profiles audit deny xtrans " -if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then +if [ "$(echo "profile t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then echo "failed" exit 1; fi diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd new file mode 100644 index 000000000..0e248606c --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto attach_path variable in rules +#=EXRESULT PASS + +profile /a/test/profile { + /a/test/profile rix, + + @{attach_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd new file mode 100644 index 000000000..806e0bb2d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd 
@@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto atach_path variable in rules +#=EXRESULT PASS + +profile this_is_a_test /a/test/profile { + /a/test/profile rix, + + /run/@{attach_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd new file mode 100644 index 000000000..c05addc61 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto attach_path from profile +#=EXRESULT PASS + +/test/profile { + /test/profile rix, + + /run/@{attach_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd new file mode 100644 index 000000000..f925c9c3f --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile spork /a/*/c { + @{attach_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd new file mode 100644 index 000000000..309a7d45d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/b/c { + @{attach_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd new file mode 100644 index 000000000..77dc87f57 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/*/c { + @{attach_path}/** rw, + } +} 
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd new file mode 100644 index 000000000..f1bac3b11 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd @@ -0,0 +1,20 @@ +#=DESCRIPTION ensure attach_path expansion after subprofiles works +#=EXRESULT PASS + +profile top_profile /test/profile { + + /first/path/@{attach_path}/tmp rwk, + + profile spork { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + hat spelunkk { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + # Does this expand properly? + /second/path/@{attach_path}/tmp rk, +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd new file mode 100644 index 000000000..41eee175c --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto attach_path variable overrides with user defined +#=EXRESULT PASS + +@{attach_path}=/path +profile /a/test/profile { + /a/test/profile rix, + + @{attach_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd new file mode 100644 index 000000000..d2baacb81 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd @@ -0,0 +1,16 @@ +#=DESCRIPTION user @{attach_path} available after override +#=EXRESULT PASS + +@{attach_path}=/path +profile /a/test/profile { + /a/test/profile rix, + + @{attach_path} rwk, + +} + +profile extra { + + @{attach_path} rw, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd new file mode 100644 index 000000000..e21d26c51 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd 
@@ -0,0 +1,10 @@ +#=DESCRIPTION user @{attach_path} can set attachment and then auto var used +#=EXRESULT PASS + +@{attach_path}=/path +profile @{attach_path} { + /a/test/profile rix, + + @{attach_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd new file mode 100644 index 000000000..9e8f2e512 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto @{attach_path} variable in rules when not created +#=EXRESULT FAIL + +test/profile { + /a/test/profile rix, + + mr @{attach_path}, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd new file mode 100644 index 000000000..bbd9c7e12 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd @@ -0,0 +1,12 @@ +#=DESCRIPTION reference auto attach_path from profile +#=EXRESULT FAIL + +/test/profile { + /test/profile rix, + + # hat does not have an attachment and profile's attachment doesn't apply + ^spork { + owner /tmp/* r, + /spork/@{attach_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd new file mode 100644 index 000000000..dbe64510d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd @@ -0,0 +1,16 @@ +#=DESCRIPTION ensure attach_path expansion after subprofiles works +#=EXRESULT FAIL + +profile top_profile /test/profile { + + /first/path/@{attach_path}/tmp rwk, + + # subprofile doesn't have attach_pathes + hat spelunkk { + owner /tmp/* r, + /run/@{attach_path}/** rw, + } + + # Does this expand properly? + /second/path/@{attach_path}/tmp rk, +} 
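Review bot: vars_auto_attach_path_bad_3.sd carries `#=DESCRIPTION ensure attach_path expansion after subprofiles works`, copied from the PASS case vars_auto_attach_path_08.sd, but its `#=EXRESULT FAIL` is about something else: the `@{attach_path}` reference inside `hat spelunkk`, which has no attachment. Suggested: `#=DESCRIPTION @{attach_path} is undefined inside a hat that has no attachment`; the trailing `# Does this expand properly?` comment is likewise left over from the PASS case. vars_auto_exec_path_bad_3.sd later in this diff has the same copied description.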
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd new file mode 100644 index 000000000..64faf18c9 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd @@ -0,0 +1,11 @@ +#=DESCRIPTION reference auto attach_path variable in rules w/hats +#=EXRESULT FAIL + +profile idf3s2A6GX8vrk /simple/profile { + /test/profile rix, + + ^test { + /run/@{attach_path}/tmp rwk, + } +} + diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd new file mode 100644 index 000000000..f20f78433 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto exec_path variable in rules +#=EXRESULT PASS + +profile /a/test/profile { + /a/test/profile rix, + + @{exec_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd new file mode 100644 index 000000000..5408e07bf --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto exec_path variable in rules +#=EXRESULT PASS + +profile this_is_a_test /a/test/profile { + /a/test/profile rix, + + /run/@{exec_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd new file mode 100644 index 000000000..0e0a7a365 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto exec_path from profile +#=EXRESULT PASS + +/test/profile { + /test/profile rix, + + /run/@{exec_path}/tmp rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd new file mode 100644 index 000000000..69cc06b23 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd 
@@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile spork /a/*/c { + @{exec_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd new file mode 100644 index 000000000..d2c9f50a9 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/b/c { + @{exec_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd new file mode 100644 index 000000000..f3b8bcceb --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable in child +#=EXRESULT PASS + +# no attachment in parent +profile top_profile { + + profile /a/*/c { + @{exec_path}/** rw, + } +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd new file mode 100644 index 000000000..cd9719b3d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd @@ -0,0 +1,20 @@ +#=DESCRIPTION ensure exec_path expansion after subprofiles works +#=EXRESULT PASS + +profile top_profile /test/profile { + + /first/path/@{exec_path}/tmp rwk, + + profile spork { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + hat spelunkk { + owner /tmp/* r, + /run/@{profile_name}/** rw, + } + + # Does this expand properly? + /second/path/@{exec_path}/tmp rk, +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd new file mode 100644 index 000000000..2249b4965 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd 
@@ -0,0 +1,10 @@ +#=DESCRIPTION reference auto exec_path variable overrides with user defined +#=EXRESULT PASS + +@{exec_path}=/path +profile /a/test/profile { + /a/test/profile rix, + + @{exec_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd new file mode 100644 index 000000000..8b32c03a1 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd @@ -0,0 +1,16 @@ +#=DESCRIPTION user @{exec_path} available after override +#=EXRESULT PASS + +@{exec_path}=/path +profile /a/test/profile { + /a/test/profile rix, + + @{exec_path} rwk, + +} + +profile extra { + + @{exec_path} rw, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd new file mode 100644 index 000000000..e8a7af8cb --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd @@ -0,0 +1,10 @@ +#=DESCRIPTION user @{exec_path} can set attachment and then auto var used +#=EXRESULT PASS + +@{exec_path}=/path +profile @{exec_path} { + /a/test/profile rix, + + @{exec_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd new file mode 100644 index 000000000..418140701 --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto @{exec_path} variable in rules when not created +#=EXRESULT FAIL + +test/profile { + /a/test/profile rix, + + mr @{exec_path}, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd new file mode 100644 index 000000000..311febd5c --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd 
@@ -0,0 +1,12 @@
+#=DESCRIPTION reference auto exec_path from profile
+#=EXRESULT FAIL
+
+/test/profile {
+ /test/profile rix,
+
+ # hat does not have an attachment and profile's attachment doesn't apply
+ ^spork {
+ owner /tmp/* r,
+ /spork/@{exec_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
new file mode 100644
index 000000000..5b5778798
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
@@ -0,0 +1,16 @@
+#=DESCRIPTION ensure exec_path expansion after subprofiles works
+#=EXRESULT FAIL
+
+profile top_profile /test/profile {
+
+ /first/path/@{exec_path}/tmp rwk,
+
+ # subprofile doesn't have exec_pathes
+ hat spelunkk {
+ owner /tmp/* r,
+ /run/@{exec_path}/** rw,
+ }
+
+ # Does this expand properly?
+ /second/path/@{exec_path}/tmp rk,
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
new file mode 100644
index 000000000..d5ea19841
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
@@ -0,0 +1,11 @@
+#=DESCRIPTION reference auto exec_path variable in rules w/hats
+#=EXRESULT FAIL
+
+profile idf3s2A6GX8vrk /simple/profile {
+ /test/profile rix,
+
+ ^test {
+ /run/@{exec_path}/tmp rwk,
+ }
+}
+
diff --git a/profiles/apparmor.d/1password b/profiles/apparmor.d/1password
index 2cd14489d..0835f4adb 100644
--- a/profiles/apparmor.d/1password
+++ b/profiles/apparmor.d/1password
@@ -6,6 +6,7 @@ include profile 1password /opt/1Password/1password flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists
diff --git a/profiles/apparmor.d/Discord b/profiles/apparmor.d/Discord
index 4e96b8fe7..835757c41 100644
--- a/profiles/apparmor.d/Discord
+++ b/profiles/apparmor.d/Discord
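Review bot: vars_auto_exec_path_bad_3.sd reuses the DESCRIPTION of _08, `ensure exec_path expansion after subprofiles works`, although it is an expected-FAIL case whose point is the `/run/@{exec_path}/** rw,` line inside `hat spelunkk {`; a test-runner report would then describe a failing negative test with a sentence that claims success. Suggest `#=DESCRIPTION auto exec_path is not defined inside a hat of an attached profile`, and fix the inline comment `# subprofile doesn't have exec_pathes` to `# hats do not inherit the parent's @{exec_path}`. bad_2 and bad_5 exercise the same hat rule, so a DESCRIPTION that names what differs (path-named profile in bad_2, named profile with attachment in bad_5) would keep the three apart. The series also skips bad_4; if that file exists elsewhere this is fine, otherwise the gap is worth closing before the numbering is relied on.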
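Review bot: `@{exec_path} mr,` added after `userns,` in a `flags=(unconfined)` profile should not be enforced at run time, so the 1password rule changes nothing and a reader skimming the profile may take it as evidence that file access is confined when it is not. If the intent is to keep these profiles consistent with the attached, enforcing ones, or to stage a later tightening, one comment above the rule would make that explicit, e.g. `# not enforced while unconfined; kept for consistency with confined profiles`. The same addition appears in every other `flags=(unconfined)` profile touched by this series (Discord through runc), so a single comment here, or a sentence in the commit message, is enough rather than one per file.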
@@ -6,6 +6,7 @@ include profile Discord /usr/share/discord/Discord flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/MongoDB_Compass b/profiles/apparmor.d/MongoDB_Compass index 6c796ca62..c137c254d 100644 --- a/profiles/apparmor.d/MongoDB_Compass +++ b/profiles/apparmor.d/MongoDB_Compass @@ -6,6 +6,7 @@ include profile "MongoDB Compass" "/usr/lib/mongodb-compass/MongoDB Compass" flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/QtWebEngineProcess b/profiles/apparmor.d/QtWebEngineProcess index 65dec4807..39cb07911 100644 --- a/profiles/apparmor.d/QtWebEngineProcess +++ b/profiles/apparmor.d/QtWebEngineProcess @@ -6,6 +6,7 @@ include profile QtWebEngineProcess /usr/lib/@{multiarch}/qt{5,6}/libexec/QtWebEngineProcess flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/Xorg b/profiles/apparmor.d/Xorg index 6fc1747ae..1230350f7 100644 --- a/profiles/apparmor.d/Xorg +++ b/profiles/apparmor.d/Xorg @@ -58,7 +58,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) { /{,usr/}bin/{bash,dash,sh} ix, /usr/bin/xkbcomp ix, - /usr/lib/xorg/Xorg mr, + @{exec_path} mr, @{PROC}/cmdline r, @{PROC}/@{pid}/cmdline r, diff --git a/profiles/apparmor.d/alsamixer b/profiles/apparmor.d/alsamixer index b3c872881..13354eaf4 100644 --- a/profiles/apparmor.d/alsamixer +++ b/profiles/apparmor.d/alsamixer @@ -10,7 +10,7 @@ profile alsamixer /{usr,}/bin/alsamixer { include - /{usr,}/bin/alsamixer mr, + @{exec_path} mr, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/profiles/apparmor.d/babeld b/profiles/apparmor.d/babeld index 503f3a8cc..a13123f68 100644 --- a/profiles/apparmor.d/babeld 
+++ b/profiles/apparmor.d/babeld @@ -17,7 +17,7 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) { include include - /usr/lib/frr/babeld mr, + @{exec_path} mr, @{run}/frr/babel-state w, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/balena-etcher b/profiles/apparmor.d/balena-etcher index 9a55bcd2f..e502c002d 100644 --- a/profiles/apparmor.d/balena-etcher +++ b/profiles/apparmor.d/balena-etcher @@ -6,6 +6,7 @@ include profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/bfdd b/profiles/apparmor.d/bfdd index 80d610e94..d6baff8b1 100644 --- a/profiles/apparmor.d/bfdd +++ b/profiles/apparmor.d/bfdd @@ -21,7 +21,7 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) { capability sys_admin, - /usr/lib/frr/bfdd mr, + @{exec_path} mr, @{run}/netns/* r, @{run}/frr/bfdd.sock w, diff --git a/profiles/apparmor.d/bgpd b/profiles/apparmor.d/bgpd index 11d37f9ab..a5e7b633b 100644 --- a/profiles/apparmor.d/bgpd +++ b/profiles/apparmor.d/bgpd @@ -21,7 +21,7 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /usr/lib/frr/bgpd mr, + @{exec_path} mr, @{run}/netns/* r, diff --git a/profiles/apparmor.d/bin.ping b/profiles/apparmor.d/bin.ping index c8d450ee6..1f18c17d1 100644 --- a/profiles/apparmor.d/bin.ping +++ b/profiles/apparmor.d/bin.ping @@ -22,7 +22,7 @@ profile ping /{usr/,}bin/{,iputils-}ping { network inet raw, network inet6 raw, - /{usr/,}bin/{,iputils-}ping mixr, + @{exec_path} mixr, /etc/modules.conf r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/profiles/apparmor.d/brave b/profiles/apparmor.d/brave index 4aba1a312..8db3a94e7 100644 --- a/profiles/apparmor.d/brave +++ b/profiles/apparmor.d/brave 
@@ -6,6 +6,7 @@ include profile brave /opt/brave.com/brave/brave flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/buildah b/profiles/apparmor.d/buildah index 4281dc6c1..54f2fbeea 100644 --- a/profiles/apparmor.d/buildah +++ b/profiles/apparmor.d/buildah @@ -6,6 +6,7 @@ include profile buildah /usr/bin/buildah flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/busybox b/profiles/apparmor.d/busybox index d726ddf0a..bb40accd6 100644 --- a/profiles/apparmor.d/busybox +++ b/profiles/apparmor.d/busybox @@ -6,6 +6,7 @@ include profile busybox /usr/bin/busybox flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/cam b/profiles/apparmor.d/cam index d56c55a0c..b51d4efc5 100644 --- a/profiles/apparmor.d/cam +++ b/profiles/apparmor.d/cam @@ -6,6 +6,7 @@ include profile cam /usr/bin/cam flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/ch-checkns b/profiles/apparmor.d/ch-checkns index eafb55686..d6bf5cfe1 100644 --- a/profiles/apparmor.d/ch-checkns +++ b/profiles/apparmor.d/ch-checkns @@ -6,6 +6,7 @@ include profile ch-checkns /usr/bin/ch-checkns flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/ch-run b/profiles/apparmor.d/ch-run index 2d20b4391..b2afd9b1a 100644 --- a/profiles/apparmor.d/ch-run +++ b/profiles/apparmor.d/ch-run 
@@ -6,6 +6,7 @@ include profile ch-run /usr/bin/ch-run flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/chrome b/profiles/apparmor.d/chrome index 085c19897..09805a3f5 100644 --- a/profiles/apparmor.d/chrome +++ b/profiles/apparmor.d/chrome @@ -6,6 +6,7 @@ include profile chrome /opt/google/chrome/chrome flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/chromium b/profiles/apparmor.d/chromium index 61132bb81..e0f25b2b0 100644 --- a/profiles/apparmor.d/chromium +++ b/profiles/apparmor.d/chromium @@ -8,6 +8,7 @@ include profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/code b/profiles/apparmor.d/code index d99054451..55e08f4ab 100644 --- a/profiles/apparmor.d/code +++ b/profiles/apparmor.d/code @@ -6,6 +6,7 @@ include profile vscode /usr/share/code{/bin,}/code flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/crun b/profiles/apparmor.d/crun index 04c9f4fdc..f0240ee71 100644 --- a/profiles/apparmor.d/crun +++ b/profiles/apparmor.d/crun @@ -6,6 +6,7 @@ include profile crun /usr/bin/crun flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/devhelp b/profiles/apparmor.d/devhelp index ed7891a13..901820daf 100644 --- a/profiles/apparmor.d/devhelp +++ b/profiles/apparmor.d/devhelp 
@@ -6,6 +6,7 @@ include profile devhelp /usr/bin/devhelp flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/eigrpd b/profiles/apparmor.d/eigrpd index 62ee8c276..ee4a37588 100644 --- a/profiles/apparmor.d/eigrpd +++ b/profiles/apparmor.d/eigrpd @@ -19,7 +19,7 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) { capability net_raw, - /usr/lib/frr/eigrpd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/element-desktop b/profiles/apparmor.d/element-desktop index 937a5b007..9ac946cd1 100644 --- a/profiles/apparmor.d/element-desktop +++ b/profiles/apparmor.d/element-desktop @@ -6,6 +6,7 @@ include profile element-desktop /opt/Element/element-desktop flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/epiphany b/profiles/apparmor.d/epiphany index 7a412d20f..c52950038 100644 --- a/profiles/apparmor.d/epiphany +++ b/profiles/apparmor.d/epiphany @@ -6,6 +6,7 @@ include profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/evolution b/profiles/apparmor.d/evolution index 48b842bfb..1b88d7d09 100644 --- a/profiles/apparmor.d/evolution +++ b/profiles/apparmor.d/evolution @@ -6,6 +6,7 @@ include profile evolution /usr/bin/evolution flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/fabricd b/profiles/apparmor.d/fabricd index 4770146b8..5a4a5624f 100644 --- a/profiles/apparmor.d/fabricd +++ b/profiles/apparmor.d/fabricd 
@@ -17,7 +17,7 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) { include include - /usr/lib/frr/fabricd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/firefox b/profiles/apparmor.d/firefox index 4071c3453..d32eaa4dc 100644 --- a/profiles/apparmor.d/firefox +++ b/profiles/apparmor.d/firefox @@ -7,6 +7,8 @@ include profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) { userns, + @{exec_path} mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/flatpak b/profiles/apparmor.d/flatpak index 846978470..1c439deda 100644 --- a/profiles/apparmor.d/flatpak +++ b/profiles/apparmor.d/flatpak @@ -6,6 +6,7 @@ include profile flatpak /usr/bin/flatpak flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/foliate b/profiles/apparmor.d/foliate index efc3af14f..5b769b2e7 100644 --- a/profiles/apparmor.d/foliate +++ b/profiles/apparmor.d/foliate @@ -6,6 +6,7 @@ include profile foliate /usr/bin/foliate flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3 index f159a1b31..39c99eced 100644 --- a/profiles/apparmor.d/fusermount3 +++ b/profiles/apparmor.d/fusermount3 @@ -36,7 +36,7 @@ profile fusermount3 /usr/bin/fusermount3 { @{etc_ro}/fuse.conf r, @{PROC}/@{pid}/mounts r, - /usr/bin/fusermount3 mr, + @{exec_path} mr, include if exists } diff --git a/profiles/apparmor.d/geary b/profiles/apparmor.d/geary index 6e65176ce..05cc1d314 100644 --- a/profiles/apparmor.d/geary +++ b/profiles/apparmor.d/geary 
@@ -6,6 +6,7 @@ include profile geary /usr/bin/geary flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/github-desktop b/profiles/apparmor.d/github-desktop index d2c090874..da86c2070 100644 --- a/profiles/apparmor.d/github-desktop +++ b/profiles/apparmor.d/github-desktop @@ -6,6 +6,7 @@ include profile github-desktop /usr/lib/github-desktop/github-desktop flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/goldendict b/profiles/apparmor.d/goldendict index bb81eb914..40fe352a6 100644 --- a/profiles/apparmor.d/goldendict +++ b/profiles/apparmor.d/goldendict @@ -6,6 +6,7 @@ include profile goldendict /usr/bin/goldendict flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/iotop-c b/profiles/apparmor.d/iotop-c index f02fbc7a6..343a29f27 100644 --- a/profiles/apparmor.d/iotop-c +++ b/profiles/apparmor.d/iotop-c @@ -15,7 +15,7 @@ profile iotop-c /usr/sbin/iotop-c { /proc/*/cmdline r, /proc/*/task/ r, - /usr/sbin/iotop-c mr, + @{exec_path} mr, /proc/ r, /proc/sys/kernel/task_delayacct rw, /proc/vmstat r, diff --git a/profiles/apparmor.d/ipa_verify b/profiles/apparmor.d/ipa_verify index f2a90bade..1f03793e5 100644 --- a/profiles/apparmor.d/ipa_verify +++ b/profiles/apparmor.d/ipa_verify @@ -3,13 +3,12 @@ abi , include @{arg1}=/**/*.so - profile ipa_verify /usr/bin/ipa_verify { include # Until we can replace arg1 above with real arg parsing include - /usr/bin/ipa_verify r, + @{exec_path} mr, # Probably enumerated by libcamera initialization but not needed for this tool's functionality deny /sys/devices/system/node/ r, diff --git a/profiles/apparmor.d/isisd b/profiles/apparmor.d/isisd index 1701c8310..2def6b1a2 100644 
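Review bot: The replacement rule `@{exec_path} mr,` in ipa_verify grants `m` (mmap-exec) where the removed `/usr/bin/ipa_verify r,` granted only `r`, so this hunk widens the profile rather than only substituting the variable; the same happens in ldpd on the next line, where `/usr/lib/frr/ldpd ix,` becomes `@{exec_path} mrix,`. If the extra bits are needed (the binary maps itself again, or a re-exec path), that deserves its own line in the commit message; otherwise keep the permission set unchanged, `@{exec_path} r,` here and `@{exec_path} ix,` in ldpd, so the variable change stays reviewable as a pure rename. This hunk also drops the blank line between `@{arg1}=/**/*.so` and the profile header, which is unrelated to the variable change.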
--- a/profiles/apparmor.d/isisd +++ b/profiles/apparmor.d/isisd @@ -20,7 +20,7 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) { capability net_raw, - /usr/lib/frr/isisd mr, + @{exec_path} mr, /var/lib/frr/ r, /var/lib/frr/isisd.json{,.sav} rw, diff --git a/profiles/apparmor.d/kchmviewer b/profiles/apparmor.d/kchmviewer index a604d90a8..978d6c616 100644 --- a/profiles/apparmor.d/kchmviewer +++ b/profiles/apparmor.d/kchmviewer @@ -6,6 +6,7 @@ include profile kchmviewer /usr/bin/kchmviewer flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/keybase b/profiles/apparmor.d/keybase index 1cd646d66..e84803909 100644 --- a/profiles/apparmor.d/keybase +++ b/profiles/apparmor.d/keybase @@ -6,6 +6,7 @@ include profile keybase /opt/keybase/Keybase flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lc-compliance b/profiles/apparmor.d/lc-compliance index e7eb13ae0..774b98924 100644 --- a/profiles/apparmor.d/lc-compliance +++ b/profiles/apparmor.d/lc-compliance @@ -6,6 +6,7 @@ include profile lc-compliance /usr/bin/lc-compliance flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/ldpd b/profiles/apparmor.d/ldpd index 7e169322b..66229cbbd 100644 --- a/profiles/apparmor.d/ldpd +++ b/profiles/apparmor.d/ldpd @@ -18,7 +18,7 @@ profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) { include include - /usr/lib/frr/ldpd ix, + @{exec_path} mrix, @{run}/frr/ldpd.sock rw, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/libcamerify b/profiles/apparmor.d/libcamerify index 3751b941c..704d80756 100644 --- a/profiles/apparmor.d/libcamerify 
+++ b/profiles/apparmor.d/libcamerify @@ -6,6 +6,7 @@ include profile libcamerify /usr/bin/libcamerify flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/linux-sandbox b/profiles/apparmor.d/linux-sandbox index 94f365a00..e88937af1 100644 --- a/profiles/apparmor.d/linux-sandbox +++ b/profiles/apparmor.d/linux-sandbox @@ -6,6 +6,7 @@ include profile linux-sandbox /usr/libexec/@{multiarch}/bazel/linux-sandbox flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/loupe b/profiles/apparmor.d/loupe index f1beaac75..3f8266889 100644 --- a/profiles/apparmor.d/loupe +++ b/profiles/apparmor.d/loupe @@ -6,6 +6,7 @@ include profile loupe /usr/bin/loupe flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lsb_release b/profiles/apparmor.d/lsb_release index 3f4091804..6e515cd7d 100644 --- a/profiles/apparmor.d/lsb_release +++ b/profiles/apparmor.d/lsb_release @@ -18,7 +18,6 @@ profile lsb_release { /dev/tty rw, - /usr/bin/lsb_release r, /usr/bin/python3.{1,}[0-9] mr, /etc/debian_version r, diff --git a/profiles/apparmor.d/lsblk b/profiles/apparmor.d/lsblk index 1b3524474..9878ded48 100644 --- a/profiles/apparmor.d/lsblk +++ b/profiles/apparmor.d/lsblk @@ -17,7 +17,7 @@ profile lsblk /usr/bin/lsblk { include include - /usr/bin/lsblk mr, + @{exec_path} mr, @{sys}/block/ r, @{sys}/class/block/ r, diff --git a/profiles/apparmor.d/lxc-attach b/profiles/apparmor.d/lxc-attach index f3846106a..a0ad03453 100644 --- a/profiles/apparmor.d/lxc-attach +++ b/profiles/apparmor.d/lxc-attach 
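Review bot: The removed `/usr/bin/lsb_release r,` has no replacement in this hunk, and `profile lsb_release {` has no attachment path, so `@{exec_path}` cannot stand in for it here as it does in the other profiles of this series. The neighbouring `/usr/bin/python3.{1,}[0-9] mr,` suggests lsb_release is a script executed by the interpreter, which has to open the script file for reading after exec; without this rule that open would be denied once a caller transitions into this profile, unless read access is granted by a rule outside the hunk. If the deletion is deliberate, the commit message should say what covers the read; if not, restore the literal rule.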
@@ -6,6 +6,7 @@ include profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lxc-create b/profiles/apparmor.d/lxc-create index 44c5038a0..579826b7c 100644 --- a/profiles/apparmor.d/lxc-create +++ b/profiles/apparmor.d/lxc-create @@ -6,6 +6,7 @@ include profile lxc-create /usr/bin/lxc-create flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lxc-destroy b/profiles/apparmor.d/lxc-destroy index 862b946fd..831fa9d2e 100644 --- a/profiles/apparmor.d/lxc-destroy +++ b/profiles/apparmor.d/lxc-destroy @@ -6,6 +6,7 @@ include profile lxc-destroy /usr/bin/lxc-destroy flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lxc-execute b/profiles/apparmor.d/lxc-execute index 8629fa4da..9c8056ac7 100644 --- a/profiles/apparmor.d/lxc-execute +++ b/profiles/apparmor.d/lxc-execute @@ -6,6 +6,7 @@ include profile lxc-execute /usr/bin/lxc-execute flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lxc-stop b/profiles/apparmor.d/lxc-stop index cb769df3e..65c762396 100644 --- a/profiles/apparmor.d/lxc-stop +++ b/profiles/apparmor.d/lxc-stop @@ -6,6 +6,7 @@ include profile lxc-stop /usr/bin/lxc-stop flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lxc-unshare b/profiles/apparmor.d/lxc-unshare index 36ca0ea91..8d17ed842 100644 --- a/profiles/apparmor.d/lxc-unshare +++ b/profiles/apparmor.d/lxc-unshare 
@@ -6,6 +6,7 @@ include profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/lxc-usernsexec b/profiles/apparmor.d/lxc-usernsexec index 4295abcc7..f826e0f07 100644 --- a/profiles/apparmor.d/lxc-usernsexec +++ b/profiles/apparmor.d/lxc-usernsexec @@ -6,6 +6,7 @@ include profile lxc-usernsexec /usr/bin/lxc-usernsexec flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/mmdebstrap b/profiles/apparmor.d/mmdebstrap index d7fea3c28..ddb97a317 100644 --- a/profiles/apparmor.d/mmdebstrap +++ b/profiles/apparmor.d/mmdebstrap @@ -6,6 +6,7 @@ include profile mmdebstrap /usr/bin/mmdebstrap flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/msedge b/profiles/apparmor.d/msedge index 0e3a1b336..a02b82599 100644 --- a/profiles/apparmor.d/msedge +++ b/profiles/apparmor.d/msedge @@ -6,6 +6,7 @@ include profile msedge /opt/microsoft/msedge/msedge flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/nautilus b/profiles/apparmor.d/nautilus index d4031a0ea..c488cd7fd 100644 --- a/profiles/apparmor.d/nautilus +++ b/profiles/apparmor.d/nautilus @@ -6,6 +6,7 @@ include profile nautilus /usr/bin/nautilus flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/nhrpd b/profiles/apparmor.d/nhrpd index 411e286a1..59eacb73e 100644 --- a/profiles/apparmor.d/nhrpd +++ b/profiles/apparmor.d/nhrpd 
@@ -20,7 +20,7 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) { capability net_raw, capability net_admin, - /usr/lib/frr/nhrpd mr, + @{exec_path} mr, /usr/bin/dash ix, @{PROC}/sys/net/ipv4/conf/*/send_redirects w, diff --git a/profiles/apparmor.d/notepadqq b/profiles/apparmor.d/notepadqq index e1d4160ed..0586aef2b 100644 --- a/profiles/apparmor.d/notepadqq +++ b/profiles/apparmor.d/notepadqq @@ -6,6 +6,7 @@ include profile notepadqq /{{usr/bin,etc/alternatives}/notepadqq,usr/lib/notepadqq/notepadqq.sh} flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/nvidia_modprobe b/profiles/apparmor.d/nvidia_modprobe index ccf5300d6..6ba5eb3fa 100644 --- a/profiles/apparmor.d/nvidia_modprobe +++ b/profiles/apparmor.d/nvidia_modprobe @@ -16,8 +16,6 @@ profile nvidia_modprobe { # Main executable - /usr/bin/nvidia-modprobe mr, - # Other executables /usr/bin/kmod Cx -> kmod, diff --git a/profiles/apparmor.d/obsidian b/profiles/apparmor.d/obsidian index 3d6ef7f44..9d9e5a520 100644 --- a/profiles/apparmor.d/obsidian +++ b/profiles/apparmor.d/obsidian @@ -6,6 +6,7 @@ include profile obsidian /opt/Obsidian/obsidian flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/opam b/profiles/apparmor.d/opam index b0cd7a661..ebe6b4a08 100644 --- a/profiles/apparmor.d/opam +++ b/profiles/apparmor.d/opam @@ -6,6 +6,7 @@ include profile opam /usr/bin/opam flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/opera b/profiles/apparmor.d/opera index cbf88c661..ee179af8c 100644 --- a/profiles/apparmor.d/opera +++ b/profiles/apparmor.d/opera 
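Review bot: Removing `/usr/bin/nvidia-modprobe mr,` leaves the `# Main executable` comment heading nothing, and since `profile nvidia_modprobe {` has no attachment there is no `@{exec_path}` rule to take its place, unlike the other profiles in this series. If the rule was dropped because the binary is never mapped again after exec, delete the comment with it or replace it with a one-line reason, e.g. `# no attachment, so no @{exec_path}; the binary is not mapped again after exec`; if it was dropped by mistake, restore the literal rule. Either way a setuid helper's profile losing a rule in a rename commit is worth a sentence in the commit message.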
@@ -6,6 +6,7 @@ include profile opera /usr/lib/@{multiarch}/opera/opera flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/ospf6d b/profiles/apparmor.d/ospf6d index 9cf3efdf8..3a78e04f0 100644 --- a/profiles/apparmor.d/ospf6d +++ b/profiles/apparmor.d/ospf6d @@ -21,7 +21,7 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /usr/lib/frr/ospf6d mr, + @{exec_path} mr, @{run}/netns/* r, diff --git a/profiles/apparmor.d/ospfd b/profiles/apparmor.d/ospfd index 4b4202185..e1337a222 100644 --- a/profiles/apparmor.d/ospfd +++ b/profiles/apparmor.d/ospfd @@ -21,7 +21,7 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /usr/lib/frr/ospfd mr, + @{exec_path} mr, @{run}/netns/* r, diff --git a/profiles/apparmor.d/pageedit b/profiles/apparmor.d/pageedit index baa0da7b4..b52eea705 100644 --- a/profiles/apparmor.d/pageedit +++ b/profiles/apparmor.d/pageedit @@ -6,6 +6,7 @@ include profile pageedit /usr/bin/pageedit flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/pathd b/profiles/apparmor.d/pathd index 30b03b654..02dce4199 100644 --- a/profiles/apparmor.d/pathd +++ b/profiles/apparmor.d/pathd @@ -17,7 +17,7 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) { include include - /usr/lib/frr/pathd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/pbrd b/profiles/apparmor.d/pbrd index 0a58ffbb8..f2e5855ea 100644 --- a/profiles/apparmor.d/pbrd +++ b/profiles/apparmor.d/pbrd 
@@ -17,7 +17,7 @@ profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) { include include - /usr/lib/frr/pbrd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm index 29dd205d7..f100e1e38 100644 --- a/profiles/apparmor.d/php-fpm +++ b/profiles/apparmor.d/php-fpm @@ -40,7 +40,7 @@ profile php-fpm /usr/{bin,sbin}/php-fpm* flags=(attach_disconnected) { owner @{run}/systemd/notify w, # to reload - /usr/{bin,sbin}/php-fpm* rix, + @{exec_path} rix, # no idea why php tries to open / read/write deny / rw, diff --git a/profiles/apparmor.d/pim6d b/profiles/apparmor.d/pim6d index b5545bcb0..3f1ebeee5 100644 --- a/profiles/apparmor.d/pim6d +++ b/profiles/apparmor.d/pim6d @@ -20,7 +20,7 @@ profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) { capability net_raw, capability net_admin, - /usr/lib/frr/pim6d mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/pimd b/profiles/apparmor.d/pimd index d3502d63e..b49ed78bb 100644 --- a/profiles/apparmor.d/pimd +++ b/profiles/apparmor.d/pimd @@ -20,7 +20,7 @@ profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) { capability net_raw, capability net_admin, - /usr/lib/frr/pimd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell index 6b1616d97..ea663d67e 100644 --- a/profiles/apparmor.d/plasmashell +++ b/profiles/apparmor.d/plasmashell @@ -26,6 +26,7 @@ profile plasmashell /usr/bin/plasmashell { /** pux, /{,**} mrwlk, + @{exec_path} mr, profile QtWebEngineProcess { capability, diff --git a/profiles/apparmor.d/podman b/profiles/apparmor.d/podman index 54e29e220..a12d1d383 100644 --- a/profiles/apparmor.d/podman +++ b/profiles/apparmor.d/podman 
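Review bot: `@{exec_path} rix,` under `# to reload` is not a like-for-like substitution for `/usr/{bin,sbin}/php-fpm* rix,` on kernels that resolve `@{exec_path}` at run time: the attachment is a glob, and the rule would then permit re-exec only of the exact binary that was started rather than any `php-fpm*` under `/usr/{bin,sbin}`. That is a tightening and probably the right default, but a reload through a differently named sibling would start failing only on newer kernels, which is hard to diagnose from the profile alone; a comment such as `# re-exec of the same binary only; expands to the attachment glob on kernels without kernel variables` and a line in the commit message would help. samba-bgqd and ping have glob attachments too, though their rules only cover the running binary, where the narrowing is harmless.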
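Review bot: In plasmashell the new `@{exec_path} mr,` is already covered by `/{,**} mrwlk,` two lines above, so it grants nothing. If it is kept as a marker so the profile stays consistent with the others in this series, a comment saying so would stop the next reader from removing it as dead; otherwise drop it.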
@@ -6,6 +6,7 @@ include profile podman /usr/bin/podman flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/polypane b/profiles/apparmor.d/polypane index ebe60e04d..f985214ad 100644 --- a/profiles/apparmor.d/polypane +++ b/profiles/apparmor.d/polypane @@ -6,6 +6,7 @@ include profile polypane /opt/Polypane/polypane flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/privacybrowser b/profiles/apparmor.d/privacybrowser index ee010b7a2..726e7e632 100644 --- a/profiles/apparmor.d/privacybrowser +++ b/profiles/apparmor.d/privacybrowser @@ -6,6 +6,7 @@ include profile privacybrowser /usr/bin/privacybrowser flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/qcam b/profiles/apparmor.d/qcam index 5da2f7bdd..c9f818265 100644 --- a/profiles/apparmor.d/qcam +++ b/profiles/apparmor.d/qcam @@ -6,6 +6,7 @@ include profile qcam /usr/bin/qcam flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/qmapshack b/profiles/apparmor.d/qmapshack index 20ffad169..71838ba58 100644 --- a/profiles/apparmor.d/qmapshack +++ b/profiles/apparmor.d/qmapshack @@ -6,6 +6,7 @@ include profile qmapshack /usr/bin/qmapshack flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/qutebrowser b/profiles/apparmor.d/qutebrowser index bc92a9910..43f4d7de9 100644 --- a/profiles/apparmor.d/qutebrowser +++ b/profiles/apparmor.d/qutebrowser 
@@ -6,6 +6,7 @@ include profile qutebrowser /usr/bin/qutebrowser flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/remmina b/profiles/apparmor.d/remmina index 621620268..f070d7f38 100644 --- a/profiles/apparmor.d/remmina +++ b/profiles/apparmor.d/remmina @@ -49,7 +49,7 @@ profile remmina /usr/bin/remmina { dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member=RegisterStatusNotifierItem peer=(label=@{StatusNotifierWatcher}), @{etc_ro}/fstab r, - /usr/bin/remmina mr, + @{exec_path} mr, /usr/share/remmina/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, /etc/debian_version r, diff --git a/profiles/apparmor.d/ripd b/profiles/apparmor.d/ripd index 9ce13e2cc..845f0fb9c 100644 --- a/profiles/apparmor.d/ripd +++ b/profiles/apparmor.d/ripd @@ -18,7 +18,7 @@ profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) { include include - /usr/lib/frr/ripd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/ripngd b/profiles/apparmor.d/ripngd index 7573c2a21..a0b6e79b3 100644 --- a/profiles/apparmor.d/ripngd +++ b/profiles/apparmor.d/ripngd @@ -17,7 +17,7 @@ profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) { include include - /usr/lib/frr/ripngd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/rootlesskit b/profiles/apparmor.d/rootlesskit index d5f4ac963..5aa9e6e52 100644 --- a/profiles/apparmor.d/rootlesskit +++ b/profiles/apparmor.d/rootlesskit @@ -6,6 +6,7 @@ include profile rootlesskit /usr/bin/rootlesskit flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists 
diff --git a/profiles/apparmor.d/rpm b/profiles/apparmor.d/rpm index 04c95a629..6cef21c07 100644 --- a/profiles/apparmor.d/rpm +++ b/profiles/apparmor.d/rpm @@ -6,6 +6,7 @@ include profile rpm /usr/bin/rpm flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/rssguard b/profiles/apparmor.d/rssguard index 33b7d338e..b84604fa8 100644 --- a/profiles/apparmor.d/rssguard +++ b/profiles/apparmor.d/rssguard @@ -6,6 +6,7 @@ include profile rssguard /usr/bin/rssguard flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/runc b/profiles/apparmor.d/runc index d42549503..cb009d4ae 100644 --- a/profiles/apparmor.d/runc +++ b/profiles/apparmor.d/runc @@ -6,6 +6,7 @@ include profile runc /usr/{bin,sbin}/runc flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/rygel b/profiles/apparmor.d/rygel index c19dc33ef..fed258c98 100644 --- a/profiles/apparmor.d/rygel +++ b/profiles/apparmor.d/rygel @@ -32,7 +32,7 @@ profile rygel /usr/bin/rygel { file r @{etc_ro}/rygel.conf, - file mr /usr/bin/rygel, + file mr @{exec_path}, file Cx /usr/libexec/rygel/mx-extract -> mx-extract, diff --git a/profiles/apparmor.d/samba-bgqd b/profiles/apparmor.d/samba-bgqd index 81d4953cd..cb77a7ca2 100644 --- a/profiles/apparmor.d/samba-bgqd +++ b/profiles/apparmor.d/samba-bgqd @@ -15,7 +15,7 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd { @{run}/{,samba/}samba-bgqd.pid rwk, - /usr/lib*/samba/{,samba/}samba-bgqd mr, + @{exec_path} mr, /var/cache/samba/printing/*.tdb rwk, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/samba-dcerpcd b/profiles/apparmor.d/samba-dcerpcd index d16827666..02bc06a8a 100644 
--- a/profiles/apparmor.d/samba-dcerpcd +++ b/profiles/apparmor.d/samba-dcerpcd @@ -20,7 +20,7 @@ profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd { @{run}/{,samba/}samba-dcerpcd.pid rwk, - /usr/lib*/samba/{,samba/}samba-dcerpcd mr, + @{exec_path} mr, /usr/lib*/samba/ r, /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd, diff --git a/profiles/apparmor.d/samba-rpcd b/profiles/apparmor.d/samba-rpcd index 22d79129e..f1864f4c0 100644 --- a/profiles/apparmor.d/samba-rpcd +++ b/profiles/apparmor.d/samba-rpcd @@ -18,7 +18,7 @@ profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp, capability sys_resource, - /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr, + @{exec_path} mr, @{run}/samba/ncalrpc/np/lsarpc wr, @{run}/samba/ncalrpc/np/mdssvc wr, diff --git a/profiles/apparmor.d/samba-rpcd-classic b/profiles/apparmor.d/samba-rpcd-classic index 3943aa98b..c7beb2f90 100644 --- a/profiles/apparmor.d/samba-rpcd-classic +++ b/profiles/apparmor.d/samba-rpcd-classic @@ -19,7 +19,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic { capability sys_resource, - /usr/lib*/samba/{,samba/}rpcd_classic mr, + @{exec_path} mr, @{run}/samba/ncalrpc/np/srvsvc wr, @{run}/samba/ncalrpc/np/winreg wr, diff --git a/profiles/apparmor.d/samba-rpcd-spoolss b/profiles/apparmor.d/samba-rpcd-spoolss index 215e85abd..760975866 100644 --- a/profiles/apparmor.d/samba-rpcd-spoolss +++ b/profiles/apparmor.d/samba-rpcd-spoolss @@ -16,7 +16,7 @@ include profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss { include - /usr/lib*/samba/{,samba/}rpcd_spoolss mr, + @{exec_path} mr, /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd, /var/cache/samba/printing/ w, /var/cache/samba/printing/*.tdb rwk, diff --git a/profiles/apparmor.d/sbin.klogd b/profiles/apparmor.d/sbin.klogd index 918a38e52..38bf69334 100644 --- a/profiles/apparmor.d/sbin.klogd 
+++ b/profiles/apparmor.d/sbin.klogd @@ -26,7 +26,7 @@ profile klogd /{usr/,}{bin,sbin}/klogd { @{PROC}/kallsyms r, /dev/tty rw, - /{usr/,}{bin,sbin}/klogd rmix, + @{exec_path} mrix, /var/log/boot.msg rwl, @{run}/klogd.pid krwl, @{run}/klogd/klogd.pid krwl, diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng index 4936fadd1..bfe0dbe59 100644 --- a/profiles/apparmor.d/sbin.syslog-ng +++ b/profiles/apparmor.d/sbin.syslog-ng @@ -47,7 +47,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng { /etc/syslog-ng/conf.d/ r, /etc/syslog-ng/conf.d/* r, @{PROC}/kmsg r, - /{usr/,}{bin,sbin}/syslog-ng mr, + @{exec_path} mr, @{sys}/devices/system/cpu/online r, /usr/share/syslog-ng/** r, /var/lib/syslog-ng/syslog-ng-?????.qf rw, diff --git a/profiles/apparmor.d/sbin.syslogd b/profiles/apparmor.d/sbin.syslogd index 847c0c1a6..e1de1af29 100644 --- a/profiles/apparmor.d/sbin.syslogd +++ b/profiles/apparmor.d/sbin.syslogd @@ -38,7 +38,7 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd { /etc/syslog.conf r, /etc/syslog.d/ r, /etc/syslog.d/* r, - /{usr/,}{bin,sbin}/syslogd rmix, + @{exec_path} mrix, /var/log/** rw, @{run}/syslog.pid krwl, @{run}/syslogd.pid krwl, diff --git a/profiles/apparmor.d/sbuild b/profiles/apparmor.d/sbuild index 28f3e41d7..adbab704f 100644 --- a/profiles/apparmor.d/sbuild +++ b/profiles/apparmor.d/sbuild @@ -8,8 +8,9 @@ profile sbuild /usr/bin/sbuild flags=(attach_disconnected mediate_deleted) { allow all, userns, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at lower priority /usr/bin/unshare ix, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/sbuild-abort b/profiles/apparmor.d/sbuild-abort index 77b60db3f..21a6f54db 100644 --- a/profiles/apparmor.d/sbuild-abort +++ b/profiles/apparmor.d/sbuild-abort 
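Review bot: The rewritten comment differs in wording across the otherwise identical sbuild-* hunks (this chunk through the sbuild-upgrade hunk): sbuild has `# override default pix, assumes allow all ix is at lower priority`, sbuild-abort and sbuild-adduser drop the `ix` (`assumes allow all is at lower priority`), sbuild-checkpackages drops `all` (`assumes allow ix is at lower priority`), and the remaining ten say `at a lower priority`. Pick one form, e.g. `# override default pix, assumes allow all ix is at a lower priority`, and use it in all fourteen profiles. The new `@{exec_path} mrix,` line presumably relies on the same priority assumption, but it was inserted above the comment, so the comment now reads as applying only to `/usr/bin/unshare ix,`; moving the new line below the comment would keep the two `ix` overrides together under the explanation.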
@@ -6,8 +6,9 @@ include profile sbuild-abort /usr/bin/sbuild-abort flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all is at lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-adduser b/profiles/apparmor.d/sbuild-adduser index bb67c50e7..ada1cd389 100644 --- a/profiles/apparmor.d/sbuild-adduser +++ b/profiles/apparmor.d/sbuild-adduser @@ -6,8 +6,9 @@ include profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-apt b/profiles/apparmor.d/sbuild-apt index f50fc4f3b..3d3a1e18f 100644 --- a/profiles/apparmor.d/sbuild-apt +++ b/profiles/apparmor.d/sbuild-apt @@ -6,8 +6,9 @@ include profile sbuild-apt /usr/bin/sbuild-apt flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-checkpackages b/profiles/apparmor.d/sbuild-checkpackages index c4f8812d1..f4ebb2b8e 100644 --- a/profiles/apparmor.d/sbuild-checkpackages +++ b/profiles/apparmor.d/sbuild-checkpackages @@ -6,8 +6,9 @@ include profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow ix is at lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-clean b/profiles/apparmor.d/sbuild-clean index eca646a51..40a9923db 100644 --- a/profiles/apparmor.d/sbuild-clean +++ b/profiles/apparmor.d/sbuild-clean 
@@ -6,8 +6,9 @@ include profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-createchroot b/profiles/apparmor.d/sbuild-createchroot index 85ffa3ed6..860b933a7 100644 --- a/profiles/apparmor.d/sbuild-createchroot +++ b/profiles/apparmor.d/sbuild-createchroot @@ -6,8 +6,9 @@ include profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-destroychroot b/profiles/apparmor.d/sbuild-destroychroot index 7232c2ce6..b70624b51 100644 --- a/profiles/apparmor.d/sbuild-destroychroot +++ b/profiles/apparmor.d/sbuild-destroychroot @@ -6,8 +6,9 @@ include profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-distupgrade b/profiles/apparmor.d/sbuild-distupgrade index 8df44146f..ead850645 100644 --- a/profiles/apparmor.d/sbuild-distupgrade +++ b/profiles/apparmor.d/sbuild-distupgrade @@ -6,8 +6,9 @@ include profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-hold b/profiles/apparmor.d/sbuild-hold index 0a07994ec..70b611907 100644 --- a/profiles/apparmor.d/sbuild-hold +++ b/profiles/apparmor.d/sbuild-hold 
@@ -6,8 +6,9 @@ include profile sbuild-hold /usr/bin/sbuild-hold flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-shell b/profiles/apparmor.d/sbuild-shell index d93b70e6d..72901516e 100644 --- a/profiles/apparmor.d/sbuild-shell +++ b/profiles/apparmor.d/sbuild-shell @@ -6,8 +6,9 @@ include profile sbuild-shell /usr/bin/sbuild-shell flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-unhold b/profiles/apparmor.d/sbuild-unhold index 13c009633..53f06f4c0 100644 --- a/profiles/apparmor.d/sbuild-unhold +++ b/profiles/apparmor.d/sbuild-unhold @@ -6,8 +6,9 @@ include profile sbuild-unhold /usr/bin/sbuild-unhold flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-update b/profiles/apparmor.d/sbuild-update index 764c11e26..eadb87fb3 100644 --- a/profiles/apparmor.d/sbuild-update +++ b/profiles/apparmor.d/sbuild-update @@ -6,8 +6,9 @@ include profile sbuild-update /usr/bin/sbuild-update flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/sbuild-upgrade b/profiles/apparmor.d/sbuild-upgrade index 3ee9d328a..34a01e12c 100644 --- a/profiles/apparmor.d/sbuild-upgrade +++ b/profiles/apparmor.d/sbuild-upgrade 
@@ -6,8 +6,9 @@ include profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(attach_disconnected mediate_deleted) { allow all, + @{exec_path} mrix, - # override default pix + # override default pix, assumes allow all ix is at a lower priority /usr/bin/unshare ix, userns, diff --git a/profiles/apparmor.d/scide b/profiles/apparmor.d/scide index 4cbde8bfb..7e65d5f8e 100644 --- a/profiles/apparmor.d/scide +++ b/profiles/apparmor.d/scide @@ -7,6 +7,7 @@ include #supercollider-ide profile scide /usr/bin/scide flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/signal-desktop b/profiles/apparmor.d/signal-desktop index 05738b995..d3e284c71 100644 --- a/profiles/apparmor.d/signal-desktop +++ b/profiles/apparmor.d/signal-desktop @@ -6,6 +6,7 @@ include profile signal-desktop /opt/Signal/signal-desktop flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/slack b/profiles/apparmor.d/slack index 158b3d3c7..bacb1abbd 100644 --- a/profiles/apparmor.d/slack +++ b/profiles/apparmor.d/slack @@ -6,6 +6,7 @@ include profile slack /usr/lib/slack/slack flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/slirp4netns b/profiles/apparmor.d/slirp4netns index 014819edc..bc975785a 100644 --- a/profiles/apparmor.d/slirp4netns +++ b/profiles/apparmor.d/slirp4netns @@ -6,6 +6,7 @@ include profile slirp4netns /usr/bin/slirp4netns flags=(unconfined) { userns, + @{exec_path} mrix, # pivot_root is required for running `slirp4netns --enable-sandbox` inside LXD. # https://github.com/rootless-containers/slirp4netns/issues/348 diff --git a/profiles/apparmor.d/staticd b/profiles/apparmor.d/staticd index 4825bd505..f4a92b4d8 100644 
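Review bot: The self-exec rule added to the `flags=(unconfined)` profiles switches form partway through the commit: scide, signal-desktop, slack, slirp4netns, steam, stress-ng, surfshark, systemd-coredump, thunderbird, trinity, tup, tuxedo-control-center and userbindmount get `@{exec_path} mrix,`, while the equally unconfined podman, polypane, privacybrowser, qcam, qmapshack, qutebrowser, rootlesskit, rpm, rssguard and runc hunks get `@{exec_path} mr,`. Rules in an unconfined profile do not restrict the task, so the difference changes no mediation, but it makes the variation look deliberate when it presumably is not. Settle on one form for the unconfined template; `@{exec_path} mr,` is the one most confined profiles in this commit use.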
--- a/profiles/apparmor.d/staticd +++ b/profiles/apparmor.d/staticd @@ -17,7 +17,7 @@ profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) { include include - /usr/lib/frr/staticd mr, + @{exec_path} mr, /etc/frr/zebra.conf r, diff --git a/profiles/apparmor.d/steam b/profiles/apparmor.d/steam index ebd06f71d..12360b9b6 100644 --- a/profiles/apparmor.d/steam +++ b/profiles/apparmor.d/steam @@ -6,6 +6,7 @@ include profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/stress-ng b/profiles/apparmor.d/stress-ng index 314b81563..653a98550 100644 --- a/profiles/apparmor.d/stress-ng +++ b/profiles/apparmor.d/stress-ng @@ -6,6 +6,7 @@ include profile stress-ng /usr/bin/stress-ng flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/surfshark b/profiles/apparmor.d/surfshark index adbd896d5..02717a1dd 100644 --- a/profiles/apparmor.d/surfshark +++ b/profiles/apparmor.d/surfshark @@ -6,6 +6,7 @@ include profile surfshark /opt/Surfshark/surfshark flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/systemd-coredump b/profiles/apparmor.d/systemd-coredump index 5b89dcd08..2f7e366dd 100644 --- a/profiles/apparmor.d/systemd-coredump +++ b/profiles/apparmor.d/systemd-coredump @@ -6,6 +6,7 @@ include profile systemd-coredump /usr/lib/systemd/systemd-coredump flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tar b/profiles/apparmor.d/tar index 91b31237d..5ea57a4ca 100644 --- a/profiles/apparmor.d/tar +++ b/profiles/apparmor.d/tar 
@@ -25,6 +25,7 @@ profile tar /usr/bin/tar { file rwl /**, # tar can be made to filter archives through an arbitrary program + @{exec_path} mr, /{usr{/local,},}/{bin,sbin}/* ix, /opt/** ix, diff --git a/profiles/apparmor.d/thunderbird b/profiles/apparmor.d/thunderbird index 060eb24da..de985e08e 100644 --- a/profiles/apparmor.d/thunderbird +++ b/profiles/apparmor.d/thunderbird @@ -6,6 +6,7 @@ include profile thunderbird /usr/bin/thunderbird flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index 4a615779b..3a62e3b16 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy @@ -30,7 +30,7 @@ profile tinyproxy /usr/bin/tinyproxy { # allow this as well capability net_bind_service, - file mr /usr/bin/tinyproxy, + mr @{exec_path}, file r @{etc_ro}/tinyproxy/tinyproxy.conf, # tinyproxy.conf allows to configure the locations of various files that will diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp index 7641bc869..c9ddd1a53 100644 --- a/profiles/apparmor.d/tnftp +++ b/profiles/apparmor.d/tnftp @@ -28,7 +28,7 @@ profile tnftp /usr/bin/tnftp { network inet stream, network inet6 stream, - /usr/bin/tnftp mr, + @{exec_path} mr, # required for the pager (less, more) to work file Cx /usr/bin/dash, diff --git a/profiles/apparmor.d/transmission b/profiles/apparmor.d/transmission index d76dd102f..33687c6dc 100644 --- a/profiles/apparmor.d/transmission +++ b/profiles/apparmor.d/transmission @@ -17,7 +17,7 @@ profile transmission-daemon /usr/bin/transmission-daemon flags=(complain,attach_ network inet stream, network inet6 stream, - /usr/bin/transmission-daemon mr, + @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/random/uuid r, 
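Review bot: `mr @{exec_path},` in the tinyproxy hunk drops the `file` keyword that the replaced `file mr /usr/bin/tinyproxy,` and the neighbouring `file r ...`/`file Cx ...` rules use; the tshark hunk in the next chunk (`file mr /usr/bin/tshark,` → `mr @{exec_path},`) makes the same change, while the rygel hunk keeps `file mr @{exec_path},`. If the parser only accepts the access-first form with the `file` prefix, these two lines will fail to compile; even if they parse, they are the only rules in this commit written that way. Suggest `file mr @{exec_path},` in both.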
@@ -44,7 +44,7 @@ profile transmission-cli /usr/bin/transmission-cli flags=(complain) { include include - /usr/bin/transmission-cli mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists @@ -57,7 +57,7 @@ profile transmission-gtk /usr/bin/transmission-gtk flags=(complain,attach_discon include include - /usr/bin/transmission-gtk mr, + @{exec_path} mr, owner @{run}/user/*/dconf/user w, @@ -76,7 +76,7 @@ profile transmission-qt /usr/bin/transmission-qt flags=(complain) { include include - /usr/bin/transmission-qt mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/trinity b/profiles/apparmor.d/trinity index 41e2346ad..0c1059dbd 100644 --- a/profiles/apparmor.d/trinity +++ b/profiles/apparmor.d/trinity @@ -6,6 +6,7 @@ include profile trinity /usr/bin/trinity flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tshark b/profiles/apparmor.d/tshark index a249914d4..85f0cc693 100644 --- a/profiles/apparmor.d/tshark +++ b/profiles/apparmor.d/tshark @@ -23,7 +23,7 @@ profile tshark /usr/bin/tshark { signal send peer=tshark//dumpcap, file Cx /usr/bin/dumpcap -> dumpcap, - file mr /usr/bin/tshark, + mr @{exec_path}, file mrix /usr/lib/@{multiarch}/wireshark/extcap/{,*}, file r /usr/share/wireshark/{,**}, file r @{PROC}/@{pid}/fd/, diff --git a/profiles/apparmor.d/tup b/profiles/apparmor.d/tup index 482a0d326..7ec6899de 100644 --- a/profiles/apparmor.d/tup +++ b/profiles/apparmor.d/tup @@ -6,6 +6,7 @@ include profile tup /usr/bin/tup flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tuxedo-control-center b/profiles/apparmor.d/tuxedo-control-center index d64c762af..0bd0f6216 100644 
--- a/profiles/apparmor.d/tuxedo-control-center +++ b/profiles/apparmor.d/tuxedo-control-center @@ -6,6 +6,7 @@ include profile tuxedo-control-center /opt/tuxedo-control-center/tuxedo-control-center flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/unix-chkpwd b/profiles/apparmor.d/unix-chkpwd index a8ec8d43f..fc69f1df8 100644 --- a/profiles/apparmor.d/unix-chkpwd +++ b/profiles/apparmor.d/unix-chkpwd @@ -20,7 +20,7 @@ profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd { network netlink raw, - /{,usr/}{,s}bin/unix_chkpwd mr, + @{exec_path} mr, /etc/shadow r, diff --git a/profiles/apparmor.d/userbindmount b/profiles/apparmor.d/userbindmount index 406f494c7..004c2cea6 100644 --- a/profiles/apparmor.d/userbindmount +++ b/profiles/apparmor.d/userbindmount @@ -6,6 +6,7 @@ include profile userbindmount /usr/bin/userbindmount flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.bin.hwctl b/profiles/apparmor.d/usr.bin.hwctl index 8a7586954..6fae491bd 100644 --- a/profiles/apparmor.d/usr.bin.hwctl +++ b/profiles/apparmor.d/usr.bin.hwctl @@ -24,6 +24,8 @@ profile hwctl /usr/bin/hwctl { network inet6 stream, network netlink raw, + @{exec_path} mr, + /sys/firmware/dmi/tables/* r, # for collecting SMBIOS info /sys/devices/system/cpu/cpufreq/policy*/cpuinfo_max_freq r, /sys/fs/cgroup/**/cpu.max r, @@ -38,14 +40,14 @@ profile hwctl /usr/bin/hwctl { profile dpkg /usr/bin/dpkg { include - /usr/bin/dpkg r, + @{exec_path} r, /etc/dpkg/** r, } profile kmod /usr/bin/kmod { include - /usr/bin/kmod r, + @{exec_path} r, @{PROC}/{cmdline,modules} r, @{sys}/module/** r, # for fetching kernel modules } 
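Review bot: In the hwctl hunk `@{exec_path} r,` is used inside the child profiles `profile dpkg /usr/bin/dpkg` and `profile kmod /usr/bin/kmod`, which carry their own attachment paths, and it is not visible from the hunk whether the variable in a nested profile resolves to the child's attachment or to the enclosing hwctl profile's. If it resolves to the parent, both children silently lose the read rule on their own binaries that `/usr/bin/dpkg r,` and `/usr/bin/kmod r,` granted. Please confirm the scoping (a parser test with a nested attached profile would pin it) and state it in the `@{attach_path}`/`@{exec_path}` documentation so profile authors know which profile a nested use refers to.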
diff --git a/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 index fdc1f40e5..f96f79ca2 100644 --- a/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 +++ b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 @@ -53,6 +53,7 @@ include / rw, /** mrwlkix, + @{exec_path} mr, ^DEFAULT_URI { diff --git a/profiles/apparmor.d/usr.lib.dovecot.anvil b/profiles/apparmor.d/usr.lib.dovecot.anvil index 852a647bf..6e867cf38 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.anvil +++ b/profiles/apparmor.d/usr.lib.dovecot.anvil @@ -24,7 +24,7 @@ profile dovecot-anvil /usr/lib*/dovecot/anvil { @{run}/dovecot/anvil rw, @{run}/dovecot/anvil-auth-penalty rw, - /usr/lib*/dovecot/anvil mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth index 06277c448..98534d154 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.auth +++ b/profiles/apparmor.d/usr.lib.dovecot.auth @@ -33,7 +33,7 @@ profile dovecot-auth /usr/lib*/dovecot/auth { /etc/my.cnf.d/*.cnf r, /etc/dovecot/* r, - /usr/lib*/dovecot/auth mr, + @{exec_path} mr, /var/lib/dovecot/auth-chroot/* r, # kerberos replay cache diff --git a/profiles/apparmor.d/usr.lib.dovecot.config b/profiles/apparmor.d/usr.lib.dovecot.config index e14a58fb8..c0ae6a58f 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.config +++ b/profiles/apparmor.d/usr.lib.dovecot.config @@ -24,7 +24,7 @@ profile dovecot-config /usr/lib*/dovecot/config { /etc/dovecot/** r, /usr/bin/doveconf rix, - /usr/lib*/dovecot/config mr, + @{exec_path} mr, /usr/lib*/dovecot/managesieve Px, /usr/share/dovecot/** r, /var/lib/dovecot/ssl-parameters.dat r, diff --git a/profiles/apparmor.d/usr.lib.dovecot.deliver b/profiles/apparmor.d/usr.lib.dovecot.deliver index d458e0533..81dc0565c 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.deliver 
+++ b/profiles/apparmor.d/usr.lib.dovecot.deliver @@ -32,7 +32,7 @@ profile dovecot-deliver /usr/lib*/dovecot/deliver { /etc/dovecot/dovecot-postfix.conf r, # ??? @{HOME} r, # ??? - /usr/lib*/dovecot/deliver mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.dict b/profiles/apparmor.d/usr.lib.dovecot.dict index 735160b58..ba2722b07 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.dict +++ b/profiles/apparmor.d/usr.lib.dovecot.dict @@ -26,7 +26,7 @@ profile dovecot-dict /usr/lib*/dovecot/dict { /etc/dovecot/dovecot-database.conf.ext r, /etc/dovecot/dovecot-dict-sql.conf.ext r, /etc/my.cnf r, - /usr/lib*/dovecot/dict mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.director b/profiles/apparmor.d/usr.lib.dovecot.director index b290b89d9..50f590131 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.director +++ b/profiles/apparmor.d/usr.lib.dovecot.director @@ -22,7 +22,7 @@ profile dovecot-director /usr/lib*/dovecot/director flags=(attach_disconnected) capability sys_chroot, /run/dovecot/login/proxy-notify rw, - /usr/lib*/dovecot/director mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.doveadm-server b/profiles/apparmor.d/usr.lib.dovecot.doveadm-server index f6e4edc56..72d146050 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.doveadm-server +++ b/profiles/apparmor.d/usr.lib.dovecot.doveadm-server @@ -17,7 +17,7 @@ profile dovecot-doveadm-server /usr/lib*/dovecot/doveadm-server flags=(attach_di include include - /usr/lib*/dovecot/doveadm-server mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists 
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth index b832532bc..f38d2af52 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth +++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth @@ -25,7 +25,7 @@ profile dovecot-dovecot-auth /usr/lib*/dovecot/dovecot-auth { capability dac_override, @{PROC}/@{pid}/mounts r, - /usr/lib*/dovecot/dovecot-auth mr, + @{exec_path} mr, @{run}/dovecot/** rw, # required for postfix+dovecot integration /var/spool/postfix/private/dovecot-auth w, diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda index 047b947de..b192b88fd 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda +++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda @@ -30,7 +30,7 @@ profile dovecot-dovecot-lda /usr/lib*/dovecot/dovecot-lda flags=(attach_disconne @{run}/dovecot/mounts r, @{run}/dovecot/auth-userdb rw, /usr/bin/doveconf mrix, - /usr/lib*/dovecot/dovecot-lda mrix, + @{exec_path} mrix, /usr/{bin,sbin}/sendmail Cx -> sendmail, /usr/share/dovecot/protocols.d/ r, /usr/share/dovecot/protocols.d/** r, diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap b/profiles/apparmor.d/usr.lib.dovecot.imap index 07d70e0d8..33d02912b 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.imap +++ b/profiles/apparmor.d/usr.lib.dovecot.imap @@ -37,7 +37,7 @@ profile dovecot-imap /usr/lib*/dovecot/imap { @{PROC}/@{pid}/attr/{apparmor/,}current rw, @{PROC}/@{pid}/stat r, /usr/bin/doveconf rix, - /usr/lib*/dovecot/imap mrix, + @{exec_path} mrix, /usr/share/dovecot/** r, @{run}/dovecot/login/imap rw, @{run}/dovecot/auth-master rw, diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap-login b/profiles/apparmor.d/usr.lib.dovecot.imap-login index 7d6d9432c..a7481d698 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.imap-login +++ b/profiles/apparmor.d/usr.lib.dovecot.imap-login 
@@ -25,7 +25,7 @@ profile dovecot-imap-login /usr/lib*/dovecot/imap-login { network inet6 stream, network unix stream, - /usr/lib*/dovecot/imap-login mr, + @{exec_path} mr, @{run}/dovecot/anvil rw, @{run}/dovecot/login-master-notify* rw, @{run}/dovecot/login/ r, diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp index 075a81704..27488c039 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.lmtp +++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp @@ -34,7 +34,7 @@ profile dovecot-lmtp /usr/lib*/dovecot/lmtp { owner @{PROC}/@{pid}/stat r, @{PROC}/*/mounts r, /tmp/dovecot.lmtp.* rw, - /usr/lib*/dovecot/lmtp mr, + @{exec_path} mr, @{run}/dovecot/mounts r, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/usr.lib.dovecot.log b/profiles/apparmor.d/usr.lib.dovecot.log index bce2302e1..a92067ffc 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.log +++ b/profiles/apparmor.d/usr.lib.dovecot.log @@ -17,7 +17,7 @@ profile dovecot-log /usr/lib*/dovecot/log flags=(attach_disconnected) { include include - /usr/lib*/dovecot/log mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.managesieve b/profiles/apparmor.d/usr.lib.dovecot.managesieve index 489fd1e34..c1346a665 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.managesieve +++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve @@ -29,7 +29,7 @@ profile dovecot-managesieve /usr/lib*/dovecot/managesieve { /etc/dovecot/** r, /usr/bin/doveconf rix, - /usr/lib*/dovecot/managesieve mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login index 80393926d..aab19ab95 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login 
+++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login @@ -27,7 +27,7 @@ profile dovecot-managesieve-login /usr/lib*/dovecot/managesieve-login { network inet6 stream, network unix stream, - /usr/lib*/dovecot/managesieve-login mr, + @{exec_path} mr, @{run}/dovecot/login-master-notify* rw, @{run}/dovecot/login/ r, @{run}/dovecot/login/* rw, diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3 b/profiles/apparmor.d/usr.lib.dovecot.pop3 index b46db8cf4..cd32fb2c2 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.pop3 +++ b/profiles/apparmor.d/usr.lib.dovecot.pop3 @@ -27,8 +27,8 @@ profile dovecot-pop3 /usr/lib*/dovecot/pop3 { @{HOME} r, # ??? @{PROC}/@{pid}/stat r, - /usr/lib*/dovecot/pop3 mr, - + @{exec_path} mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3-login b/profiles/apparmor.d/usr.lib.dovecot.pop3-login index 348a16769..7125a93f0 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.pop3-login +++ b/profiles/apparmor.d/usr.lib.dovecot.pop3-login @@ -25,7 +25,7 @@ profile dovecot-pop3-login /usr/lib*/dovecot/pop3-login { network inet6 stream, network unix stream, - /usr/lib*/dovecot/pop3-login mr, + @{exec_path} mr, @{run}/dovecot/anvil rw, @{run}/dovecot/login-master-notify* rw, @{run}/dovecot/login/ r, diff --git a/profiles/apparmor.d/usr.lib.dovecot.replicator b/profiles/apparmor.d/usr.lib.dovecot.replicator index b133e40a9..ba396f1d4 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.replicator +++ b/profiles/apparmor.d/usr.lib.dovecot.replicator @@ -27,7 +27,7 @@ profile dovecot-replicator /usr/lib*/dovecot/replicator { /etc/dovecot/conf.d/ r, /etc/dovecot/conf.d/** r, /etc/dovecot/dovecot.conf r, - /usr/lib*/dovecot/replicator mr, + @{exec_path} mr, /usr/share/dovecot/** r, /{,var/}run/dovecot/auth-master rw, @{DOVECOT_MAILSTORE}/ rw, 
diff --git a/profiles/apparmor.d/usr.lib.dovecot.script-login b/profiles/apparmor.d/usr.lib.dovecot.script-login index fed1baae6..5f72948d1 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.script-login +++ b/profiles/apparmor.d/usr.lib.dovecot.script-login @@ -21,7 +21,7 @@ profile dovecot-script-login /usr/lib*/dovecot/script-login { capability setuid, - /usr/lib*/dovecot/script-login mrPx, + @{exec_path} mrPx, # NOTE: You'll need to allow execution of your actual login script. # The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login diff --git a/profiles/apparmor.d/usr.lib.dovecot.ssl-params b/profiles/apparmor.d/usr.lib.dovecot.ssl-params index 5f525238b..8a9cf4b7e 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.ssl-params +++ b/profiles/apparmor.d/usr.lib.dovecot.ssl-params @@ -19,7 +19,7 @@ profile dovecot-ssl-params /usr/lib*/dovecot/ssl-params { @{run}/dovecot/ssl-params rw, @{run}/dovecot/login/ssl-params rw, - /usr/lib*/dovecot/ssl-params mr, + @{exec_path} mr, /var/lib/dovecot/ssl-parameters.dat rw, /var/lib/dovecot/ssl-parameters.dat.tmp rwk, diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats b/profiles/apparmor.d/usr.lib.dovecot.stats index 4c30994ab..88c6469de 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.stats +++ b/profiles/apparmor.d/usr.lib.dovecot.stats @@ -24,7 +24,7 @@ profile dovecot-stats /usr/lib*/dovecot/stats { network inet stream, network inet6 stream, - /usr/lib*/dovecot/stats mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.sbin.apache2 b/profiles/apparmor.d/usr.sbin.apache2 index 17841715c..508f8205e 100644 --- a/profiles/apparmor.d/usr.sbin.apache2 +++ b/profiles/apparmor.d/usr.sbin.apache2 @@ -84,6 +84,7 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) { / rw, /** mrwlkix, + @{exec_path} mrix, ^DEFAULT_URI flags=(attach_disconnected) { 
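Review bot: The `@{exec_path} mrix,` added to the apache2 profile is already covered by the `/** mrwlkix,` rule directly above it, so it grants nothing new and does not tighten anything. If it is meant as a marker that the profile now names its own executable, a comment such as `# already covered by /** above; kept so the executable is named explicitly` would stop a later reader from treating it as a restriction. Otherwise the line can be dropped to keep the profile minimal.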
diff --git a/profiles/apparmor.d/usr.sbin.avahi-daemon b/profiles/apparmor.d/usr.sbin.avahi-daemon index fe713efde..85986c0ca 100644 --- a/profiles/apparmor.d/usr.sbin.avahi-daemon +++ b/profiles/apparmor.d/usr.sbin.avahi-daemon @@ -25,7 +25,7 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) { @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - /usr/{bin,sbin}/avahi-daemon mr, + @{exec_path} mr, /usr/share/avahi/introspection/*.introspect r, /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r, @{run}/avahi-daemon/ w, diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq index f0cc01373..3aaf75e64 100644 --- a/profiles/apparmor.d/usr.sbin.dnsmasq +++ b/profiles/apparmor.d/usr.sbin.dnsmasq @@ -51,7 +51,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /etc/dnsmasq-conf.conf r, /etc/dnsmasq-resolv.conf r, - /usr/{bin,sbin}/dnsmasq mr, + @{exec_path} mr, /var/log/dnsmasq*.log w, diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot index 4c93b4406..246a43b59 100644 --- a/profiles/apparmor.d/usr.sbin.dovecot +++ b/profiles/apparmor.d/usr.sbin.dovecot @@ -67,7 +67,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) { /usr/lib*/dovecot/ssl-build-param rix, /usr/lib*/dovecot/ssl-params mrPx, /usr/lib*/dovecot/stats Px, - /usr/{bin,sbin}/dovecot mrix, + @{exec_path} mrix, /usr/share/dovecot/dh.pem r, /usr/share/dovecot/protocols.d/ r, /usr/share/dovecot/protocols.d/** r, diff --git a/profiles/apparmor.d/usr.sbin.identd b/profiles/apparmor.d/usr.sbin.identd index f4f7d580c..ab0467aef 100644 --- a/profiles/apparmor.d/usr.sbin.identd +++ b/profiles/apparmor.d/usr.sbin.identd @@ -23,7 +23,7 @@ profile identd /usr/{bin,sbin}/identd { /etc/identd.conf r, /etc/identd.key r, /etc/identd.pid w, - /usr/{bin,sbin}/identd rmix, + @{exec_path} mrix, @{PROC}/net/tcp r, @{PROC}/net/tcp6 r, @{run}/identd.pid w, 
diff --git a/profiles/apparmor.d/usr.sbin.mdnsd b/profiles/apparmor.d/usr.sbin.mdnsd index ff093bb71..8c2f75831 100644 --- a/profiles/apparmor.d/usr.sbin.mdnsd +++ b/profiles/apparmor.d/usr.sbin.mdnsd @@ -26,7 +26,7 @@ profile mdnsd /usr/{bin,sbin}/mdnsd { network netlink dgram, - /usr/{bin,sbin}/mdnsd rmix, + @{exec_path} mrix, @{PROC}/net/ r, @{PROC}/net/unix r, diff --git a/profiles/apparmor.d/usr.sbin.nmbd b/profiles/apparmor.d/usr.sbin.nmbd index cee04e7e2..02efceebf 100644 --- a/profiles/apparmor.d/usr.sbin.nmbd +++ b/profiles/apparmor.d/usr.sbin.nmbd @@ -12,7 +12,7 @@ profile nmbd /usr/{bin,sbin}/nmbd { @{PROC}/sys/kernel/core_pattern r, - /usr/{bin,sbin}/nmbd mr, + @{exec_path} mr, /var/{cache,lib}/samba/browse.dat* rw, /var/{cache,lib}/samba/gencache.dat rw, diff --git a/profiles/apparmor.d/usr.sbin.nscd b/profiles/apparmor.d/usr.sbin.nscd index 34aa13fc6..35f9db4d3 100644 --- a/profiles/apparmor.d/usr.sbin.nscd +++ b/profiles/apparmor.d/usr.sbin.nscd @@ -26,7 +26,7 @@ profile nscd /usr/{bin,sbin}/nscd { /etc/machine-id r, /etc/netgroup r, /etc/nscd.conf r, - /usr/{bin,sbin}/nscd rmix, + @{exec_path} mrix, @{run}/.nscd_socket wl, @{run}/nscd/ rw, @{run}/nscd/db* rwl, diff --git a/profiles/apparmor.d/usr.sbin.ntpd b/profiles/apparmor.d/usr.sbin.ntpd index 774038a73..da2006e30 100644 --- a/profiles/apparmor.d/usr.sbin.ntpd +++ b/profiles/apparmor.d/usr.sbin.ntpd @@ -42,7 +42,7 @@ profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) { /tmp/ntp* rwl, /{usr/,usr/local/,}{s,}bin/ r, - /usr/{bin,sbin}/{,open}ntpd rmix, + @{exec_path} mrix, /var/db/ r, /var/db/ntpd.drift rwl, /var/lib/ntp/drift rwl, diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd index 149743eed..6bee4eb55 100644 --- a/profiles/apparmor.d/usr.sbin.smbd +++ b/profiles/apparmor.d/usr.sbin.smbd 
@@ -45,7 +45,7 @@ profile smbd /usr/{bin,sbin}/smbd { /usr/lib/@{multiarch}/samba/**/ r, /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr, /usr/share/samba/** r, - /usr/{bin,sbin}/smbd mr, + @{exec_path} mr, /usr/{bin,sbin}/smbldap-useradd Px, /var/cache/samba/** rwk, /var/{cache,lib}/samba/printing/printers.tdb mrw, diff --git a/profiles/apparmor.d/usr.sbin.smbldap-useradd b/profiles/apparmor.d/usr.sbin.smbldap-useradd index 395656210..285280360 100644 --- a/profiles/apparmor.d/usr.sbin.smbldap-useradd +++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd @@ -16,7 +16,7 @@ profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd { /etc/shadow r, /etc/smbldap-tools/smbldap.conf r, /etc/smbldap-tools/smbldap_bind.conf r, - /usr/{bin,sbin}/smbldap-useradd r, + @{exec_path} r, /usr/{bin,sbin}/smbldap_tools.pm r, /var/log/samba/log.smbd w, diff --git a/profiles/apparmor.d/usr.sbin.traceroute b/profiles/apparmor.d/usr.sbin.traceroute index d3c885b29..65bee4174 100644 --- a/profiles/apparmor.d/usr.sbin.traceroute +++ b/profiles/apparmor.d/usr.sbin.traceroute @@ -23,7 +23,7 @@ profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/tracerou network inet raw, network inet6 raw, - /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix, + @{exec_path} mrix, @{PROC}/net/route r, @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r, diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd index 9283dfa15..b8f0dbe59 100644 --- a/profiles/apparmor.d/usr.sbin.winbindd +++ b/profiles/apparmor.d/usr.sbin.winbindd @@ -28,7 +28,7 @@ profile winbindd /usr/{bin,sbin}/winbindd { /usr/lib*/samba/nss_info/*.so mr, /usr/lib*/samba/pdb/*.so mr, /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd, - /usr/{bin,sbin}/winbindd mr, + @{exec_path} mr, /var/cache/krb5rcache/* rwk, /var/lib/sss/pubconf/kdcinfo.* r, /var/log/samba/log.winbindd rw, 
diff --git a/profiles/apparmor.d/uwsgi-core b/profiles/apparmor.d/uwsgi-core index 0ffcca5f8..a4d865e7b 100644 --- a/profiles/apparmor.d/uwsgi-core +++ b/profiles/apparmor.d/uwsgi-core @@ -6,6 +6,7 @@ include profile uwsgi-core /usr/bin/uwsgi-core flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vdens b/profiles/apparmor.d/vdens index 643b29547..6eb750d64 100644 --- a/profiles/apparmor.d/vdens +++ b/profiles/apparmor.d/vdens @@ -6,6 +6,7 @@ include profile vdens /usr/bin/vdens flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/virtiofsd b/profiles/apparmor.d/virtiofsd index 380a840de..e4567b7d8 100644 --- a/profiles/apparmor.d/virtiofsd +++ b/profiles/apparmor.d/virtiofsd @@ -6,6 +6,7 @@ include profile virtiofsd /usr/libexec/virtiofsd flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vivaldi-bin b/profiles/apparmor.d/vivaldi-bin index 200c567dd..913c2fd0d 100644 --- a/profiles/apparmor.d/vivaldi-bin +++ b/profiles/apparmor.d/vivaldi-bin @@ -6,6 +6,7 @@ include profile vivaldi-bin /opt/vivaldi/vivaldi-bin flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vpnns b/profiles/apparmor.d/vpnns index 8fea23718..53f228a51 100644 --- a/profiles/apparmor.d/vpnns +++ b/profiles/apparmor.d/vpnns @@ -6,6 +6,7 @@ include profile vpnns /usr/bin/vpnns flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vrrpd b/profiles/apparmor.d/vrrpd index 82f277ba4..e11ae072f 100644 
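Review bot: The `@{exec_path} mrix,` added to uwsgi-core, vdens, virtiofsd, vivaldi-bin and vpnns lands in profiles declared `flags=(unconfined)`, where file rules are not enforced, so the line changes no access decision. If it is there so that tooling sees the executable named, or as a placeholder for when the `unconfined` flag is eventually removed, a one-line comment saying so (e.g. `# not enforced while flags=(unconfined); names the executable for tooling`) would keep readers from assuming these profiles now confine the binary. If there is no such reason, leaving these profiles at `userns,` alone is clearer.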
--- a/profiles/apparmor.d/vrrpd +++ b/profiles/apparmor.d/vrrpd @@ -17,7 +17,7 @@ profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) { include include - /usr/lib/frr/vrrpd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/wg b/profiles/apparmor.d/wg index 00c40a53d..9a26a6a94 100644 --- a/profiles/apparmor.d/wg +++ b/profiles/apparmor.d/wg @@ -27,7 +27,7 @@ profile wg /usr/bin/wg flags=(attach_disconnected){ # wireguard configuration and key files file rw @{etc_rw}/wireguard/{,**}, - file mr /usr/bin/wg, + mr @{exec_path}, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/wg-quick b/profiles/apparmor.d/wg-quick index 629409f60..fe9ec84c5 100644 --- a/profiles/apparmor.d/wg-quick +++ b/profiles/apparmor.d/wg-quick @@ -104,7 +104,7 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) { file rw @{etc_rw}/wireguard/{,**}, # Allow executable mapping and read for the binary - file mr /usr/bin/wg-quick, + file mr @{exec_path}, # Process-specific access file r @{PROC}/@{pid}/net/ip_tables_names, diff --git a/profiles/apparmor.d/wike b/profiles/apparmor.d/wike index 5abb25399..34a115c17 100644 --- a/profiles/apparmor.d/wike +++ b/profiles/apparmor.d/wike @@ -6,6 +6,7 @@ include profile wike /usr/bin/wike flags=(unconfined) { userns, + mr @{exec_path}, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/wpa_supplicant b/profiles/apparmor.d/wpa_supplicant index 10640d924..4cad16294 100644 --- a/profiles/apparmor.d/wpa_supplicant +++ b/profiles/apparmor.d/wpa_supplicant @@ -113,7 +113,7 @@ profile wpa_supplicant /usr/sbin/wpa_supplicant { member={ReleaseName,RequestName} peer=(name=org.freedesktop.DBus), - /usr/sbin/wpa_supplicant mr, + @{exec_path} mr, owner /dev/rfkill r, owner /etc/group r, 
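Review bot: The wg hunk rewrites `file mr /usr/bin/wg,` as `mr @{exec_path},`, dropping the `file` keyword, while the wg-quick hunk in the same commit keeps it (`file mr @{exec_path},`) and the wike and wpcom hunks use the perms-first form without it. The three spellings are equivalent to the parser, but a mechanical substitution is easiest to audit when it preserves each profile's existing style, so `file mr @{exec_path},` in wg would match wg-quick and the original line.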
diff --git a/profiles/apparmor.d/wpcom b/profiles/apparmor.d/wpcom index 301f37b80..478113657 100644 --- a/profiles/apparmor.d/wpcom +++ b/profiles/apparmor.d/wpcom @@ -6,6 +6,7 @@ include profile wpcom /opt/WordPress.com/wpcom flags=(unconfined) { userns, + mr @{exec_path}, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep index b37e3ff70..c6d069776 100644 --- a/profiles/apparmor.d/zgrep +++ b/profiles/apparmor.d/zgrep @@ -34,7 +34,7 @@ profile zgrep /usr/bin/{x,}zgrep { /usr/bin/zgrep Cx -> helper, /usr/bin/zstd Cx -> helper, owner /tmp/zgrep* rw, - /usr/bin/{x,}zgrep r, + @{exec_path} r, deny /etc/nsswitch.conf r, deny /etc/passwd r, diff --git a/profiles/apparmor.d/znc b/profiles/apparmor.d/znc index c33f0518d..4f670fd39 100644 --- a/profiles/apparmor.d/znc +++ b/profiles/apparmor.d/znc @@ -13,7 +13,7 @@ profile znc /usr/bin/znc { network tcp, - /usr/bin/znc mr, + @{exec_path} mr, @{system_share_dirs}/znc/** r, diff --git a/profiles/apparmor/profiles/extras/bin.netstat b/profiles/apparmor/profiles/extras/bin.netstat index 614879cdb..7f5151007 100644 --- a/profiles/apparmor/profiles/extras/bin.netstat +++ b/profiles/apparmor/profiles/extras/bin.netstat @@ -28,7 +28,8 @@ profile netstat /{usr/,}bin/netstat { ptrace (read), - /{usr/,}bin/netstat rmix, + @{exec_path} mr, + /etc/networks r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/profiles/apparmor/profiles/extras/chromium_browser b/profiles/apparmor/profiles/extras/chromium_browser index 532d9366b..b66582e18 100644 --- a/profiles/apparmor/profiles/extras/chromium_browser +++ b/profiles/apparmor/profiles/extras/chromium_browser 
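Review bot: In the zgrep hunk `@{exec_path} r,` replaces `/usr/bin/{x,}zgrep r,` in a profile attached to both `/usr/bin/zgrep` and `/usr/bin/xzgrep`, and the variable does not necessarily keep granting read on the sibling alias. If the kernel-resolved exec_path narrows to the path that was actually executed, a process started as `/usr/bin/xzgrep` gets read only on that path, and the remaining `/usr/bin/zgrep Cx -> helper,` supplies the exec transition but not `r`. Worth confirming the script never opens its sibling for reading; if it does, keep an explicit `/usr/bin/{x,}zgrep r,` beside the variable rule. The rest of the profile is outside the hunk.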
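Review bot: The netstat hunk changes `/{usr/,}bin/netstat rmix,` to `@{exec_path} mr,`, silently dropping `ix`, which is a permission change rather than the variable substitution the rest of the commit performs. If netstat never re-executes itself the tightening is harmless, but it should be stated in the commit message or split out so the behaviour change is reviewable; otherwise keep `@{exec_path} mrix,` as the other profiles do. The unrelated `/etc/networks r,` addition in the same hunk is likewise bundled into a mechanical rename with no explanation.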
@@ -256,7 +256,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne owner @{HOME}/.config/chromium/WidevineCdm/*/_platform_specific/*/libwidevinecdm.so mr, # Allow transitions to ourself, our sandbox, and crash handler - /usr/lib/@{chromium}/@{chromium} ix, + @{exec_path} mrix, /usr/lib/@{chromium}/chrome-sandbox cx -> sandbox, /usr/lib/@{chromium}/chrome_crashpad_handler Cxr -> crashpad_handler, diff --git a/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate b/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate index e83d61f78..ed1a0241a 100644 --- a/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate +++ b/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate @@ -39,7 +39,7 @@ include /usr/bin/head mrix, /usr/bin/killall mixr, /usr/sbin/invoke-rc.d mrix, - /usr/sbin/logrotate mixr, + @{exec_path} mrix, ## see https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html /{usr/,}sbin/initctl Ux, diff --git a/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron b/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron index 0131fbb30..c3ef83464 100644 --- a/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron +++ b/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron @@ -20,7 +20,7 @@ include include /{usr/,}bin/bash mixr, /dev/tty wr , - /etc/cron.daily/slocate.cron r , + @{exec_path} r, /etc/mtab r , /usr/bin/slocate mixr, /usr/bin/renice mixr, diff --git a/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch b/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch index 833c0cca5..1a558ea5a 100644 --- a/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch +++ b/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch @@ -14,7 +14,7 @@ include /etc/cron.daily/tmpwatch { include - /etc/cron.daily/tmpwatch r, + @{exec_path} r, /tmp r, /tmp/** rwl, /usr/sbin/tmpwatch mixr, 
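Review bot: The etc.cron.daily.logrotate hunk replaces `/usr/sbin/logrotate mixr,` with `@{exec_path} mrix,`, but the removed rule named the logrotate binary, not this profile's own executable; if the profile attaches to `/etc/cron.daily/logrotate` as the file name suggests (the profile line is outside the hunk), `@{exec_path}` expands to the cron script and the job loses permission to execute `/usr/sbin/logrotate`. The slocate.cron and tmpwatch hunks in the same commit only moved the script's own `r` rule to the variable and left `/usr/bin/slocate mixr,` and `/usr/sbin/tmpwatch mixr,` untouched, which is the right pattern. Restore `/usr/sbin/logrotate mrix,` here and, if the script's own read rule is what should use the variable, change that line instead.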
diff --git a/profiles/apparmor/profiles/extras/firefox b/profiles/apparmor/profiles/extras/firefox index 507c627f7..8b7ba2bee 100644 --- a/profiles/apparmor/profiles/extras/firefox +++ b/profiles/apparmor/profiles/extras/firefox @@ -110,7 +110,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} { member=GetAll peer=(label=unconfined), - @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} mr, + @{exec_path} mr, # should maybe be in abstractions /etc/ r, diff --git a/profiles/apparmor/profiles/extras/firefox.sh b/profiles/apparmor/profiles/extras/firefox.sh index bb7efa836..7ddd52b20 100644 --- a/profiles/apparmor/profiles/extras/firefox.sh +++ b/profiles/apparmor/profiles/extras/firefox.sh @@ -11,7 +11,7 @@ profile firefox.sh /usr/lib/firefox/firefox.sh { deny capability sys_ptrace, - /usr/lib/firefox/firefox.sh mr, + @{exec_path} r, /{usr/,}bin/basename rix, /{usr/,}bin/bash rix, diff --git a/profiles/apparmor/profiles/extras/postfix-anvil b/profiles/apparmor/profiles/extras/postfix-anvil index e29127b27..aca9da3f7 100644 --- a/profiles/apparmor/profiles/extras/postfix-anvil +++ b/profiles/apparmor/profiles/extras/postfix-anvil @@ -18,7 +18,7 @@ profile postfix-anvil /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil mrix, + @{exec_path} mrix, /etc/postfix/main.cf r, /{var/spool/postfix/,}private/anvil rw, diff --git a/profiles/apparmor/profiles/extras/postfix-bounce b/profiles/apparmor/profiles/extras/postfix-bounce index 93cda1f0d..b60a18187 100644 --- a/profiles/apparmor/profiles/extras/postfix-bounce +++ b/profiles/apparmor/profiles/extras/postfix-bounce @@ -19,7 +19,7 @@ profile postfix-bounce /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce mrix, + @{exec_path} mrix, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwkl, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl, 
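Review bot: The firefox.sh hunk narrows `/usr/lib/firefox/firefox.sh mr,` to `@{exec_path} r,`, dropping `m`; for a shell script read by its interpreter that is a reasonable tightening, but it is a permission change hidden inside a variable-substitution commit, while the chromium_browser hunk in the same commit goes the other way (`ix` to `mrix`). Either keep `@{exec_path} mr,` so the commit stays purely mechanical, or call out the `m` removal in the commit message so a later denial on this file can be traced to this change.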
diff --git a/profiles/apparmor/profiles/extras/postfix-cleanup b/profiles/apparmor/profiles/extras/postfix-cleanup index ac802ef29..c7d313099 100644 --- a/profiles/apparmor/profiles/extras/postfix-cleanup +++ b/profiles/apparmor/profiles/extras/postfix-cleanup @@ -22,7 +22,7 @@ profile postfix-cleanup /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup { capability net_bind_service, capability dac_read_search, - /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup mrix, + @{exec_path} mrix, /{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl, /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl, diff --git a/profiles/apparmor/profiles/extras/postfix-discard b/profiles/apparmor/profiles/extras/postfix-discard index 8899f4e5a..bfd74aca7 100644 --- a/profiles/apparmor/profiles/extras/postfix-discard +++ b/profiles/apparmor/profiles/extras/postfix-discard @@ -17,7 +17,7 @@ include profile postfix-discard /usr/lib{,exec}/postfix/{bin/,sbin/,}discard { include - /usr/lib{,exec}/postfix/{bin/,sbin/,}discard mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor/profiles/extras/postfix-dnsblog b/profiles/apparmor/profiles/extras/postfix-dnsblog index a889dc3f2..4992544b3 100644 --- a/profiles/apparmor/profiles/extras/postfix-dnsblog +++ b/profiles/apparmor/profiles/extras/postfix-dnsblog @@ -16,7 +16,7 @@ include profile postfix-dnsblog /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog { include - /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog mrix, + @{exec_path} mrix, /var/spool/postfix/private/dnsblog rw, diff --git a/profiles/apparmor/profiles/extras/postfix-error b/profiles/apparmor/profiles/extras/postfix-error index 609a23b3a..33b59188e 100644 --- a/profiles/apparmor/profiles/extras/postfix-error +++ b/profiles/apparmor/profiles/extras/postfix-error 
@@ -19,7 +19,7 @@ profile postfix-error /usr/lib{,exec}/postfix/{bin/,sbin/,}error { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}error mrix, + @{exec_path} mrix, owner /var/spool/postfix/active/* rwk, /var/spool/postfix/pid/unix.error rwk, diff --git a/profiles/apparmor/profiles/extras/postfix-flush b/profiles/apparmor/profiles/extras/postfix-flush index 6080dc559..61a566f04 100644 --- a/profiles/apparmor/profiles/extras/postfix-flush +++ b/profiles/apparmor/profiles/extras/postfix-flush @@ -19,7 +19,7 @@ profile postfix-flush /usr/lib{,exec}/postfix/{bin/,sbin/,}flush { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}flush mrix, + @{exec_path} mrix, /{var/spool/postfix/,}deferred/ r, /{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl, diff --git a/profiles/apparmor/profiles/extras/postfix-lmtp b/profiles/apparmor/profiles/extras/postfix-lmtp index 0dc6bf949..0b5985057 100644 --- a/profiles/apparmor/profiles/extras/postfix-lmtp +++ b/profiles/apparmor/profiles/extras/postfix-lmtp @@ -19,7 +19,7 @@ profile postfix-lmtp /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp mrix, + @{exec_path} mrix, /var/spool/postfix/active/* rwk, /var/spool/postfix/pid/unix.lmtp rwk, diff --git a/profiles/apparmor/profiles/extras/postfix-local b/profiles/apparmor/profiles/extras/postfix-local index 145961783..d7aab028d 100644 --- a/profiles/apparmor/profiles/extras/postfix-local +++ b/profiles/apparmor/profiles/extras/postfix-local @@ -27,7 +27,7 @@ profile postfix-local /usr/lib{,exec}/postfix/{bin/,sbin/,}local { /var/mailman/mail/wrapper Px, /usr/bin/mlmmj-recieve Px, - /usr/lib{,exec}/postfix/{bin/,sbin/,}local mrix, + @{exec_path} mrix, /{usr/,}bin/bash mixr, /{usr/,}bin/date mixr, diff --git a/profiles/apparmor/profiles/extras/postfix-master b/profiles/apparmor/profiles/extras/postfix-master index 6d8e7856d..127122f1d 100644 --- a/profiles/apparmor/profiles/extras/postfix-master 
+++ b/profiles/apparmor/profiles/extras/postfix-master @@ -37,6 +37,7 @@ profile postfix-master /usr/lib{,exec}/postfix/{bin/,sbin/,}master { /{var/spool/postfix/,}private/tlsmgr rwl, /{var/spool/postfix/,}public/{cleanup,flush,pickup,postlog,qmgr,showq,tlsmgr} rwl, + @{exec_path} mrix, /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil Px, /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce Px, /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup Px, @@ -44,7 +45,6 @@ profile postfix-master /usr/lib{,exec}/postfix/{bin/,sbin/,}master { /usr/lib{,exec}/postfix/{bin/,sbin/,}flush Px, /usr/lib{,exec}/postfix/{bin/,sbin/,}local Px, /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp mrPx, - /usr/lib{,exec}/postfix/{bin/,sbin/,}master mrix, /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr Px, /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap Px, /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup Px, diff --git a/profiles/apparmor/profiles/extras/postfix-nqmgr b/profiles/apparmor/profiles/extras/postfix-nqmgr index e537e1155..1d20ed49f 100644 --- a/profiles/apparmor/profiles/extras/postfix-nqmgr +++ b/profiles/apparmor/profiles/extras/postfix-nqmgr @@ -18,7 +18,7 @@ profile postfix-nqmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr mrix, + @{exec_path} mrix, /{var/spool/postfix/,}active/ r, /{var/spool/postfix/,}active/[0-9A-F]/ r, diff --git a/profiles/apparmor/profiles/extras/postfix-oqmgr b/profiles/apparmor/profiles/extras/postfix-oqmgr index c13e6149e..f7d870115 100644 --- a/profiles/apparmor/profiles/extras/postfix-oqmgr +++ b/profiles/apparmor/profiles/extras/postfix-oqmgr @@ -19,7 +19,7 @@ profile postfix-oqmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}oqmgr { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}oqmgr mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists 
diff --git a/profiles/apparmor/profiles/extras/postfix-pickup b/profiles/apparmor/profiles/extras/postfix-pickup index a0cba743e..fc8de5d48 100644 --- a/profiles/apparmor/profiles/extras/postfix-pickup +++ b/profiles/apparmor/profiles/extras/postfix-pickup @@ -18,7 +18,7 @@ profile postfix-pickup /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup mrix, + @{exec_path} mrix, /{var/spool/postfix/,}public/cleanup rw, /{var/spool/postfix/,}public/pickup r, diff --git a/profiles/apparmor/profiles/extras/postfix-pipe b/profiles/apparmor/profiles/extras/postfix-pipe index dc4944ba1..465ddd214 100644 --- a/profiles/apparmor/profiles/extras/postfix-pipe +++ b/profiles/apparmor/profiles/extras/postfix-pipe @@ -19,7 +19,7 @@ profile postfix-pipe /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe mrix, + @{exec_path} mrix, /var/spool/postfix/active/* rwk, /var/spool/postfix/private/bounce w, diff --git a/profiles/apparmor/profiles/extras/postfix-postscreen b/profiles/apparmor/profiles/extras/postfix-postscreen index b11bd8fc0..0ced312d4 100644 --- a/profiles/apparmor/profiles/extras/postfix-postscreen +++ b/profiles/apparmor/profiles/extras/postfix-postscreen @@ -17,7 +17,7 @@ profile postfix-postscreen /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen mrix, + @{exec_path} mrix, owner /var/lib/postfix/{,__db.}postscreen_cache.db rwk, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/postfix-proxymap b/profiles/apparmor/profiles/extras/postfix-proxymap index e41e2f472..7ed149de0 100644 --- a/profiles/apparmor/profiles/extras/postfix-proxymap +++ b/profiles/apparmor/profiles/extras/postfix-proxymap 
@@ -20,7 +20,7 @@ profile postfix-proxymap /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap { include /etc/my.cnf r, - /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap mrix, + @{exec_path} mrix, /{var/spool/postfix/,}private/proxymap rw, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/postfix-qmgr b/profiles/apparmor/profiles/extras/postfix-qmgr index 336200409..f304e1e55 100644 --- a/profiles/apparmor/profiles/extras/postfix-qmgr +++ b/profiles/apparmor/profiles/extras/postfix-qmgr @@ -18,7 +18,7 @@ profile postfix-qmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr mrix, + @{exec_path} mrix, /{var/spool/postfix/,}active/ r, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl, diff --git a/profiles/apparmor/profiles/extras/postfix-qmqpd b/profiles/apparmor/profiles/extras/postfix-qmqpd index 6b9ef9258..9f6702c02 100644 --- a/profiles/apparmor/profiles/extras/postfix-qmqpd +++ b/profiles/apparmor/profiles/extras/postfix-qmqpd @@ -18,7 +18,7 @@ profile postfix-qmqpd /usr/lib{,exec}/postfix/{bin/,sbin/,}qmqpd { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}qmqpd mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor/profiles/extras/postfix-scache b/profiles/apparmor/profiles/extras/postfix-scache index 3cf62011f..519d3b342 100644 --- a/profiles/apparmor/profiles/extras/postfix-scache +++ b/profiles/apparmor/profiles/extras/postfix-scache @@ -20,7 +20,7 @@ profile postfix-scache /usr/lib{,exec}/postfix/{bin/,sbin/,}scache { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}scache mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor/profiles/extras/postfix-showq b/profiles/apparmor/profiles/extras/postfix-showq index bcfddd435..335c82af3 100644 
--- a/profiles/apparmor/profiles/extras/postfix-showq +++ b/profiles/apparmor/profiles/extras/postfix-showq @@ -19,7 +19,7 @@ profile postfix-showq /usr/lib{,exec}/postfix/{bin/,sbin/,}showq { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}showq mrix, + @{exec_path} mrix, /{var/spool/postfix/,}active/ r, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r, diff --git a/profiles/apparmor/profiles/extras/postfix-smtp b/profiles/apparmor/profiles/extras/postfix-smtp index dbef2c9e7..de06ddc9e 100644 --- a/profiles/apparmor/profiles/extras/postfix-smtp +++ b/profiles/apparmor/profiles/extras/postfix-smtp @@ -23,7 +23,7 @@ profile postfix-smtp /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp { capability dac_read_search, capability net_bind_service, - /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp mrix, + @{exec_path} mrix, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl, diff --git a/profiles/apparmor/profiles/extras/postfix-smtpd b/profiles/apparmor/profiles/extras/postfix-smtpd index ca7e57072..eeea89777 100644 --- a/profiles/apparmor/profiles/extras/postfix-smtpd +++ b/profiles/apparmor/profiles/extras/postfix-smtpd @@ -24,7 +24,7 @@ profile postfix-smtpd /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd { capability dac_override, capability dac_read_search, - /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd mrix, + @{exec_path} mrix, /usr/sbin/postdrop rPx, /dev/urandom r, diff --git a/profiles/apparmor/profiles/extras/postfix-spawn b/profiles/apparmor/profiles/extras/postfix-spawn index 0f44e28f8..b4fb53c07 100644 --- a/profiles/apparmor/profiles/extras/postfix-spawn +++ b/profiles/apparmor/profiles/extras/postfix-spawn @@ -18,7 +18,7 @@ profile postfix-spawn /usr/lib{,exec}/postfix/{bin/,sbin/,}spawn { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}spawn mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists 
diff --git a/profiles/apparmor/profiles/extras/postfix-tlsmgr b/profiles/apparmor/profiles/extras/postfix-tlsmgr index 9b23d1d95..304af2b33 100644 --- a/profiles/apparmor/profiles/extras/postfix-tlsmgr +++ b/profiles/apparmor/profiles/extras/postfix-tlsmgr @@ -19,7 +19,7 @@ profile postfix-tlsmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr mrix, + @{exec_path} mrix, /var/spool/postfix/dev/urandom r, /{etc,var/lib}/postfix/prng_exch rwk, diff --git a/profiles/apparmor/profiles/extras/postfix-tlsproxy b/profiles/apparmor/profiles/extras/postfix-tlsproxy index 2f94edb17..60207de56 100644 --- a/profiles/apparmor/profiles/extras/postfix-tlsproxy +++ b/profiles/apparmor/profiles/extras/postfix-tlsproxy @@ -20,7 +20,7 @@ profile postfix-tlsproxy /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy { capability dac_read_search, - /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor/profiles/extras/postfix-trivial-rewrite b/profiles/apparmor/profiles/extras/postfix-trivial-rewrite index c6ec25b7b..42f726147 100644 --- a/profiles/apparmor/profiles/extras/postfix-trivial-rewrite +++ b/profiles/apparmor/profiles/extras/postfix-trivial-rewrite @@ -21,7 +21,7 @@ profile postfix-trivial-rewrite /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rew capability dac_read_search, - /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rewrite mrix, + @{exec_path} mrix, /etc/{m,fs}tab r, /var/spool/postfix/pid/unix.rewrite rw, diff --git a/profiles/apparmor/profiles/extras/postfix-verify b/profiles/apparmor/profiles/extras/postfix-verify index 4b4a33721..c9502b80c 100644 --- a/profiles/apparmor/profiles/extras/postfix-verify +++ b/profiles/apparmor/profiles/extras/postfix-verify 
@@ -18,7 +18,7 @@ profile postfix-verify /usr/lib{,exec}/postfix/{bin/,sbin/,}verify {
 include
 include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}verify mrix,
+ @{exec_path} mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-virtual b/profiles/apparmor/profiles/extras/postfix-virtual
index b42df4ce4..fb798d009 100644
--- a/profiles/apparmor/profiles/extras/postfix-virtual
+++ b/profiles/apparmor/profiles/extras/postfix-virtual
@@ -18,7 +18,7 @@ profile postfix-virtual /usr/lib{,exec}/postfix/{bin/,sbin/,}virtual {
 include
 include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}virtual mrix,
+ @{exec_path} mrix,
 /var/spool/postfix/active/* rw,
 /var/spool/postfix/pid/unix.virtual rw,
diff --git a/profiles/apparmor/profiles/extras/rpcbind b/profiles/apparmor/profiles/extras/rpcbind
index 52339df6e..0fc8daa91 100644
--- a/profiles/apparmor/profiles/extras/rpcbind
+++ b/profiles/apparmor/profiles/extras/rpcbind
@@ -20,7 +20,7 @@ profile rpcbind /{usr/,}sbin/rpcbind {
 /etc/default/rpcbind r,
 /etc/netconfig r,
 /etc/rpcbind.conf r,
- /{usr/,}sbin/rpcbind mrix,
+ @{exec_path} mrix,
 @{run}/rpcbind.lock rwk,
 @{run}/rpcbind.sock rwk,
 @{run}/rpcbind/portmap.xdr rw,
diff --git a/profiles/apparmor/profiles/extras/sbin.dhclient b/profiles/apparmor/profiles/extras/sbin.dhclient
index 285c07e8b..bb67da45c 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -35,7 +35,7 @@ profile dhclient /{usr/,}sbin/dhclient {
 signal (send,receive) set=(term) peer=NetworkManager,
- /{usr/,}sbin/dhclient mrix,
+ @{exec_path} mrix,
 /{usr/,}bin/bash mrix,
 /{usr/,}bin/df mrix,
diff --git a/profiles/apparmor/profiles/extras/sbin.dhclient-script b/profiles/apparmor/profiles/extras/sbin.dhclient-script
index a73809e87..d24c51fc3 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhclient-script
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -23,7 +23,7 @@ profile dhclient-script /{usr/,}sbin/dhclient-script {
 /etc/netconfig.d/* mrix,
 /etc/sysconfig/network/** r,
 /etc/dhcp/{**,} r,
- /{usr/,}sbin/dhclient-script r,
+ @{exec_path} r,
 /{usr/,}sbin/ip rix,
 /{usr/,}sbin/resolvconf rPUx,
diff --git a/profiles/apparmor/profiles/extras/sbin.dhcpcd b/profiles/apparmor/profiles/extras/sbin.dhcpcd
index 3d8e7d924..8f33c0c79 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhcpcd
+++ b/profiles/apparmor/profiles/extras/sbin.dhcpcd
@@ -37,7 +37,7 @@ profile dhcpcd /{usr/,}sbin/dhcpcd {
 /etc/ntp.conf{,.sv} rwl,
 /etc/sysconfig/network/scripts/dhcpcd-hook rmix,
 /etc/yp.conf{,.sv} rwl,
- /{usr/,}sbin/dhcpcd rmix,
+ @{exec_path} mrix,
 /{usr/,}sbin/ifup Ux, # fixme
 /{usr/,}sbin/modify_resolvconf rmix,
 /var/lib/dhcpcd/dhcpcd-*.cache rw,
diff --git a/profiles/apparmor/profiles/extras/sbin.portmap b/profiles/apparmor/profiles/extras/sbin.portmap
index e2783fd3f..228f601ce 100644
--- a/profiles/apparmor/profiles/extras/sbin.portmap
+++ b/profiles/apparmor/profiles/extras/sbin.portmap
@@ -22,7 +22,7 @@ profile portmap /{usr/,}sbin/portmap {
 capability setgid,
 /etc/bindresvport.blacklist r,
- /{usr/,}sbin/portmap rmix,
+ @{exec_path} mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/sbin.resmgrd b/profiles/apparmor/profiles/extras/sbin.resmgrd
index ba825eb46..27f125ca3 100644
--- a/profiles/apparmor/profiles/extras/sbin.resmgrd
+++ b/profiles/apparmor/profiles/extras/sbin.resmgrd
@@ -25,7 +25,7 @@ profile resmgrd /{usr/,}sbin/resmgrd {
 /etc/resmgr.conf r,
 /etc/resmgr.conf.d/ r,
 /etc/resmgr.conf.d/*.conf r,
- /{usr/,}sbin/resmgrd r,
+ @{exec_path} r,
 /{,var/}run/.resmgr_socket lrw,
 /{,var/}run/resmgr.pid lrw,
 /{,var/}run/fence* lrw,
diff --git a/profiles/apparmor/profiles/extras/sbin.rpc.lockd b/profiles/apparmor/profiles/extras/sbin.rpc.lockd
index 772e12551..f22c180fa 100644
--- a/profiles/apparmor/profiles/extras/sbin.rpc.lockd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.lockd
@@ -14,7 +14,7 @@ include
 profile rpc.lockd /{usr/,}sbin/rpc.lockd {
 include
- /{usr/,}sbin/rpc.lockd rmix,
+ @{exec_path} mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/sbin.rpc.statd b/profiles/apparmor/profiles/extras/sbin.rpc.statd
index 42ba0ce29..eb61239eb 100644
--- a/profiles/apparmor/profiles/extras/sbin.rpc.statd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.statd
@@ -37,7 +37,7 @@ profile rpc.statd /{usr/,}sbin/rpc.statd {
 /etc/nfs.conf.d/ r,
 /etc/nfs.conf.d/* rk,
 /etc/rpc r,
- /{usr/,}sbin/rpc.statd mrix,
+ @{exec_path} mrix,
 /{usr/,}sbin/sm-notify mrix,
 /var/lib/nfs/sm/ r,
 /var/lib/nfs/sm/* rw,
diff --git a/profiles/apparmor/profiles/extras/socat b/profiles/apparmor/profiles/extras/socat
index 2baf38c00..ad9f43e30 100644
--- a/profiles/apparmor/profiles/extras/socat
+++ b/profiles/apparmor/profiles/extras/socat
@@ -35,7 +35,7 @@ profile socat /usr/bin/socat {
 network,
 # Allow executable mapping and read for the binary
- file mr /usr/bin/socat,
+ mr @{exec_path},
 # Enable /dev/ptmx access for testsuite
 # file rw /dev/ptmx,
diff --git a/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient b/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient
index 969d0007e..09c2bd03c 100644
--- a/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient
+++ b/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient
@@ -23,7 +23,7 @@ include
 /{usr/,}bin/bash mix,
 /usr/bin/cut mix,
- /usr/NX/bin/nxclient rmix,
+ @{exec_path} mrix,
 /usr/NX/bin/nxssh mix,
 /usr/NX/bin/nxproxy mix,
 /usr/NX/lib/** mr,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.acroread b/profiles/apparmor/profiles/extras/usr.bin.acroread
index 5e449492a..44422fb53 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.acroread
+++ b/profiles/apparmor/profiles/extras/usr.bin.acroread
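Review bot: The rewritten socat rule `mr @{exec_path},` drops the `file` keyword that the removed line `file mr /usr/bin/socat,` carried, while the commented-out rule two lines below (`# file rw /dev/ptmx,`) still uses it, so the profile now mixes both spellings for the permissions-first form. Keeping `file mr @{exec_path},` preserves the profile's existing style and leaves the rule visibly marked as a file rule. The enclosing profile block starts outside the hunk.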
@@ -26,7 +26,7 @@ include
 capability dac_override,
- /usr/X11R6/bin/acroread mr,
+ @{exec_path} mr,
 /{usr/,}bin/basename mixr,
 /{usr/,}bin/bash mix,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.apropos b/profiles/apparmor/profiles/extras/usr.bin.apropos
index a39edb466..b6b4d0bc9 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.apropos
+++ b/profiles/apparmor/profiles/extras/usr.bin.apropos
@@ -20,7 +20,7 @@ include
 /{usr/,}bin/bash mixr,
 /{usr/,}bin/grep mixr,
 /etc/manpath.config r,
- /usr/bin/apropos rmix,
+ @{exec_path} mr,
 /usr/bin/man Px,
 /usr/bin/tr mixr,
 /var/cache/man/whatis r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.dumpcap b/profiles/apparmor/profiles/extras/usr.bin.dumpcap
index f01295c63..426bcca92 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.dumpcap
+++ b/profiles/apparmor/profiles/extras/usr.bin.dumpcap
@@ -29,7 +29,7 @@ include
 /sys/class/net/ r,
 /sys/devices/**/net/* r,
- /usr/bin/dumpcap mr,
+ @{exec_path} mr,
 /usr/share/GeoIP/ r,
 /usr/share/GeoIP/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10 b/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
index d68a2eba9..9bec79fb6 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
+++ b/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
@@ -110,7 +110,7 @@ include
 @{HOME}/.qt/** lrw,
 @{HOME}/.recently-used rw,
- /usr/bin/evolution-2.10 mixr,
+ @{exec_path} mrix,
 /usr/bin/firefox Pxr,
 /usr/lib/** r,
 /usr/lib/GConf/2/gconfd-2 Px,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.fam b/profiles/apparmor/profiles/extras/usr.bin.fam
index fa50df548..17113fbb8 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.fam
+++ b/profiles/apparmor/profiles/extras/usr.bin.fam
@@ -17,7 +17,7 @@ include
 include
 /tmp/.fam* wl,
 /etc/mtab rw,
- /usr/bin/fam rmix,
+ @{exec_path} mrix,
 # it makes some level of sense for FAM to read all files on the
 # filesystem, even if this is a little unfortunate.
 /** r,
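Review bot: The path that `@{exec_path}` replaces in this acroread hunk is `/usr/X11R6/bin/acroread`, which is not obviously the executable the profile attaches to (the file is named usr.bin.acroread and the profile header is outside the hunk); if the attachment is a different path, the new rule no longer covers `/usr/X11R6/bin/acroread` at all and instead grants `mr` on whatever binary attached. The same substitution in the usr.lib.man-db.man hunk further down is clearer: there `/usr/bin/man rmix,` becomes `@{exec_path} mrix,`, yet the usr.bin.man hunk on this page transitions to `/usr/lib/man-db/man Px`, so the two are distinct binaries with separate profiles and `@{exec_path}` in the man-db profile presumably does not expand to `/usr/bin/man`, silently dropping the `rmix` the removed line granted. Where the removed path is a sibling binary rather than the profile's own attachment, the literal rule should stay alongside the new one, e.g. `/usr/bin/man rmix,` next to `@{exec_path} mrix,`.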
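Review bot: The new apropos rule `@{exec_path} mr,` drops the `ix` that the removed line `/usr/bin/apropos rmix,` granted, so an inherit-exec of the apropos binary under this profile would now be denied; every other `rmix` replacement on this page is rewritten as `mrix`. If narrowing the permission is intended, a one-line comment above the rule should say so; otherwise it should read `@{exec_path} mrix,`. The enclosing profile block starts outside the hunk.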
diff --git a/profiles/apparmor/profiles/extras/usr.bin.freshclam b/profiles/apparmor/profiles/extras/usr.bin.freshclam
index 8ddbb5aa3..1477909a4 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.freshclam
+++ b/profiles/apparmor/profiles/extras/usr.bin.freshclam
@@ -23,7 +23,8 @@ include
 /etc/clamd.conf r,
 /etc/freshclam.conf r,
- /usr/bin/freshclam mr,
+ @{exec_path} mr,
+
 /var/lib/clamav/** rw,
 owner /run/clamav/freshclam.pid w,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.gaim b/profiles/apparmor/profiles/extras/usr.bin.gaim
index 994f53ce0..0b6323184 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.gaim
+++ b/profiles/apparmor/profiles/extras/usr.bin.gaim
@@ -43,7 +43,7 @@ include
 @{HOME}/.themes/** r,
 /opt/MozillaFirefox/bin/firefox.sh Px,
- /usr/bin/gaim mixr,
+ @{exec_path} mrix,
 /usr/lib/GConf/2/gconfd-2 Px,
 /usr/share/icons r,
 /usr/share/icons/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.man b/profiles/apparmor/profiles/extras/usr.bin.man
index ce91c0b4d..a469f14b1 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.man
+++ b/profiles/apparmor/profiles/extras/usr.bin.man
@@ -23,7 +23,7 @@ include
 capability setgid,
 capability setuid,
- /usr/bin/man r,
+ @{exec_path} r,
 /usr/lib/man-db/man Px,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce
index b231ac8a1..321ba4f85 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce
@@ -17,7 +17,7 @@ include
 /usr/bin/mlmmj-bounce {
 include
- /usr/bin/mlmmj-bounce mr,
+ @{exec_path} mr,
 /usr/bin/mlmmj-send Px,
 /usr/bin/mlmmj-maintd Px,
 /var/spool/mlmmj/*/subscribers.d/ r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd
index 39235fb12..9dbd8910c 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd
@@ -19,7 +19,7 @@ include
 capability setuid,
- /usr/bin/mlmmj-maintd mr,
+ @{exec_path} mr,
 /usr/bin/mlmmj-send Px,
 /usr/bin/mlmmj-bounce Px,
 /usr/bin/mlmmj-unsub Px,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh
index 5133f9877..def7ee773 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh
@@ -21,7 +21,7 @@ include
 capability sys_admin,
- /usr/bin/mlmmj-make-ml.sh r,
+ @{exec_path} r,
 # some shell tools are needed
 /{usr/,}bin/domainname mix,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process
index ba33624d7..00e7d20dc 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process
@@ -17,7 +17,8 @@ include
 /usr/bin/mlmmj-process {
 include
- /usr/bin/mlmmj-process mr,
+
+ @{exec_path} mr,
 /usr/bin/mlmmj-send Px,
 /usr/bin/mlmmj-sub Px,
 /usr/bin/mlmmj-unsub Px,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive
index 450ac53fc..c0553a027 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive
@@ -18,7 +18,7 @@ include
 include
 /usr/bin/mlmmj-process Px,
- /usr/bin/mlmmj-receive mr,
+ @{exec_path} mr,
 /var/spool/mlmmj/*/incoming/ rw,
 /var/spool/mlmmj/*/incoming/* rw,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve
index bfd786cce..4c2ab76d8 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve
@@ -21,7 +21,7 @@ include
 include
 /usr/bin/mlmmj-process Px,
- /usr/bin/mlmmj-recieve mr,
+ @{exec_path} mr,
 /var/spool/mlmmj/*/incoming/* w,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send
index a3fc0feaa..d10fd2873 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send
@@ -18,7 +18,7 @@ include
 include
 include
- /usr/bin/mlmmj-send mr,
+ @{exec_path} mr,
 /var/spool/mlmmj/*/archive/* w,
 /var/spool/mlmmj/*/control/* r,
 /var/spool/mlmmj/*/index rwk,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub
index f5c36c832..5c9039510 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub
@@ -20,7 +20,7 @@ include
 capability setuid,
 /usr/bin/mlmmj-send Px,
- /usr/bin/mlmmj-sub mr,
+ @{exec_path} mr,
 /var/spool/mlmmj/*/control/ r,
 /var/spool/mlmmj/*/control/* r,
 /var/spool/mlmmj/*/moderation/subscribe* rw,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub
index 7097a81cd..26089de4c 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub
@@ -17,7 +17,7 @@ include
 /usr/bin/mlmmj-unsub {
 include
- /usr/bin/mlmmj-unsub mr,
+ @{exec_path} mr,
 /usr/bin/mlmmj-send Px,
 /var/spool/mlmmj/*/control/ r,
 /var/spool/mlmmj/*/control/* r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.opera b/profiles/apparmor/profiles/extras/usr.bin.opera
index 7f9432b7c..30e53120a 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.opera
+++ b/profiles/apparmor/profiles/extras/usr.bin.opera
@@ -69,7 +69,8 @@ include
 /{,var/}run/.resmgr_socket w,
 /var/spool/cups/tmp/* lrw,
- /usr/bin/opera mr,
+ @{exec_path} mr,
+
 /usr/lib/jvm/java-1.5.0-sun-1.5.0_update12/jre/lib/i386/*.so mr,
 /usr/lib/jvm/java-1.5.0-sun-1.5.0_update12/jre/lib/i386/client/*.so mr,
 /usr/lib/opera/*/opera ix,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.passwd b/profiles/apparmor/profiles/extras/usr.bin.passwd
index 8356c2437..e027d3e68 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.passwd
+++ b/profiles/apparmor/profiles/extras/usr.bin.passwd
@@ -38,7 +38,7 @@ include
 @{PROC}/@{pid}/loginuid r,
- /usr/bin/passwd mr,
+ @{exec_path} mr,
 /usr/lib/pwdutils/lib*.so* mr,
 /usr/lib64/pwdutils/lib*.so* mr,
 /usr/share/cracklib/pw_dict.hwm r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.procmail b/profiles/apparmor/profiles/extras/usr.bin.procmail
index eb7ed544a..f47b3ebf2 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.procmail
+++ b/profiles/apparmor/profiles/extras/usr.bin.procmail
@@ -33,7 +33,7 @@ include
 /{usr/,}bin/date rmix,
 /{usr/,}bin/gzip rmix,
 /usr/bin/formail rmix,
- /usr/bin/procmail rmix,
+ @{exec_path} mrix,
 /usr/bin/spamc Px,
 /usr/sbin/sendmail rPx,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket b/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
index 01528f97d..643fe7243 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
+++ b/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
@@ -18,7 +18,7 @@ profile pyzorsocket /usr/bin/pyzorsocket {
 /usr/bin/ r,
 /usr/bin/python[2-9]* ix,
- /usr/bin/pyzorsocket r,
+ @{exec_path} r,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.bin.razorsocket b/profiles/apparmor/profiles/extras/usr.bin.razorsocket
index 8e40285b8..5cd146c3f 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.razorsocket
+++ b/profiles/apparmor/profiles/extras/usr.bin.razorsocket
@@ -16,7 +16,7 @@ profile razorsocket /usr/bin/razorsocket {
 include
 include
- /usr/bin/razorsocket r,
+ @{exec_path} r,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.bin.skype b/profiles/apparmor/profiles/extras/usr.bin.skype
index a49cba1ce..4bcbf76cc 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
@@ -44,7 +44,7 @@ include
 # should this be in a separate KDE abstraction?
 owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
- /usr/bin/skype mr,
+ @{exec_path} mr,
 /etc/xdg/sni-qt.conf rk,
 /etc/xdg/Trolltech.conf rk,
 /usr/share/skype/** kr,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.spamc b/profiles/apparmor/profiles/extras/usr.bin.spamc
index 829f8cc12..ee6a461df 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.spamc
+++ b/profiles/apparmor/profiles/extras/usr.bin.spamc
@@ -18,7 +18,7 @@ include
 include
 include
- /usr/bin/spamc r,
+ @{exec_path} r,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.bin.svnserve b/profiles/apparmor/profiles/extras/usr.bin.svnserve
index bc3baca3e..7f7eef0f6 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.svnserve
+++ b/profiles/apparmor/profiles/extras/usr.bin.svnserve
@@ -19,7 +19,7 @@ include
 # network service ;)
 capability net_bind_service,
- /usr/bin/svnserve mr,
+ @{exec_path} mr,
 /srv/svn/*/conf/* r,
 /srv/svn/*/format r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.wireshark b/profiles/apparmor/profiles/extras/usr.bin.wireshark
index 439c06cc9..e89823015 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.wireshark
+++ b/profiles/apparmor/profiles/extras/usr.bin.wireshark
@@ -77,7 +77,7 @@ include
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/mime/* r,
 /usr/lib/firefox/firefox.sh rPx,
- /usr/bin/wireshark mixr,
+ @{exec_path} mrix,
 /usr/share/mime/* r,
 /usr/share/qt[45]/translations/* r,
 /usr/share/snmp/mibs r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.xfs b/profiles/apparmor/profiles/extras/usr.bin.xfs
index 05437dc52..20b743771 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.xfs
+++ b/profiles/apparmor/profiles/extras/usr.bin.xfs
@@ -21,7 +21,7 @@ include
 /etc/X11/fs/config r,
 /etc/mtab r,
 /tmp/.font-unix/fs710[0-9] wl,
- /usr/bin/xfs rmix,
+ @{exec_path} mrix,
 /{,var/}run/xfs.pid rw,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2 b/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2
index f27e6fef1..b6497e5bf 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2
+++ b/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2
@@ -29,7 +29,7 @@ include
 @{HOME}/.gconf/** lrw,
 @{HOME}/.gconfd/** lrw,
- /usr/lib/GConf/2/gconfd-2 rmix,
+ @{exec_path} mrix,
 /usr/lib/GConf/2/libgconfbackend-xml.so mr,
 /usr/lib64/GConf/2/libgconfbackend-xml.so mr,
 /usr/share/locale/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay b/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay
index a7e27e6b6..894c6f77a 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay
+++ b/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay
@@ -41,7 +41,7 @@ include
 @{HOME}/ r,
 @{HOME}/.realplayerrc rw,
- /usr/lib/RealPlayer10/realplay mr,
+ @{exec_path} mr,
 /usr/lib/RealPlayer10/** mr,
 /usr/lib/RealPlayer10/realplay.bin Pxr,
 /usr/lib/firefox/firefox.sh Pxr,
diff --git a/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server b/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server
index ca34ca708..ec5c35af8 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server
+++ b/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server
@@ -20,7 +20,7 @@ include
 include
 /etc/bonobo-activation/bonobo-activation-config.xml r,
- /usr/lib/bonobo/bonobo-activation-server rmix,
+ @{exec_path} mrix,
 /usr/lib/bonobo/servers r,
 /usr/lib/bonobo/servers/*.server r,
 /usr/lib/evolution-data-server-*/evolution-data-server-* Px,
diff --git a/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 b/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10
index 6e74cac27..50ab6cda1 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10
+++ b/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10
@@ -33,7 +33,7 @@ include
 /usr/lib/GConf/**.so mr,
 /usr/lib/GConf/2/gconfd-2 Pxr,
 /usr/lib64/GConf/2/gconfd-2 Pxr,
- /usr/lib/evolution-data-server/evolution-data-server-1.10 mr,
+ @{exec_path} mr,
 /usr/lib/evolution-data-server/evolution-data-server-* rmix,
 /usr/lib/evolution-data-server*/extensions r,
 /usr/lib/evolution-data-server*/extensions/lib*.so r,
diff --git a/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client b/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client
index 19ac191e6..56d64e763 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client
@@ -19,7 +19,7 @@ include
 include
 /usr/lib/mozilla/lib*so* mr,
- /usr/lib/firefox/mozilla-xremote-client rmix,
+ @{exec_path} mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.lib.man-db.man b/profiles/apparmor/profiles/extras/usr.lib.man-db.man
index 98f0108d0..f80cc0c5d 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.man-db.man
+++ b/profiles/apparmor/profiles/extras/usr.lib.man-db.man
@@ -46,7 +46,7 @@ include
 /usr/bin/iconv rmix,
 /{usr/,}bin/less rmix,
 /usr/bin/locale rmix,
- /usr/bin/man rmix,
+ @{exec_path} mrix,
 /usr/bin/nroff rmix,
 /usr/bin/preconv rmix,
 /usr/bin/tbl rmix,
diff --git a/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2 b/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2
index dcab9c0ad..033b1fe99 100644
--- a/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2
+++ b/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2
@@ -29,7 +29,7 @@ include
 @{HOME}/.gconf/** lrw,
 @{HOME}/.gconfd/** lrw,
- /usr/lib64/GConf/2/gconfd-2 rmix,
+ @{exec_path} mrix,
 /usr/lib/GConf/2/libgconfbackend-xml.so mr,
 /usr/lib64/GConf/2/libgconfbackend-xml.so mr,
 /usr/share/locale/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.clamd b/profiles/apparmor/profiles/extras/usr.sbin.clamd
index 92915e49c..e328553c9 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.clamd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.clamd
@@ -20,7 +20,7 @@ profile clamd /usr/sbin/clamd {
 capability setuid,
 /etc/clamd.conf r,
- /usr/sbin/clamd mr,
+ @{exec_path} mr,
 /var/lib/clamav/ r,
 /var/lib/clamav/** r,
 owner /run/clamav/clamd.pid w,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.cupsd b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
index b5bb1ea9b..a49e2666a 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -52,7 +52,7 @@ include
 /usr/bin/smbspool ixr,
 /usr/lib/cups/backend/* ixr,
 /usr/lib/cups/filter/* ixr,
- /usr/sbin/cupsd mixr,
+ @{exec_path} mrix,
 /usr/share/cups/** r,
 /var/log/cups/access_log rw,
 /var/log/cups/error_log rw,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
index 2080af228..fc67b121a 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
@@ -32,7 +32,7 @@ include
 /etc/named.d/* r,
 @{PROC}/net/dev r,
 @{PROC}/sys/net/ipv4/ip_local_port_range r,
- /usr/sbin/dhcpd rmix,
+ @{exec_path} mrix,
 /var/lib/dhcp/{db/,}dhcpd{6,}.leases* rwl,
 /var/lib/dhcp/etc/dhcpd.conf r,
 /{,var/}run/dhcpd.pid wl,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.haproxy b/profiles/apparmor/profiles/extras/usr.sbin.haproxy
index 998c6aa83..98db51240 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.haproxy
+++ b/profiles/apparmor/profiles/extras/usr.sbin.haproxy
@@ -33,7 +33,7 @@ profile haproxy /usr/sbin/haproxy {
 /etc/haproxy/* r,
- /usr/sbin/haproxy rmix,
+ @{exec_path} mrix,
 /var/lib/haproxy/stats rwl,
 /var/lib/haproxy/stats.*.bak rwl,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
index 3e401db9f..450667408 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
@@ -79,7 +79,7 @@ include
 /usr/local/tomcat/conf/mod_jk.conf r,
 /usr/local/tomcat/conf/workers-ajp12.properties r,
- /usr/sbin/httpd2-prefork r,
+ @{exec_path} r,
 /usr/share/misc/magic.mime r,
 /usr/share/snmp/mibs r,
 /usr/share/snmp/mibs/*.{txt,mib} r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.imapd b/profiles/apparmor/profiles/extras/usr.sbin.imapd
index af41f7f1b..7c2e82b2a 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
@@ -20,7 +20,7 @@ include
 /dev/urandom r,
 /tmp/* rwl,
- /usr/sbin/imapd r,
+ @{exec_path} r,
 /usr/share/ssl/certs/imapd.pem r,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
index 27c7c9a0a..1b4e023b5 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd
@@ -19,7 +19,7 @@ include
 @{HOME}/.plan r,
 @{HOME}/.project r,
- /usr/sbin/in.fingerd mr,
+ @{exec_path} mr,
 /usr/bin/finger mix,
 /var/log/lastlog r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd b/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd
index 04762d8f9..f3380e363 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd
@@ -29,7 +29,7 @@ include
 @{HOMEDIRS} r,
 @{HOME}/** rwl,
- /usr/sbin/in.ftpd r,
+ @{exec_path} r,
 /usr/share/ssl/certs/ca-bundle.crt r,
 /usr/share/ssl/certs/ftpd-rsa.pem r,
 /usr/share/ssl/private/ftpd-rsa-key.pem r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd b/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd
index eb0055142..b5ea10a24 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd
@@ -17,7 +17,7 @@ include
 include
 include
- /usr/sbin/in.ntalkd r,
+ @{exec_path} r,
 /{,var/}run/utmp r,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
index 0496cd37b..bf1a9f2b2 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
@@ -20,7 +20,7 @@ include
 /dev/urandom r ,
 /tmp/.* rwl ,
- /usr/sbin/ipop2d rmix,
+ @{exec_path} mrix,
 /usr/share/ssl/certs/ipop2d.pem r ,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
index 84963c588..34f5cd422 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
@@ -20,7 +20,7 @@ include
 /dev/urandom r ,
 /tmp/.* rwl ,
- /usr/sbin/ipop3d rmix,
+ @{exec_path} mrix,
 /usr/share/ssl/certs/ipop3d.pem r ,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
index 50ff318e4..29ad95634 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
@@ -37,7 +37,7 @@ include
 /etc/lighttpd/auth.d/* r,
 /etc/lighttpd/vhosts.d r,
 /etc/lighttpd/vhosts.d/* r,
- /usr/sbin/lighttpd mix,
+ @{exec_path} mrix,
 /usr/lib/lighttpd/*.so mr,
 /usr/lib64/lighttpd/*.so mr,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.mysqld b/profiles/apparmor/profiles/extras/usr.sbin.mysqld
index 40cdbd685..295eab836 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.mysqld
+++ b/profiles/apparmor/profiles/extras/usr.sbin.mysqld
@@ -33,7 +33,7 @@ include
 /root/.my.cnf r,
 /sys/devices/system/cpu/online r,
 /usr/lib{,32,64}/**.so mr,
- /usr/sbin/mysqld mr,
+ @{exec_path} mr,
 /usr/share/mariadb/*/errmsg.sys r,
 /usr/share/mysql-community-server/*/errmsg.sys r,
 /usr/share/mysql/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.oidentd b/profiles/apparmor/profiles/extras/usr.sbin.oidentd
index 174dfd9f7..c1ca2d4aa 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.oidentd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.oidentd
@@ -21,7 +21,7 @@ include
 capability dac_override,
 capability dac_read_search,
- /usr/sbin/oidentd mr,
+ @{exec_path} mr,
 /etc/oidentd.conf r,
 /etc/oidentd_masq.conf r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.popper b/profiles/apparmor/profiles/extras/usr.sbin.popper
index 155d0d2ee..d20da6355 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.popper
+++ b/profiles/apparmor/profiles/extras/usr.sbin.popper
@@ -23,7 +23,7 @@ include
 capability setgid,
 capability setuid,
- /usr/sbin/popper mr,
+ @{exec_path} mr,
 /var/spool/mail/* rw,
 # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postalias b/profiles/apparmor/profiles/extras/usr.sbin.postalias
index 644b2ec2b..20734fb1b 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.postalias
+++ b/profiles/apparmor/profiles/extras/usr.sbin.postalias
@@ -27,7 +27,7 @@ include
 /etc/postfix/aliases.{lm,}db rwl,
 /etc/postfix/__db.aliases.db lrw,
 /etc/__db.aliases.db rwl,
- /usr/sbin/postalias rmix,
+ @{exec_path} mrix,
 @{PROC}/net/if_inet6 r,
 # On SuSE, mailman is configured to use its own alias db
 /var/lib/mailman/data/aliases r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postdrop b/profiles/apparmor/profiles/extras/usr.sbin.postdrop
index 77ab08948..97a5ffe7e 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.postdrop
+++ b/profiles/apparmor/profiles/extras/usr.sbin.postdrop
@@ -27,7 +27,7 @@ include
 /etc/postfix/main.cf r,
 /etc/postfix/postfix-script mixr,
 @{PROC}/net/if_inet6 r,
- /usr/sbin/postdrop rmix,
+ @{exec_path} mrix,
 /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /var/spool/postfix r,
 /var/spool/postfix/maildrop r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postmap b/profiles/apparmor/profiles/extras/usr.sbin.postmap
index 6501a34a2..7c150c2a8 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.postmap
+++ b/profiles/apparmor/profiles/extras/usr.sbin.postmap
@@ -26,7 +26,7 @@ include
 /etc/postfix/*.lmdb rwlk,
 @{PROC}/net/if_inet6 r,
 /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
- /usr/sbin/postmap rmix,
+ @{exec_path} mrix,
 # Site-specific additions and overrides. See local/README for details.
 include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postqueue b/profiles/apparmor/profiles/extras/usr.sbin.postqueue
index dbaa49448..8a6b49ade 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.postqueue
+++ b/profiles/apparmor/profiles/extras/usr.sbin.postqueue
@@ -23,7 +23,7 @@ include
 capability dac_override,
 /etc/postfix r,
- /usr/sbin/postqueue rmix,
+ @{exec_path} mrix,
 /usr/lib{,exec}/postfix/{bin/,sbin/,}showq Px,
 /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /var/spool/postfix r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
index 46ab43df9..0023931b4 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail
@@ -58,9 +58,9 @@ include
 /usr/sbin/postalias Px,
 /usr/sbin/postdrop Px,
 /usr/sbin/postqueue Px,
- /usr/sbin/sendmail rmix,
- /usr/sbin/sendmail.postfix rmix,
- /usr/sbin/sendmail.sendmail rmix,
+ @{exec_path} mrix,
+ @{exec_path}.postfix mrix,
+ @{exec_path}.sendmail mrix,
 /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 /var/lib/sendmail/statistics rwl,
 /{,var/}run/sendmail.pid rwl,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix
index efbe3bfb4..8775d4d20 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix
@@ -33,7 +33,7 @@ include
 /usr/sbin/postalias Px,
 /usr/sbin/postdrop Px,
 /usr/sbin/postqueue Px,
- /usr/sbin/sendmail.postfix rmix,
+ @{exec_path} mrix,
 /var/spool/postfix/ r,
 /var/spool/postfix/active r,
 /var/spool/postfix/bounce r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
index 04da74786..63977d9af 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail
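Review bot: `@{exec_path}.postfix mrix,` and `@{exec_path}.sendmail mrix,` derive the sibling binaries' paths by appending a suffix to the new variable, which is only equivalent to the removed literal rules when `@{exec_path}` expands to exactly `/usr/sbin/sendmail` (presumably the profile's attachment, judging from the removed line; the header is outside the hunk). Per the apparmor.d.pod text in this commit, on kernels with kernel-variable support `@{exec_path}` is the specific path of the executable that attached at run time, so if this profile ever attaches through one of the siblings or an alternation, the suffix form produces paths like `/usr/sbin/sendmail.postfix.postfix` and stops matching the real file. The same pattern appears in the usr.sbin.useradd (`@{exec_path}.local`) and usr.sbin.userdel (`@{exec_path}-post.local`, `@{exec_path}-pre.local`) hunks. Rules for files other than the attached executable are clearer left literal, e.g. `/usr/sbin/sendmail.postfix mrix,`, or a short comment above them should state that `@{exec_path}` is assumed to be the bare `/usr/sbin/sendmail` path.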
@@ -36,7 +36,7 @@ include
  /usr/lib/sasl/* mr,
  /usr/lib/sasl2 r,
  /usr/lib/sasl2/* mr,
- /usr/sbin/sendmail.sendmail rmix,
+ @{exec_path} mrix,
  /{,var/}run/sendmail.pid rwl,
  /{,var/}run/sm-client.pid rwl,
  /{,var/}run/utmp rw,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.spamd b/profiles/apparmor/profiles/extras/usr.sbin.spamd
index 9ff81479d..4caaa2ee3 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.spamd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.spamd
@@ -34,7 +34,7 @@ include
  /tmp/spamd-*-init r,
  /tmp/spamd-*-init/** lrw,
  /usr/bin/perl mix,
- /usr/sbin/spamd r,
+ @{exec_path} r,
  /usr/share/spamassassin r,
  /usr/share/spamassassin/*.cf r,
  /usr/share/spamassassin/*.template r,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.squid b/profiles/apparmor/profiles/extras/usr.sbin.squid
index fbdfec704..1fb203ac1 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.squid
+++ b/profiles/apparmor/profiles/extras/usr.sbin.squid
@@ -23,7 +23,7 @@ include
  capability setuid,
  /usr/lib/squid/* rmix,
- /usr/sbin/squid rmix,
+ @{exec_path} mrix,
  /usr/sbin/unlinkd mixr,
  /var/cache/squid/** lrw,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sshd b/profiles/apparmor/profiles/extras/usr.sbin.sshd
index c50540d4b..ceb7003f0 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -67,7 +67,7 @@ include
  /etc/security/** r,
  /etc/ssh/** r,
  /etc/ssl/openssl.cnf r,
- /usr/sbin/sshd mrix,
+ @{exec_path} mrix,
  /usr/share/ssh/blacklist.* r,
  /var/log/btmp rw,
  owner @{run}/sshd{,.init}.pid wl,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.useradd b/profiles/apparmor/profiles/extras/usr.sbin.useradd
index f05dd3aac..da1dc9be5 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.useradd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.useradd
@@ -55,8 +55,8 @@ include
  /usr/sbin/adduser rmix,
  /usr/sbin/nscd rPix,
  /{,usr/}sbin/pam_tally2 Cx -> pam_tally2,
- /usr/sbin/useradd rmix,
- /usr/sbin/useradd.local rmix,
+ @{exec_path} mrix,
+ @{exec_path}.local mrix,
  /var/log/faillog rw,
  /{,var/}run/nscd.pid rw,
  /var/spool/mail/* rw,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.userdel b/profiles/apparmor/profiles/extras/usr.sbin.userdel
index cd210496b..75b2879ba 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.userdel
+++ b/profiles/apparmor/profiles/extras/usr.sbin.userdel
@@ -43,9 +43,9 @@ include
  @{PROC}/@{pid}/mounts r,
  /usr/bin/crontab rmix,
  /usr/lib*/pwdutils/*.so.* mr,
- /usr/sbin/userdel rmix,
- /usr/sbin/userdel-post.local rmix,
- /usr/sbin/userdel-pre.local rmix,
+ @{exec_path} mrix,
+ @{exec_path}-post.local mrix,
+ @{exec_path}-pre.local mrix,
  # XXX
  /{,var/}run/nscd.pid r,
  /var/spool/mail/* wl,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
index e081e6d08..9b49fffe5 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd
@@ -28,7 +28,7 @@ include
  /etc/vsftpd.* r,
  /etc/vsftpd/* r,
  /@{PROC}/@{pid}/mounts r,
- /usr/sbin/vsftpd rmix,
+ @{exec_path} mrix,
  /{,var/}run/utmp rk,
  /var/log/vsftpd.log w,
  /var/log/xferlog w,
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.xinetd b/profiles/apparmor/profiles/extras/usr.sbin.xinetd
index 0a66ad10d..be5cddaf4 100644
--- a/profiles/apparmor/profiles/extras/usr.sbin.xinetd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.xinetd
@@ -24,7 +24,7 @@ include
  /etc/xinetd.conf r,
  /etc/xinetd.d r,
  /etc/xinetd.d/* r,
- /usr/sbin/xinetd rmix,
+ @{exec_path} mrix,
  /var/log/xinetd.log w,
  /{,var/}run/xinetd.pid rwl,
diff --git a/utils/test/logprof/ping.bin.ping b/utils/test/logprof/ping.bin.ping
index ea415e5bf..d934b5d20 100644
--- a/utils/test/logprof/ping.bin.ping
+++ b/utils/test/logprof/ping.bin.ping
@@ -28,7 +28,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
  /etc/modules.conf r,
  /proc/21622/cmdline r,
- /{usr/,}bin/{,iputils-}ping mrix,
  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{exec_path} mrix,
 }
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 04e03fb68..4e29201eb 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -35,6 +35,14 @@ skip_startswith = (
     # Pux and Cux (which actually mean PUx and CUx) get rejected by the tools
     'generated_x/exact-',
+
+    # profiles that use undefined autovars like @{exec_path} when no attachment
+    'vars/vars_auto_exec_path_bad_2.sd',
+    'vars/vars_auto_attach_path_bad_2.sd',
+    'vars/vars_auto_exec_path_bad_3.sd',
+    'vars/vars_auto_attach_path_bad_3.sd',
+    'vars/vars_auto_exec_path_bad_5.sd',
+    'vars/vars_auto_attach_path_bad_5.sd',
 )
 # testcases that should raise an exception, but don't
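Review bot: For a profile whose attachment is a glob, as `profile ping /{usr/,}bin/{,iputils-}ping {` is here, `@{exec_path} mrix,` is not a pure spelling change of the removed `/{usr/,}bin/{,iputils-}ping mrix,` rule: if @{exec_path} resolves to the single path the process was actually executed from (which the parser documentation in this commit suggests happens on kernels that support it), the rule no longer permits an ix re-exec of a sibling path from the same glob, whereas on kernels without that support it presumably still expands to the full attachment glob. That is the tighter and probably intended result, but since this file is a logprof expected-output fixture the difference is worth recording so nobody "fixes" it back to the glob; suggest a short comment in the test driver along the lines of `# generated rule uses @{exec_path}; with a glob attachment this is narrower than the glob on kernels with kernel-variable support`. Applies to the other extras profiles in this commit only insofar as any of them attach to a glob, which the hunks do not show.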
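Review bot: The new comment explains why these test profiles are skipped but not why only the `_bad_2`, `_bad_3` and `_bad_5` variants of each pair are listed; presumably the tools already reject the other numbered variants (or they do not exist), but a maintainer pruning this list cannot tell which from the file. Suggest widening the comment to `# profiles that use undefined autovars (@{exec_path}, @{attach_path}) when the profile has no attachment; the parser rejects them but the tools do not (yet), so the other _bad_N cases are handled elsewhere`, naming the intended owner of the remaining cases if known. Also, these entries are complete file names rather than prefixes, so they sit slightly oddly in `skip_startswith`; if the file has an exact-match skip list they belong there, otherwise the prefix match is harmless because the `.sd` suffix terminates the name. The opening of the `skip_startswith` tuple is outside the hunk.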