From 699507f90a4c6ad779a26125174e3042790b15d2 Mon Sep 17 00:00:00 2001 
From: John Johansen Date: Sun, 20 Apr 2025 16:34:51 -0700 Subject: [PATCH 1/6] parser: Add support for automatic @{attach_path} variable Have the parser extract the attachment path from the profile declaration and make it available as a variable within the profile. This allows profile rules to use the executable attachment path in rules. eg. ``` profile ex /bin/** { @{attach_path} r, # ... } profile /path/to/bin { @{attach_path} r, # ... } ``` if a profile does not define an attachment like ``` profile noattach { @{attach_path} r, } ``` the apparmor_parser will fail the compile with the error. ``` Found reference to variable attach_path, but is never declared ``` The attachment xattr/label conditionals are not made available at this time as regular file path rules can not use them. Similarly a @{exec_path} variable is made available. It is different than @{attach_path} in that it is intended to be a kernel variable that represents the specific executable that was matched at run time. However to support policy on kernels that don't define the kernel variable it has a fallback value that is the same as @{attach_path}. This patch is a follow on to MR:1637 (https://gitlab.com/apparmor/apparmor/-/merge_requests/1637) and is similar to how the apparmor.d project uses the manually setup @{exec_path} variable. We can bike shed over the variable name. @{attach_path} was chosen here because this is the attachment conditional path for the executable, not the executable's actual path. While @{exec_path} is intended to be the applications actual executable path. support the @{exec_path} kernel variable (all of them atm). Notes: The minimize.sh tests are changed because this patch causes path based profile names to create an attachment. 
This could be done by doing the attach_variable expansion in the alternate location marked by the patch, but since the kernel is going to start doing this for all profiles that don't have an attachment, it is better for the parser to do it, as it can optimize better. This patch may cause breakage if policy declares either @{attach_path} or @{exec_path}; this will not be dealt with here, but in a subsequent patch that allows variables to have a local scope, so that the compiler-defined vars will just get declared locally.
Signed-off-by: John Johansen --- parser/apparmor.d.pod | 25 +++- parser/parser.h | 6 +- parser/parser_variable.c | 72 +++++++-- parser/tst/equality.sh | 140 ++++++++++++++++++ parser/tst/minimize.sh | 20 +-- .../vars/vars_auto_attach_path_01.sd | 9 ++ .../vars/vars_auto_attach_path_02.sd | 9 ++ .../vars/vars_auto_attach_path_03.sd | 9 ++ .../vars/vars_auto_attach_path_05.sd | 10 ++ .../vars/vars_auto_attach_path_06.sd | 10 ++ .../vars/vars_auto_attach_path_07.sd | 10 ++ .../vars/vars_auto_attach_path_08.sd | 20 +++ .../vars/vars_auto_attach_path_bad_1.sd | 9 ++ .../vars/vars_auto_attach_path_bad_2.sd | 12 ++ .../vars/vars_auto_attach_path_bad_3.sd | 16 ++ .../vars/vars_auto_attach_path_bad_4.sd | 10 ++ .../vars/vars_auto_attach_path_bad_5.sd | 11 ++ .../vars/vars_auto_exec_path_01.sd | 9 ++ .../vars/vars_auto_exec_path_02.sd | 9 ++ .../vars/vars_auto_exec_path_03.sd | 9 ++ .../vars/vars_auto_exec_path_05.sd | 10 ++ .../vars/vars_auto_exec_path_06.sd | 10 ++ .../vars/vars_auto_exec_path_07.sd | 10 ++ .../vars/vars_auto_exec_path_08.sd | 20 +++ .../vars/vars_auto_exec_path_bad_1.sd | 9 ++ .../vars/vars_auto_exec_path_bad_2.sd | 12 ++ .../vars/vars_auto_exec_path_bad_3.sd | 16 ++ .../vars/vars_auto_exec_path_bad_4.sd | 10 ++ .../vars/vars_auto_exec_path_bad_5.sd | 11 ++ 29 files changed, 508 insertions(+), 25 deletions(-) create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd create mode 100644 
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 9533155c8..1d7f714d3 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod 
@@ -1802,8 +1802,29 @@ site-specific customization of B<@{HOMEDIRS}>, F for B<@{multiarch}> and F for B<@{XDG_*}>. -The special B<@{profile_name}> variable is set to the profile name and may be -used in all policy. +=head3 Special builtin variables + +AppArmor has some builtin variables that are not declared in policy +but are available to be used in policy. + + @{profile_name} - the profile name + @{attach_path} - the profile exec attachment path - if one has been defined + @{exec_path} - the executables path + + +The B<@{profile_name}> variable is set to the profile name and may be +used in all policy. It is only defined when used inside of a profile. + +The B<@{attach_path}> variable is only defined if the profile will attach +to an executable. It will be the path attachment specification or +if that is not defined it may be the profile's name if the profile name +is a path. + +The B<@{exec_path}> variable like B<@{attach_path}> is only defined if +the profile attaches to an executable. If the kernel supports it as a +kernel variable, it will be set to the specific path that matches the +executable at run time. If the kernel does not support kernel variables +it will have the same value as B<@{attach_path}>. =head3 Notes on variable expansion and the / character diff --git a/parser/parser.h b/parser/parser.h index 005bbe580..df056aa5d 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -294,9 +294,10 @@ do { \ version; \ }) -/* The parser fills this variable in automatically */ +/* The parser fills these variable in automatically */ #define PROFILE_NAME_VARIABLE "profile_name" - +#define PROFILE_ATTACH_VAR "attach_path" +#define PROFILE_EXEC_VAR "exec_path" /* from parser_common.c */ extern uint32_t policy_version; 
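Review bot: The rewritten comment at the top of the parser.h hunk reads `these variable`, and it now heads three defines without saying when the two new ones are populated. Suggest `/* The parser fills these variables in automatically; attach_path and exec_path only exist for profiles that have an attachment */`, which matches the condition the pod text in the same commit states for the two variables.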
@@ -395,6 +396,7 @@ extern const char *basedir; #define glob_default 0 #define glob_null 1 +const char *local_name(const char *name); extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob, std::string& pcre, int *first_re_pos); extern bool build_list_val_expr(std::string& buffer, struct value_list *list); diff --git a/parser/parser_variable.c b/parser/parser_variable.c index c04e2a11a..a920ce7f1 100644 --- a/parser/parser_variable.c +++ b/parser/parser_variable.c @@ -295,8 +295,22 @@ static int process_variables_in_name(Profile &prof) * setup */ int error = expand_entry_variables(&prof.name); - if (!error && prof.attachment) - error = expand_entry_variables(&prof.attachment); + if (!error) { + if (prof.attachment) + error = expand_entry_variables(&prof.attachment); + else if (prof.name[0] == '/') { + /* had to wait to do this until after processing the + * variables in the profile name + */ + prof.attachment = strdup(local_name(prof.name)); + if (!prof.attachment) { + errno = ENOMEM; + return -1; + } + filter_slashes(prof.attachment); + } + } + if (!error && prof.flags.disconnected_path) error = process_variable_in_attach_disconnected(&prof.flags.disconnected_path); if (!error && prof.flags.disconnected_ipc) 
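Review bot: The new prototype `const char *local_name(const char *name);` is the only declaration in this stretch of parser.h written without `extern`; the neighbouring `convert_aaregex_to_pcre` and `build_list_val_expr` prototypes use it. It is functionally equivalent, but `extern const char *local_name(const char *name);` keeps the block uniform. The caller in parser_variable.c immediately `strdup()`s the result, which suggests the function returns a pointer into `name` rather than an allocation; a one-line comment on the prototype confirming ownership would spare the next caller the same question.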
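Review bot: The new `else if` branch guards on `prof.name[0] == '/'` but then builds the attachment from `local_name(prof.name)`, so the character tested and the string used are not the same value. If `prof.name` can carry a parent prefix at this point (which is presumably why a `local_name()` helper is needed), a child of a path-named parent, say `/p//child`, would pass the guard while its local name is not a path at all. If `prof.name` is always the unqualified local name here, a comment on the `else if` line saying so settles it, e.g. `/* prof.name is the local name here; a leading '/' means a path-based profile */`; otherwise the guard should test `local_name(prof.name)[0]`. The enclosing function `process_variables_in_name` begins before the hunk.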
@@ -331,23 +345,59 @@ int process_profile_variables(Profile *prof) */ error = process_variables_in_name(*prof); - if (!error) { - /* escape profile name elements that could be interpreted - * as regular expressions. + if (error) + goto out; + + /* escape profile name elements that could be interpreted as + * regular expressions. + */ + error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str()); + if (error) + goto out; + + if (prof->attachment) { + /* IF we didn't want a path based profile name to generate + * an attachment. The code could be moved here. Add the + * output fed into the vars directly instead of setting + * the attachment. */ - error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str()); + /* need to take into account alias, but not yet */ + error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment); + if (error) + goto cleanup_name; + /* update to use kernel vars if available */ + error = new_set_var(PROFILE_EXEC_VAR, prof->attachment); + if (error) + goto cleanup_attach; } - if (!error) - error = process_variables_in_entries(prof->entries); - - if (!error) - error = process_variables_in_rules(*prof); + error = process_variables_in_entries(prof->entries); + if (error) + goto cleanup; + error = process_variables_in_rules(*prof); +cleanup: + /* ideally these variables would be local scoped and we would not + * have to clean them up here, but unfortunately variables + * don't support that yet. + */ + if (prof->attachment) { + rc = delete_set_var(PROFILE_EXEC_VAR); + if (!error) + error = rc; + } +cleanup_attach: + if (prof->attachment) { + rc = delete_set_var(PROFILE_ATTACH_VAR); + if (!error) + error = rc; + } +cleanup_name: rc = delete_set_var(PROFILE_NAME_VARIABLE); if (!error) error = rc; +out: return error; } diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh index f0b90379b..333284f1d 100755 --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh 
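Review bot: `new_set_var(PROFILE_ATTACH_VAR, prof->attachment)` stores the attachment verbatim while the call just above stores `escape_re(prof->get_name(false))` for profile_name, and the surviving comment about escaping regular-expression elements sits directly above both; the asymmetry is intentional (the attachment is already an AARE pattern, and the equality tests in this commit expect `/t/*` to expand unescaped) but nothing in the hunk says so. Suggest `/* unlike profile_name, the attachment is already an AARE pattern and must not be escaped */` above the `PROFILE_ATTACH_VAR` call. The comment `/* update to use kernel vars if available */` on the exec_path line reads as if kernel variables were consulted now; `/* TODO: emit the kernel exec_path variable once the kernel supports it; until then it is a copy of attach_path */` describes what the code does. The label chain itself looks right: each failure jumps past the deletes for variables that were never set.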
@@ -971,6 +971,144 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \ #### end of wrapper fn } +test_parser_variables() +{ + ######## @{profile_name} ####### + verify_binary_equality "@{profile_name} expands correctly" \ + "/t { @{profile_name} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{profile_name} expands correcly - filter /" \ + "/t { /r/@{profile_name} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{profile_name} expands correcly - add globbing" \ + "/t { @{profile_name}/** r, }" \ + "/t { /t/** r, }" + + #re expression are escaped in profile names so /t/* becomes /t/\* + verify_binary_inequality "@{profile_name} w/pat expands correctly" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{profile_name} w/pat expands correctly" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/\* r, }" + + verify_binary_inequality "@{profile_name} w/pat expands correcly - filter /" \ + "/t/* { @{profile_name} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{profile_name} w/pat expands correcly - filter /" \ + "/t/* { @{profile_name}/a r, }" \ + "/t/* { /t/\*/a r, }" + + verify_binary_inequality "@{profile_name} w/pat expands correcly - add globbing" \ + "/t/* { @{profile_name}/** r, }" \ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{profile_name} w/pat expands correcly - add globbing" \ + "/t/** { @{profile_name}/** r, }" \ + "/t/** { /t/\*\*/** r, }" + + ######## @{attach_path} ####### + verify_binary_equality "@{attach_path} expands correctly" \ + "/t { @{attach_path} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{attach_path} expands correcly - filter /" \ + "/t { /r/@{attach_path} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{attach_path} expands correcly - add globbing" \ + "/t { @{attach_path}/** r, }" \ + "/t { /t/** r, }" + + verify_binary_equality "@{attach_path} w/pat expands correctly" \ + "/t/* { @{attach_path} r, }" \ + "/t/* { /t/* r, }" + + 
verify_binary_equality "@{attach_path} w/pat expands correcly - filter /" \ + "/t/* { @{attach_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/pat expands correcly - add globbing" \ + "/t/* { @{attach_path}/** r, }" \ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correctly" \ + "profile a /t { @{attach_path} r, }" \ + "profile a /t { /t r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correcly - filter /" \ + "profile a /t { /r/@{attach_path} r, }" \ + "profile a /t { /r/t r, }" + + verify_binary_equality "@{attach_path} w/attachment expands correcly - add globbing" \ + "profile a /t { @{attach_path}/** r, }" \ + "profile a /t { /t/** r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correctly" \ + "profile a /t/* { @{attach_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - filter /" \ + "profile a /t/* { @{attach_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - add globbing" \ + "profile a /t/* { @{attach_path}/** r, }" \ + "profile a /t/* { /t/*/** r, }" + + ######## @{exec_path} ####### + verify_binary_equality "@{exec_path} expands correctly" \ + "/t { @{exec_path} r, }" \ + "/t { /t r, }" + + verify_binary_equality "@{exec_path} expands correcly - filter /" \ + "/t { /r/@{exec_path} r, }" \ + "/t { /r/t r, }" + + verify_binary_equality "@{exec_path} expands correcly - add globbing" \ + "/t { @{exec_path}/** r, }" \ + "/t { /t/** r, }" + + verify_binary_equality "@{exec_path} w/pat expands correctly" \ + "/t/* { @{exec_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/pat expands correcly - filter /" \ + "/t/* { @{exec_path} r, }" \ + "/t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/pat expands correcly - add globbing" \ + "/t/* { @{exec_path}/** r, }" 
\ + "/t/* { /t/*/** r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correctly" \ + "profile a /t { @{exec_path} r, }" \ + "profile a /t { /t r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correcly - filter /" \ + "profile a /t { /r/@{exec_path} r, }" \ + "profile a /t { /r/t r, }" + + verify_binary_equality "@{exec_path} w/attachment expands correcly - add globbing" \ + "profile a /t { @{exec_path}/** r, }" \ + "profile a /t { /t/** r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correctly" \ + "profile a /t/* { @{exec_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - filter /" \ + "profile a /t/* { @{exec_path} r, }" \ + "profile a /t/* { /t/* r, }" + + verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - add globbing" \ + "profile a /t/* { @{exec_path}/** r, }" \ + "profile a /t/* { /t/*/** r, }" +} run_tests() { @@ -1082,6 +1220,8 @@ run_tests() "@{BAR}=bin/ \#value /t { /@{BAR} r, }" + test_parser_variables + # verify combinations of different priority levels # for single rule comparisons, rules should keep same expected result # even when the priorities are different. diff --git a/parser/tst/minimize.sh b/parser/tst/minimize.sh index 8b3c4850c..82f6a2721 100755 --- a/parser/tst/minimize.sh +++ b/parser/tst/minimize.sh 
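Review bot: Several labels in `test_parser_variables` are reused verbatim for an inequality check and the equality check that follows it (for example `"@{profile_name} w/pat expands correctly"` heads both the `verify_binary_inequality` and the `verify_binary_equality` case), and `correcly` is misspelled throughout, so a failing case would be reported under a name shared with a passing one. Giving the inequality cases their own label, e.g. `verify_binary_inequality "@{profile_name} w/pat is re-escaped, not raw" \`, makes the report unambiguous. Note also that every @{exec_path} case only exercises the fallback value, which is all the parser emits today; when kernel-variable support lands these will need a features-file variant so both encodings stay covered.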
@@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}" # {a} (0x 40030/0/0/0) echo -n "Minimize profiles basic perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -93,7 +93,7 @@ echo "ok" # {9} (0x 12804a/0/2800a/0) # {c} (0x 40030/0/0/0) echo -n "Minimize profiles audit perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -112,7 +112,7 @@ echo "ok" # {c} (0x 40030/0/0/0) echo -n "Minimize profiles deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi 
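Review bot: The first minimize.sh hunk, and every later hunk in the file, changes the test profile from `/t {` to `profile t {` without a comment explaining why; the reason (a path-based profile name now implies an attachment, which adds DFA states and breaks the expected counts) lives only in the commit message, and a later reader may well revert it. Suggest a comment above the first test, e.g. `# use a non-path profile name: a path name now implies an attachment, which adds DFA states`. It would also be worth keeping one case with a path-named profile and its updated state count, so the attachment's effect on minimization stays covered instead of being removed from the file.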
@@ -130,7 +130,7 @@ echo "ok" # {c} (0x 40030/0/0/0) echo -n "Minimize profiles audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then echo "failed" exit 1; fi @@ -155,7 +155,7 @@ echo "ok" ## NOTE: change count from 6 to 7 when extend perms is not dependent on ## prompt rules being present echo -n "Minimize profiles extended no-filter audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then echo "failed" exit 1; fi 
@@ -173,7 +173,7 @@ echo "ok" # {2} (0x 4/0//0/0/0) <- from policydb still showing up bug echo -n "Minimize profiles extended filter audit deny perms " -if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then +if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then echo "failed" exit 1; fi @@ -208,7 +208,7 @@ echo "ok" # echo -n "Minimize profiles xtrans " -if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then +if [ "$(echo "profile t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then echo "failed" exit 1; fi @@ -216,7 +216,7 @@ echo "ok" # same test as above + audit echo -n "Minimize profiles audit xtrans " -if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then +if [ "$(echo "profile t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then echo "failed" exit 1; fi 
@@ -229,7 +229,7 @@ echo "ok" # {3} (0x 0/fe17f85/0/14005) echo -n "Minimize profiles deny xtrans " -if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then +if [ "$(echo "profile t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then echo "failed" exit 1; fi @@ -241,7 +241,7 @@ echo "ok" # {3} (0x 0/fe17f85/0/0) echo -n "Minimize profiles audit deny xtrans " -if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then +if [ "$(echo "profile t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then echo "failed" exit 1; fi diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd new file mode 100644 index 000000000..0e248606c --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd @@ -0,0 +1,9 @@ +#=DESCRIPTION reference auto attach_path variable in rules +#=EXRESULT PASS + +profile /a/test/profile { + /a/test/profile rix, + + @{attach_path} rwk, + +} diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd new file mode 100644 index 000000000..806e0bb2d --- /dev/null +++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd 
@@ -0,0 +1,9 @@
+#=DESCRIPTION reference auto atach_path variable in rules
+#=EXRESULT PASS
+
+profile this_is_a_test /a/test/profile {
+ /a/test/profile rix,
+
+ /run/@{attach_path}/tmp rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd
new file mode 100644
index 000000000..c05addc61
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd
@@ -0,0 +1,9 @@
+#=DESCRIPTION reference auto attach_path from profile
+#=EXRESULT PASS
+
+/test/profile {
+ /test/profile rix,
+
+ /run/@{attach_path}/tmp rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd
new file mode 100644
index 000000000..f925c9c3f
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto attach_path variable in child
+#=EXRESULT PASS
+
+# no attachment in parent
+profile top_profile {
+
+ profile spork /a/*/c {
+ @{attach_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd
new file mode 100644
index 000000000..309a7d45d
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto attach_path variable in child
+#=EXRESULT PASS
+
+# no attachment in parent
+profile top_profile {
+
+ profile /a/b/c {
+ @{attach_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd
new file mode 100644
index 000000000..77dc87f57
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto attach_path variable in child
+#=EXRESULT PASS
+
+# no attachment in parent
+profile top_profile {
+
+ profile /a/*/c {
+ @{attach_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd
new file mode 100644
index 000000000..f1bac3b11
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd
@@ -0,0 +1,20 @@
+#=DESCRIPTION ensure attach_path expansion after subprofiles works
+#=EXRESULT PASS
+
+profile top_profile /test/profile {
+
+ /first/path/@{attach_path}/tmp rwk,
+
+ profile spork {
+ owner /tmp/* r,
+ /run/@{profile_name}/** rw,
+ }
+
+ hat spelunkk {
+ owner /tmp/* r,
+ /run/@{profile_name}/** rw,
+ }
+
+ # Does this expand properly?
+ /second/path/@{attach_path}/tmp rk,
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd
new file mode 100644
index 000000000..9e8f2e512
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_1.sd
@@ -0,0 +1,9 @@
+#=DESCRIPTION reference auto @{attach_path} variable in rules when not created
+#=EXRESULT FAIL
+
+test/profile {
+ /a/test/profile rix,
+
+ mr @{attach_path},
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd
new file mode 100644
index 000000000..bbd9c7e12
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd
@@ -0,0 +1,12 @@
+#=DESCRIPTION reference auto attach_path from profile
+#=EXRESULT FAIL
+
+/test/profile {
+ /test/profile rix,
+
+ # hat does not have an attachment and profile's attachment doesn't apply
+ ^spork {
+ owner /tmp/* r,
+ /spork/@{attach_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd
new file mode 100644
index 000000000..dbe64510d
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd
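Review bot: In vars_auto_attach_path_bad_1.sd the profile head is `test/profile {`, a name with neither a leading `/` nor the `profile` keyword; if the parser rejects that head on its own, the FAIL result is reached before `@{attach_path}` is ever looked up, and the case does not show that the variable is undeclared for a non-attaching profile. The commit message's own example, `profile noattach { @{attach_path} r, }`, would fail only for the intended reason. The same applies to vars_auto_exec_path_bad_1.sd further down.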
@@ -0,0 +1,16 @@
+#=DESCRIPTION ensure attach_path expansion after subprofiles works
+#=EXRESULT FAIL
+
+profile top_profile /test/profile {
+
+ /first/path/@{attach_path}/tmp rwk,
+
+ # subprofile doesn't have attach_pathes
+ hat spelunkk {
+ owner /tmp/* r,
+ /run/@{attach_path}/** rw,
+ }
+
+ # Does this expand properly?
+ /second/path/@{attach_path}/tmp rk,
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd
new file mode 100644
index 000000000..bae584fda
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto attach_path variable collides with user defined
+#=EXRESULT FAIL
+
+@{attach_path}=/BAD
+profile /a/test/profile {
+ /a/test/profile rix,
+
+ @{attach_path} rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd
new file mode 100644
index 000000000..64faf18c9
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd
@@ -0,0 +1,11 @@
+#=DESCRIPTION reference auto attach_path variable in rules w/hats
+#=EXRESULT FAIL
+
+profile idf3s2A6GX8vrk /simple/profile {
+ /test/profile rix,
+
+ ^test {
+ /run/@{attach_path}/tmp rwk,
+ }
+}
+
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd
new file mode 100644
index 000000000..f20f78433
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd
@@ -0,0 +1,9 @@
+#=DESCRIPTION reference auto exec_path variable in rules
+#=EXRESULT PASS
+
+profile /a/test/profile {
+ /a/test/profile rix,
+
+ @{exec_path} rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd
new file mode 100644
index 000000000..5408e07bf
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd
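Review bot: vars_auto_attach_path_bad_4.sd pins the collision between a policy-declared `@{attach_path}` and the compiler-defined one as a compile failure, which the commit message says a follow-up patch (local variable scope) is meant to resolve; if that lands as described, this test's expected result may have to flip, and nothing in the file points to that dependency. A line such as `# NOTE: expected result is tied to compiler-defined vars being global; revisit once they get local scope` after `#=EXRESULT FAIL` records it. The same applies to vars_auto_exec_path_bad_4.sd below.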
@@ -0,0 +1,9 @@
+#=DESCRIPTION reference auto exec_path variable in rules
+#=EXRESULT PASS
+
+profile this_is_a_test /a/test/profile {
+ /a/test/profile rix,
+
+ /run/@{exec_path}/tmp rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd
new file mode 100644
index 000000000..0e0a7a365
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd
@@ -0,0 +1,9 @@
+#=DESCRIPTION reference auto exec_path from profile
+#=EXRESULT PASS
+
+/test/profile {
+ /test/profile rix,
+
+ /run/@{exec_path}/tmp rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd
new file mode 100644
index 000000000..69cc06b23
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto exec_path variable in child
+#=EXRESULT PASS
+
+# no attachment in parent
+profile top_profile {
+
+ profile spork /a/*/c {
+ @{exec_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd
new file mode 100644
index 000000000..d2c9f50a9
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto exec_path variable in child
+#=EXRESULT PASS
+
+# no attachment in parent
+profile top_profile {
+
+ profile /a/b/c {
+ @{exec_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd
new file mode 100644
index 000000000..f3b8bcceb
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto exec_path variable in child
+#=EXRESULT PASS
+
+# no attachment in parent
+profile top_profile {
+
+ profile /a/*/c {
+ @{exec_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd
new file mode 100644
index 000000000..cd9719b3d
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd
@@ -0,0 +1,20 @@
+#=DESCRIPTION ensure exec_path expansion after subprofiles works
+#=EXRESULT PASS
+
+profile top_profile /test/profile {
+
+ /first/path/@{exec_path}/tmp rwk,
+
+ profile spork {
+ owner /tmp/* r,
+ /run/@{profile_name}/** rw,
+ }
+
+ hat spelunkk {
+ owner /tmp/* r,
+ /run/@{profile_name}/** rw,
+ }
+
+ # Does this expand properly?
+ /second/path/@{exec_path}/tmp rk,
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd
new file mode 100644
index 000000000..418140701
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_1.sd
@@ -0,0 +1,9 @@
+#=DESCRIPTION reference auto @{exec_path} variable in rules when not created
+#=EXRESULT FAIL
+
+test/profile {
+ /a/test/profile rix,
+
+ mr @{exec_path},
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd
new file mode 100644
index 000000000..311febd5c
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd
@@ -0,0 +1,12 @@
+#=DESCRIPTION reference auto exec_path from profile
+#=EXRESULT FAIL
+
+/test/profile {
+ /test/profile rix,
+
+ # hat does not have an attachment and profile's attachment doesn't apply
+ ^spork {
+ owner /tmp/* r,
+ /spork/@{exec_path}/** rw,
+ }
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
new file mode 100644
index 000000000..5b5778798
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
@@ -0,0 +1,16 @@
+#=DESCRIPTION ensure exec_path expansion after subprofiles works
+#=EXRESULT FAIL
+
+profile top_profile /test/profile {
+
+ /first/path/@{exec_path}/tmp rwk,
+
+ # subprofile doesn't have exec_pathes
+ hat spelunkk {
+ owner /tmp/* r,
+ /run/@{exec_path}/** rw,
+ }
+
+ # Does this expand properly?
+ /second/path/@{exec_path}/tmp rk,
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd
new file mode 100644
index 000000000..c83653004
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto exec_path variable collides with user defined
+#=EXRESULT FAIL
+
+@{exec_path}=/BAD
+profile /a/test/profile {
+ /a/test/profile rix,
+
+ @{exec_path} rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
new file mode 100644
index 000000000..d5ea19841
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
@@ -0,0 +1,11 @@
+#=DESCRIPTION reference auto exec_path variable in rules w/hats
+#=EXRESULT FAIL
+
+profile idf3s2A6GX8vrk /simple/profile {
+ /test/profile rix,
+
+ ^test {
+ /run/@{exec_path}/tmp rwk,
+ }
+}
+
From 6d0834da8ed20d3718b4e0ecd02e643f8b114f22 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 28 Apr 2025 05:32:54 -0700 Subject: [PATCH 2/6] profiles: update set of profiles updated in MR:1637 to use @{exec_path} This patch updates the set of profiles updated by MR:1637, this is split off from the rest of the profile updates because that set is explicity recently set apart.
Signed-off-by: John Johansen --- profiles/apparmor.d/Xorg | 2 +- profiles/apparmor.d/alsamixer | 2 +- profiles/apparmor.d/babeld | 2 +- profiles/apparmor.d/bfdd | 2 +- profiles/apparmor.d/bgpd | 2 +- profiles/apparmor.d/bin.ping | 2 +- profiles/apparmor.d/eigrpd | 2 +- profiles/apparmor.d/fabricd | 2 +- profiles/apparmor.d/isisd | 2 +- profiles/apparmor.d/nhrpd | 2 +- profiles/apparmor.d/ospf6d | 2 +- profiles/apparmor.d/ospfd | 2 +- profiles/apparmor.d/pathd | 2 +- profiles/apparmor.d/pbrd | 2 +- profiles/apparmor.d/pim6d | 2 +- profiles/apparmor.d/pimd | 2 +- profiles/apparmor.d/ripd | 2 +- profiles/apparmor.d/ripngd | 2 +- profiles/apparmor.d/staticd | 2 +- profiles/apparmor.d/tnftp | 2 +- profiles/apparmor.d/transmission | 8 ++++---- profiles/apparmor.d/vrrpd | 2 +- profiles/apparmor.d/wpa_supplicant | 2 +- profiles/apparmor.d/zgrep | 2 +- profiles/apparmor.d/znc | 2 +- profiles/apparmor/profiles/extras/firefox | 2 +- profiles/apparmor/profiles/extras/usr.bin.acroread | 2 +- profiles/apparmor/profiles/extras/usr.bin.svnserve | 2 +- .../profiles/extras/usr.lib.RealPlayer10.realplay | 2 +- ...r.lib.evolution-data-server.evolution-data-server-1.10 | 2 +- profiles/apparmor/profiles/extras/usr.sbin.in.fingerd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.oidentd | 2 +- 32 files changed, 35 insertions(+), 35 deletions(-) diff --git a/profiles/apparmor.d/Xorg b/profiles/apparmor.d/Xorg index 6fc1747ae..d3df23e8f 100644 --- a/profiles/apparmor.d/Xorg +++ b/profiles/apparmor.d/Xorg @@ -58,7 +58,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) { /{,usr/}bin/{bash,dash,sh} ix, /usr/bin/xkbcomp ix, - /usr/lib/xorg/Xorg mr, + @{exec_path) mr, @{PROC}/cmdline r, @{PROC}/@{pid}/cmdline r, diff --git a/profiles/apparmor.d/alsamixer b/profiles/apparmor.d/alsamixer index b3c872881..13354eaf4 100644 --- a/profiles/apparmor.d/alsamixer +++ b/profiles/apparmor.d/alsamixer 
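Review bot: The Xorg hunk replaces the literal path with `@{exec_path) mr,` — a `)` where `}` belongs — so this commit leaves profiles/apparmor.d/Xorg with a malformed variable reference, and the correction only arrives in PATCH 3/6 (the Xorg hunk further down, `- @{exec_path) mr,` / `+ @{exec_path} mr,`). Bisecting the series to this commit would then fail to load the Xorg profile; the fix belongs here, as `@{exec_path} mr,`, rather than in the follow-on commit. Compiling the profile tree with apparmor_parser before committing a bulk edit like this catches the typo mechanically.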
@@ -10,7 +10,7 @@ profile alsamixer /{usr,}/bin/alsamixer { include - /{usr,}/bin/alsamixer mr, + @{exec_path} mr, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/profiles/apparmor.d/babeld b/profiles/apparmor.d/babeld index 503f3a8cc..a13123f68 100644 --- a/profiles/apparmor.d/babeld +++ b/profiles/apparmor.d/babeld @@ -17,7 +17,7 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) { include include - /usr/lib/frr/babeld mr, + @{exec_path} mr, @{run}/frr/babel-state w, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/bfdd b/profiles/apparmor.d/bfdd index 80d610e94..d6baff8b1 100644 --- a/profiles/apparmor.d/bfdd +++ b/profiles/apparmor.d/bfdd @@ -21,7 +21,7 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) { capability sys_admin, - /usr/lib/frr/bfdd mr, + @{exec_path} mr, @{run}/netns/* r, @{run}/frr/bfdd.sock w, diff --git a/profiles/apparmor.d/bgpd b/profiles/apparmor.d/bgpd index 11d37f9ab..a5e7b633b 100644 --- a/profiles/apparmor.d/bgpd +++ b/profiles/apparmor.d/bgpd @@ -21,7 +21,7 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /usr/lib/frr/bgpd mr, + @{exec_path} mr, @{run}/netns/* r, diff --git a/profiles/apparmor.d/bin.ping b/profiles/apparmor.d/bin.ping index c8d450ee6..1f18c17d1 100644 --- a/profiles/apparmor.d/bin.ping +++ b/profiles/apparmor.d/bin.ping @@ -22,7 +22,7 @@ profile ping /{usr/,}bin/{,iputils-}ping { network inet raw, network inet6 raw, - /{usr/,}bin/{,iputils-}ping mixr, + @{exec_path} mixr, /etc/modules.conf r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/profiles/apparmor.d/eigrpd b/profiles/apparmor.d/eigrpd index 62ee8c276..ee4a37588 100644 --- a/profiles/apparmor.d/eigrpd +++ b/profiles/apparmor.d/eigrpd 
@@ -19,7 +19,7 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) { capability net_raw, - /usr/lib/frr/eigrpd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/fabricd b/profiles/apparmor.d/fabricd index 4770146b8..5a4a5624f 100644 --- a/profiles/apparmor.d/fabricd +++ b/profiles/apparmor.d/fabricd @@ -17,7 +17,7 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) { include include - /usr/lib/frr/fabricd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/isisd b/profiles/apparmor.d/isisd index 1701c8310..2def6b1a2 100644 --- a/profiles/apparmor.d/isisd +++ b/profiles/apparmor.d/isisd @@ -20,7 +20,7 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) { capability net_raw, - /usr/lib/frr/isisd mr, + @{exec_path} mr, /var/lib/frr/ r, /var/lib/frr/isisd.json{,.sav} rw, diff --git a/profiles/apparmor.d/nhrpd b/profiles/apparmor.d/nhrpd index 411e286a1..59eacb73e 100644 --- a/profiles/apparmor.d/nhrpd +++ b/profiles/apparmor.d/nhrpd @@ -20,7 +20,7 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) { capability net_raw, capability net_admin, - /usr/lib/frr/nhrpd mr, + @{exec_path} mr, /usr/bin/dash ix, @{PROC}/sys/net/ipv4/conf/*/send_redirects w, diff --git a/profiles/apparmor.d/ospf6d b/profiles/apparmor.d/ospf6d index 9cf3efdf8..3a78e04f0 100644 --- a/profiles/apparmor.d/ospf6d +++ b/profiles/apparmor.d/ospf6d @@ -21,7 +21,7 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /usr/lib/frr/ospf6d mr, + @{exec_path} mr, @{run}/netns/* r, diff --git a/profiles/apparmor.d/ospfd b/profiles/apparmor.d/ospfd index 4b4202185..e1337a222 100644 --- a/profiles/apparmor.d/ospfd +++ b/profiles/apparmor.d/ospfd 
@@ -21,7 +21,7 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) { capability net_raw, capability sys_admin, - /usr/lib/frr/ospfd mr, + @{exec_path} mr, @{run}/netns/* r, diff --git a/profiles/apparmor.d/pathd b/profiles/apparmor.d/pathd index 30b03b654..02dce4199 100644 --- a/profiles/apparmor.d/pathd +++ b/profiles/apparmor.d/pathd @@ -17,7 +17,7 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) { include include - /usr/lib/frr/pathd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/pbrd b/profiles/apparmor.d/pbrd index 0a58ffbb8..f2e5855ea 100644 --- a/profiles/apparmor.d/pbrd +++ b/profiles/apparmor.d/pbrd @@ -17,7 +17,7 @@ profile pbrd /usr/lib/frr/pbrd flags=(attach_disconnected) { include include - /usr/lib/frr/pbrd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/pim6d b/profiles/apparmor.d/pim6d index b5545bcb0..3f1ebeee5 100644 --- a/profiles/apparmor.d/pim6d +++ b/profiles/apparmor.d/pim6d @@ -20,7 +20,7 @@ profile pim6d /usr/lib/frr/pim6d flags=(attach_disconnected) { capability net_raw, capability net_admin, - /usr/lib/frr/pim6d mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/pimd b/profiles/apparmor.d/pimd index d3502d63e..b49ed78bb 100644 --- a/profiles/apparmor.d/pimd +++ b/profiles/apparmor.d/pimd @@ -20,7 +20,7 @@ profile pimd /usr/lib/frr/pimd flags=(attach_disconnected) { capability net_raw, capability net_admin, - /usr/lib/frr/pimd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/ripd b/profiles/apparmor.d/ripd index 9ce13e2cc..845f0fb9c 100644 --- a/profiles/apparmor.d/ripd +++ b/profiles/apparmor.d/ripd 
@@ -18,7 +18,7 @@ profile ripd /usr/lib/frr/ripd flags=(attach_disconnected) { include include - /usr/lib/frr/ripd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/ripngd b/profiles/apparmor.d/ripngd index 7573c2a21..a0b6e79b3 100644 --- a/profiles/apparmor.d/ripngd +++ b/profiles/apparmor.d/ripngd @@ -17,7 +17,7 @@ profile ripngd /usr/lib/frr/ripngd flags=(attach_disconnected) { include include - /usr/lib/frr/ripngd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/staticd b/profiles/apparmor.d/staticd index 4825bd505..f4a92b4d8 100644 --- a/profiles/apparmor.d/staticd +++ b/profiles/apparmor.d/staticd @@ -17,7 +17,7 @@ profile staticd /usr/lib/frr/staticd flags=(attach_disconnected) { include include - /usr/lib/frr/staticd mr, + @{exec_path} mr, /etc/frr/zebra.conf r, diff --git a/profiles/apparmor.d/tnftp b/profiles/apparmor.d/tnftp index 7641bc869..c9ddd1a53 100644 --- a/profiles/apparmor.d/tnftp +++ b/profiles/apparmor.d/tnftp @@ -28,7 +28,7 @@ profile tnftp /usr/bin/tnftp { network inet stream, network inet6 stream, - /usr/bin/tnftp mr, + @{exec_path} mr, # required for the pager (less, more) to work file Cx /usr/bin/dash, diff --git a/profiles/apparmor.d/transmission b/profiles/apparmor.d/transmission index d76dd102f..33687c6dc 100644 --- a/profiles/apparmor.d/transmission +++ b/profiles/apparmor.d/transmission @@ -17,7 +17,7 @@ profile transmission-daemon /usr/bin/transmission-daemon flags=(complain,attach_ network inet stream, network inet6 stream, - /usr/bin/transmission-daemon mr, + @{exec_path} mr, owner @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/random/uuid r, 
@@ -44,7 +44,7 @@ profile transmission-cli /usr/bin/transmission-cli flags=(complain) { include include - /usr/bin/transmission-cli mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists @@ -57,7 +57,7 @@ profile transmission-gtk /usr/bin/transmission-gtk flags=(complain,attach_discon include include - /usr/bin/transmission-gtk mr, + @{exec_path} mr, owner @{run}/user/*/dconf/user w, @@ -76,7 +76,7 @@ profile transmission-qt /usr/bin/transmission-qt flags=(complain) { include include - /usr/bin/transmission-qt mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vrrpd b/profiles/apparmor.d/vrrpd index 82f277ba4..e11ae072f 100644 --- a/profiles/apparmor.d/vrrpd +++ b/profiles/apparmor.d/vrrpd @@ -17,7 +17,7 @@ profile vrrpd /usr/lib/frr/vrrpd flags=(attach_disconnected) { include include - /usr/lib/frr/vrrpd mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/wpa_supplicant b/profiles/apparmor.d/wpa_supplicant index 10640d924..4cad16294 100644 --- a/profiles/apparmor.d/wpa_supplicant +++ b/profiles/apparmor.d/wpa_supplicant @@ -113,7 +113,7 @@ profile wpa_supplicant /usr/sbin/wpa_supplicant { member={ReleaseName,RequestName} peer=(name=org.freedesktop.DBus), - /usr/sbin/wpa_supplicant mr, + @{exec_path} mr, owner /dev/rfkill r, owner /etc/group r, diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep index b37e3ff70..c6d069776 100644 --- a/profiles/apparmor.d/zgrep +++ b/profiles/apparmor.d/zgrep @@ -34,7 +34,7 @@ profile zgrep /usr/bin/{x,}zgrep { /usr/bin/zgrep Cx -> helper, /usr/bin/zstd Cx -> helper, owner /tmp/zgrep* rw, - /usr/bin/{x,}zgrep r, + @{exec_path} r, deny /etc/nsswitch.conf r, deny /etc/passwd r, diff --git a/profiles/apparmor.d/znc b/profiles/apparmor.d/znc index c33f0518d..4f670fd39 100644 
--- a/profiles/apparmor.d/znc +++ b/profiles/apparmor.d/znc @@ -13,7 +13,7 @@ profile znc /usr/bin/znc { network tcp, - /usr/bin/znc mr, + @{exec_path} mr, @{system_share_dirs}/znc/** r, diff --git a/profiles/apparmor/profiles/extras/firefox b/profiles/apparmor/profiles/extras/firefox index 507c627f7..8b7ba2bee 100644 --- a/profiles/apparmor/profiles/extras/firefox +++ b/profiles/apparmor/profiles/extras/firefox @@ -110,7 +110,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} { member=GetAll peer=(label=unconfined), - @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} mr, + @{exec_path} mr, # should maybe be in abstractions /etc/ r, diff --git a/profiles/apparmor/profiles/extras/usr.bin.acroread b/profiles/apparmor/profiles/extras/usr.bin.acroread index 5e449492a..44422fb53 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.acroread +++ b/profiles/apparmor/profiles/extras/usr.bin.acroread @@ -26,7 +26,7 @@ include capability dac_override, - /usr/X11R6/bin/acroread mr, + @{exec_path} mr, /{usr/,}bin/basename mixr, /{usr/,}bin/bash mix, diff --git a/profiles/apparmor/profiles/extras/usr.bin.svnserve b/profiles/apparmor/profiles/extras/usr.bin.svnserve index bc3baca3e..7f7eef0f6 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.svnserve +++ b/profiles/apparmor/profiles/extras/usr.bin.svnserve @@ -19,7 +19,7 @@ include # network service ;) capability net_bind_service, - /usr/bin/svnserve mr, + @{exec_path} mr, /srv/svn/*/conf/* r, /srv/svn/*/format r, diff --git a/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay b/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay index a7e27e6b6..894c6f77a 100644 --- a/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay +++ b/profiles/apparmor/profiles/extras/usr.lib.RealPlayer10.realplay 
@@ -41,7 +41,7 @@ include @{HOME}/ r, @{HOME}/.realplayerrc rw, - /usr/lib/RealPlayer10/realplay mr, + @{exec_path} mr, /usr/lib/RealPlayer10/** mr, /usr/lib/RealPlayer10/realplay.bin Pxr, /usr/lib/firefox/firefox.sh Pxr, diff --git a/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 b/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 index 6e74cac27..50ab6cda1 100644 --- a/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 +++ b/profiles/apparmor/profiles/extras/usr.lib.evolution-data-server.evolution-data-server-1.10 @@ -33,7 +33,7 @@ include /usr/lib/GConf/**.so mr, /usr/lib/GConf/2/gconfd-2 Pxr, /usr/lib64/GConf/2/gconfd-2 Pxr, - /usr/lib/evolution-data-server/evolution-data-server-1.10 mr, + @{exec_path} mr, /usr/lib/evolution-data-server/evolution-data-server-* rmix, /usr/lib/evolution-data-server*/extensions r, /usr/lib/evolution-data-server*/extensions/lib*.so r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd index 27c7c9a0a..1b4e023b5 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd +++ b/profiles/apparmor/profiles/extras/usr.sbin.in.fingerd @@ -19,7 +19,7 @@ include @{HOME}/.plan r, @{HOME}/.project r, - /usr/sbin/in.fingerd mr, + @{exec_path} mr, /usr/bin/finger mix, /var/log/lastlog r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.oidentd b/profiles/apparmor/profiles/extras/usr.sbin.oidentd index 174dfd9f7..c1ca2d4aa 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.oidentd +++ b/profiles/apparmor/profiles/extras/usr.sbin.oidentd @@ -21,7 +21,7 @@ include capability dac_override, capability dac_read_search, - /usr/sbin/oidentd mr, + @{exec_path} mr, /etc/oidentd.conf r, /etc/oidentd_masq.conf r, From 6e9ff1fa618c8b226b64f2ac6488c522d79be805 Mon Sep 17 00:00:00 2001 
From: John Johansen Date: Mon, 28 Apr 2025 13:17:49 -0700 Subject: [PATCH 3/6] profiles: update the rest of the profiles to use @{exec_path} 
Signed-off-by: John Johansen --- profiles/apparmor.d/1password | 1 + profiles/apparmor.d/Discord | 1 + profiles/apparmor.d/MongoDB_Compass | 1 + profiles/apparmor.d/QtWebEngineProcess | 1 + profiles/apparmor.d/Xorg | 2 +- profiles/apparmor.d/balena-etcher | 1 + profiles/apparmor.d/brave | 1 + profiles/apparmor.d/buildah | 1 + profiles/apparmor.d/busybox | 1 + profiles/apparmor.d/cam | 1 + profiles/apparmor.d/ch-checkns | 1 + profiles/apparmor.d/ch-run | 1 + profiles/apparmor.d/chrome | 1 + profiles/apparmor.d/chromium | 1 + profiles/apparmor.d/code | 1 + profiles/apparmor.d/crun | 1 + profiles/apparmor.d/devhelp | 1 + profiles/apparmor.d/element-desktop | 1 + profiles/apparmor.d/epiphany | 1 + profiles/apparmor.d/evolution | 1 + profiles/apparmor.d/firefox | 2 ++ profiles/apparmor.d/flatpak | 1 + profiles/apparmor.d/foliate | 1 + profiles/apparmor.d/fusermount3 | 2 +- profiles/apparmor.d/geary | 1 + profiles/apparmor.d/github-desktop | 1 + profiles/apparmor.d/goldendict | 1 + profiles/apparmor.d/iotop-c | 2 +- profiles/apparmor.d/ipa_verify | 3 +++ profiles/apparmor.d/kchmviewer | 1 + profiles/apparmor.d/keybase | 1 + profiles/apparmor.d/lc-compliance | 1 + profiles/apparmor.d/ldpd | 2 +- profiles/apparmor.d/libcamerify | 1 + profiles/apparmor.d/linux-sandbox | 1 + profiles/apparmor.d/loupe | 1 + profiles/apparmor.d/lsb_release | 1 - profiles/apparmor.d/lsblk | 2 +- profiles/apparmor.d/lxc-attach | 1 + profiles/apparmor.d/lxc-create | 1 + profiles/apparmor.d/lxc-destroy | 1 + profiles/apparmor.d/lxc-execute | 1 + profiles/apparmor.d/lxc-stop | 1 + profiles/apparmor.d/lxc-unshare | 1 + profiles/apparmor.d/lxc-usernsexec | 1 + profiles/apparmor.d/mmdebstrap | 1 + profiles/apparmor.d/msedge | 1 + profiles/apparmor.d/nautilus | 1 + profiles/apparmor.d/notepadqq | 1 + profiles/apparmor.d/nvidia_modprobe | 2 -- profiles/apparmor.d/obsidian | 1 + profiles/apparmor.d/opam | 1 + profiles/apparmor.d/opera | 1 + profiles/apparmor.d/pageedit | 1 + profiles/apparmor.d/php-fpm | 
2 +- profiles/apparmor.d/plasmashell | 1 + profiles/apparmor.d/podman | 1 + profiles/apparmor.d/polypane | 1 + profiles/apparmor.d/privacybrowser | 1 + profiles/apparmor.d/qcam | 1 + profiles/apparmor.d/qmapshack | 1 + profiles/apparmor.d/qutebrowser | 1 + profiles/apparmor.d/remmina | 2 +- profiles/apparmor.d/rootlesskit | 1 + profiles/apparmor.d/rpm | 1 + profiles/apparmor.d/rssguard | 1 + profiles/apparmor.d/runc | 1 + profiles/apparmor.d/rygel | 2 +- profiles/apparmor.d/samba-bgqd | 2 +- profiles/apparmor.d/samba-dcerpcd | 2 +- profiles/apparmor.d/samba-rpcd | 2 +- profiles/apparmor.d/samba-rpcd-classic | 2 +- profiles/apparmor.d/samba-rpcd-spoolss | 2 +- profiles/apparmor.d/sbin.klogd | 2 +- profiles/apparmor.d/sbin.syslog-ng | 2 +- profiles/apparmor.d/sbin.syslogd | 2 +- profiles/apparmor.d/sbuild | 3 ++- profiles/apparmor.d/sbuild-abort | 3 ++- profiles/apparmor.d/sbuild-adduser | 3 ++- profiles/apparmor.d/sbuild-apt | 3 ++- profiles/apparmor.d/sbuild-checkpackages | 3 ++- profiles/apparmor.d/sbuild-clean | 3 ++- profiles/apparmor.d/sbuild-createchroot | 3 ++- profiles/apparmor.d/sbuild-destroychroot | 3 ++- profiles/apparmor.d/sbuild-distupgrade | 3 ++- profiles/apparmor.d/sbuild-hold | 3 ++- profiles/apparmor.d/sbuild-shell | 3 ++- profiles/apparmor.d/sbuild-unhold | 3 ++- profiles/apparmor.d/sbuild-update | 3 ++- profiles/apparmor.d/sbuild-upgrade | 3 ++- profiles/apparmor.d/scide | 1 + profiles/apparmor.d/signal-desktop | 1 + profiles/apparmor.d/slack | 1 + profiles/apparmor.d/slirp4netns | 1 + profiles/apparmor.d/steam | 1 + profiles/apparmor.d/stress-ng | 1 + profiles/apparmor.d/surfshark | 1 + profiles/apparmor.d/systemd-coredump | 1 + profiles/apparmor.d/tar | 1 + profiles/apparmor.d/thunderbird | 1 + profiles/apparmor.d/tinyproxy | 2 +- profiles/apparmor.d/trinity | 1 + profiles/apparmor.d/tshark | 2 +- profiles/apparmor.d/tup | 1 + profiles/apparmor.d/tuxedo-control-center | 1 + profiles/apparmor.d/unix-chkpwd | 2 +- 
profiles/apparmor.d/userbindmount | 1 + profiles/apparmor.d/usr.bin.hwctl | 6 ++++-- profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 | 1 + profiles/apparmor.d/usr.lib.dovecot.anvil | 2 +- profiles/apparmor.d/usr.lib.dovecot.auth | 2 +- profiles/apparmor.d/usr.lib.dovecot.config | 2 +- profiles/apparmor.d/usr.lib.dovecot.deliver | 2 +- profiles/apparmor.d/usr.lib.dovecot.dict | 2 +- profiles/apparmor.d/usr.lib.dovecot.director | 2 +- profiles/apparmor.d/usr.lib.dovecot.doveadm-server | 2 +- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth | 2 +- profiles/apparmor.d/usr.lib.dovecot.dovecot-lda | 2 +- profiles/apparmor.d/usr.lib.dovecot.imap | 2 +- profiles/apparmor.d/usr.lib.dovecot.imap-login | 2 +- profiles/apparmor.d/usr.lib.dovecot.lmtp | 2 +- profiles/apparmor.d/usr.lib.dovecot.log | 2 +- profiles/apparmor.d/usr.lib.dovecot.managesieve | 2 +- profiles/apparmor.d/usr.lib.dovecot.managesieve-login | 2 +- profiles/apparmor.d/usr.lib.dovecot.pop3 | 4 ++-- profiles/apparmor.d/usr.lib.dovecot.pop3-login | 2 +- profiles/apparmor.d/usr.lib.dovecot.replicator | 2 +- profiles/apparmor.d/usr.lib.dovecot.script-login | 2 +- profiles/apparmor.d/usr.lib.dovecot.ssl-params | 2 +- profiles/apparmor.d/usr.lib.dovecot.stats | 2 +- profiles/apparmor.d/usr.sbin.apache2 | 1 + profiles/apparmor.d/usr.sbin.avahi-daemon | 2 +- profiles/apparmor.d/usr.sbin.dnsmasq | 2 +- profiles/apparmor.d/usr.sbin.dovecot | 2 +- profiles/apparmor.d/usr.sbin.identd | 2 +- profiles/apparmor.d/usr.sbin.mdnsd | 2 +- profiles/apparmor.d/usr.sbin.nmbd | 2 +- profiles/apparmor.d/usr.sbin.nscd | 2 +- profiles/apparmor.d/usr.sbin.ntpd | 2 +- profiles/apparmor.d/usr.sbin.smbd | 2 +- profiles/apparmor.d/usr.sbin.smbldap-useradd | 2 +- profiles/apparmor.d/usr.sbin.traceroute | 2 +- profiles/apparmor.d/usr.sbin.winbindd | 2 +- profiles/apparmor.d/uwsgi-core | 1 + profiles/apparmor.d/vdens | 1 + profiles/apparmor.d/virtiofsd | 1 + profiles/apparmor.d/vivaldi-bin | 1 + profiles/apparmor.d/vpnns | 1 + 
profiles/apparmor.d/wg | 2 +- profiles/apparmor.d/wg-quick | 2 +- profiles/apparmor.d/wike | 1 + profiles/apparmor.d/wpcom | 1 + profiles/apparmor/profiles/extras/bin.netstat | 3 ++- profiles/apparmor/profiles/extras/chromium_browser | 2 +- profiles/apparmor/profiles/extras/etc.cron.daily.logrotate | 2 +- .../apparmor/profiles/extras/etc.cron.daily.slocate.cron | 2 +- profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch | 2 +- profiles/apparmor/profiles/extras/firefox.sh | 2 +- profiles/apparmor/profiles/extras/postfix-anvil | 2 +- profiles/apparmor/profiles/extras/postfix-bounce | 2 +- profiles/apparmor/profiles/extras/postfix-cleanup | 2 +- profiles/apparmor/profiles/extras/postfix-discard | 2 +- profiles/apparmor/profiles/extras/postfix-dnsblog | 2 +- profiles/apparmor/profiles/extras/postfix-error | 2 +- profiles/apparmor/profiles/extras/postfix-flush | 2 +- profiles/apparmor/profiles/extras/postfix-lmtp | 2 +- profiles/apparmor/profiles/extras/postfix-local | 2 +- profiles/apparmor/profiles/extras/postfix-master | 2 +- profiles/apparmor/profiles/extras/postfix-nqmgr | 2 +- profiles/apparmor/profiles/extras/postfix-oqmgr | 2 +- profiles/apparmor/profiles/extras/postfix-pickup | 2 +- profiles/apparmor/profiles/extras/postfix-pipe | 2 +- profiles/apparmor/profiles/extras/postfix-postscreen | 2 +- profiles/apparmor/profiles/extras/postfix-proxymap | 2 +- profiles/apparmor/profiles/extras/postfix-qmgr | 2 +- profiles/apparmor/profiles/extras/postfix-qmqpd | 2 +- profiles/apparmor/profiles/extras/postfix-scache | 2 +- profiles/apparmor/profiles/extras/postfix-showq | 2 +- profiles/apparmor/profiles/extras/postfix-smtp | 2 +- profiles/apparmor/profiles/extras/postfix-smtpd | 2 +- profiles/apparmor/profiles/extras/postfix-spawn | 2 +- profiles/apparmor/profiles/extras/postfix-tlsmgr | 2 +- profiles/apparmor/profiles/extras/postfix-tlsproxy | 2 +- profiles/apparmor/profiles/extras/postfix-trivial-rewrite | 2 +- profiles/apparmor/profiles/extras/postfix-verify | 2 
+- profiles/apparmor/profiles/extras/postfix-virtual | 2 +- profiles/apparmor/profiles/extras/rpcbind | 2 +- profiles/apparmor/profiles/extras/sbin.dhclient | 2 +- profiles/apparmor/profiles/extras/sbin.dhclient-script | 2 +- profiles/apparmor/profiles/extras/sbin.dhcpcd | 2 +- profiles/apparmor/profiles/extras/sbin.portmap | 2 +- profiles/apparmor/profiles/extras/sbin.resmgrd | 2 +- profiles/apparmor/profiles/extras/sbin.rpc.lockd | 2 +- profiles/apparmor/profiles/extras/sbin.rpc.statd | 2 +- profiles/apparmor/profiles/extras/socat | 2 +- profiles/apparmor/profiles/extras/usr.NX.bin.nxclient | 2 +- profiles/apparmor/profiles/extras/usr.bin.apropos | 2 +- profiles/apparmor/profiles/extras/usr.bin.dumpcap | 2 +- profiles/apparmor/profiles/extras/usr.bin.evolution-2.10 | 2 +- profiles/apparmor/profiles/extras/usr.bin.fam | 2 +- profiles/apparmor/profiles/extras/usr.bin.freshclam | 3 ++- profiles/apparmor/profiles/extras/usr.bin.gaim | 2 +- profiles/apparmor/profiles/extras/usr.bin.man | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-process | 3 ++- profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-send | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub | 2 +- profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub | 2 +- profiles/apparmor/profiles/extras/usr.bin.opera | 3 ++- profiles/apparmor/profiles/extras/usr.bin.passwd | 2 +- profiles/apparmor/profiles/extras/usr.bin.procmail | 2 +- profiles/apparmor/profiles/extras/usr.bin.pyzorsocket | 2 +- profiles/apparmor/profiles/extras/usr.bin.razorsocket | 2 +- profiles/apparmor/profiles/extras/usr.bin.skype | 2 +- profiles/apparmor/profiles/extras/usr.bin.spamc | 2 +- 
profiles/apparmor/profiles/extras/usr.bin.wireshark | 2 +- profiles/apparmor/profiles/extras/usr.bin.xfs | 2 +- profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2 | 2 +- .../profiles/extras/usr.lib.bonobo.bonobo-activation-server | 2 +- .../profiles/extras/usr.lib.firefox.mozilla-xremote-client | 2 +- profiles/apparmor/profiles/extras/usr.lib.man-db.man | 2 +- .../apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2 | 2 +- profiles/apparmor/profiles/extras/usr.sbin.clamd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.cupsd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.dhcpd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.haproxy | 2 +- profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +- profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.in.ftpd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +- profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +- profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.mysqld | 2 +- profiles/apparmor/profiles/extras/usr.sbin.popper | 2 +- profiles/apparmor/profiles/extras/usr.sbin.postalias | 2 +- profiles/apparmor/profiles/extras/usr.sbin.postdrop | 2 +- profiles/apparmor/profiles/extras/usr.sbin.postmap | 2 +- profiles/apparmor/profiles/extras/usr.sbin.postqueue | 2 +- profiles/apparmor/profiles/extras/usr.sbin.sendmail | 6 +++--- profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix | 2 +- .../apparmor/profiles/extras/usr.sbin.sendmail.sendmail | 2 +- profiles/apparmor/profiles/extras/usr.sbin.spamd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.squid | 2 +- profiles/apparmor/profiles/extras/usr.sbin.sshd | 2 +- profiles/apparmor/profiles/extras/usr.sbin.useradd | 4 ++-- profiles/apparmor/profiles/extras/usr.sbin.userdel | 6 +++--- profiles/apparmor/profiles/extras/usr.sbin.vsftpd | 2 +- 
profiles/apparmor/profiles/extras/usr.sbin.xinetd | 2 +- 253 files changed, 281 insertions(+), 180 deletions(-) diff --git a/profiles/apparmor.d/1password b/profiles/apparmor.d/1password index 2cd14489d..0835f4adb 100644 --- a/profiles/apparmor.d/1password +++ b/profiles/apparmor.d/1password @@ -6,6 +6,7 @@ include profile 1password /opt/1Password/1password flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/Discord b/profiles/apparmor.d/Discord index 4e96b8fe7..835757c41 100644 --- a/profiles/apparmor.d/Discord +++ b/profiles/apparmor.d/Discord @@ -6,6 +6,7 @@ include profile Discord /usr/share/discord/Discord flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/MongoDB_Compass b/profiles/apparmor.d/MongoDB_Compass index 6c796ca62..c137c254d 100644 --- a/profiles/apparmor.d/MongoDB_Compass +++ b/profiles/apparmor.d/MongoDB_Compass @@ -6,6 +6,7 @@ include profile "MongoDB Compass" "/usr/lib/mongodb-compass/MongoDB Compass" flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/QtWebEngineProcess b/profiles/apparmor.d/QtWebEngineProcess index 65dec4807..39cb07911 100644 --- a/profiles/apparmor.d/QtWebEngineProcess +++ b/profiles/apparmor.d/QtWebEngineProcess @@ -6,6 +6,7 @@ include profile QtWebEngineProcess /usr/lib/@{multiarch}/qt{5,6}/libexec/QtWebEngineProcess flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/Xorg b/profiles/apparmor.d/Xorg index d3df23e8f..1230350f7 100644 --- a/profiles/apparmor.d/Xorg +++ b/profiles/apparmor.d/Xorg 
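Review bot: The `@{exec_path} mr,` added to profile 1password sits under `flags=(unconfined)`, and as far as I can tell a profile in unconfined mode does not enforce its file rules, so the new line grants nothing; the same applies to the Discord, MongoDB_Compass, QtWebEngineProcess, balena-etcher, brave, buildah, busybox and the other flags=(unconfined) hunks that follow. If the purpose is consistency across the tree, or preparation for confining these profiles later, stating that in the commit description would keep the next reader from reading it as a behavioural change, since the subject line alone does not say. A one-line comment above the rule, e.g. `# no effect while unconfined; kept so the profile matches the confined layout`, would carry the same information in the profile itself.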
@@ -58,7 +58,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) { /{,usr/}bin/{bash,dash,sh} ix, /usr/bin/xkbcomp ix, - @{exec_path) mr, + @{exec_path} mr, @{PROC}/cmdline r, @{PROC}/@{pid}/cmdline r, diff --git a/profiles/apparmor.d/balena-etcher b/profiles/apparmor.d/balena-etcher index 9a55bcd2f..e502c002d 100644 --- a/profiles/apparmor.d/balena-etcher +++ b/profiles/apparmor.d/balena-etcher @@ -6,6 +6,7 @@ include profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/brave b/profiles/apparmor.d/brave index 4aba1a312..8db3a94e7 100644 --- a/profiles/apparmor.d/brave +++ b/profiles/apparmor.d/brave @@ -6,6 +6,7 @@ include profile brave /opt/brave.com/brave/brave flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/buildah b/profiles/apparmor.d/buildah index 4281dc6c1..54f2fbeea 100644 --- a/profiles/apparmor.d/buildah +++ b/profiles/apparmor.d/buildah @@ -6,6 +6,7 @@ include profile buildah /usr/bin/buildah flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/busybox b/profiles/apparmor.d/busybox index d726ddf0a..bb40accd6 100644 --- a/profiles/apparmor.d/busybox +++ b/profiles/apparmor.d/busybox @@ -6,6 +6,7 @@ include profile busybox /usr/bin/busybox flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/cam b/profiles/apparmor.d/cam index d56c55a0c..b51d4efc5 100644 --- a/profiles/apparmor.d/cam +++ b/profiles/apparmor.d/cam 
@@ -6,6 +6,7 @@ include
profile cam /usr/bin/cam flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/ch-checkns b/profiles/apparmor.d/ch-checkns
index eafb55686..d6bf5cfe1 100644
--- a/profiles/apparmor.d/ch-checkns
+++ b/profiles/apparmor.d/ch-checkns
@@ -6,6 +6,7 @@ include
profile ch-checkns /usr/bin/ch-checkns flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/ch-run b/profiles/apparmor.d/ch-run
index 2d20b4391..b2afd9b1a 100644
--- a/profiles/apparmor.d/ch-run
+++ b/profiles/apparmor.d/ch-run
@@ -6,6 +6,7 @@ include
profile ch-run /usr/bin/ch-run flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/chrome b/profiles/apparmor.d/chrome
index 085c19897..09805a3f5 100644
--- a/profiles/apparmor.d/chrome
+++ b/profiles/apparmor.d/chrome
@@ -6,6 +6,7 @@ include
profile chrome /opt/google/chrome/chrome flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/chromium b/profiles/apparmor.d/chromium
index 61132bb81..e0f25b2b0 100644
--- a/profiles/apparmor.d/chromium
+++ b/profiles/apparmor.d/chromium
@@ -8,6 +8,7 @@ include
profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/code b/profiles/apparmor.d/code
index d99054451..55e08f4ab 100644
--- a/profiles/apparmor.d/code
+++ b/profiles/apparmor.d/code
@@ -6,6 +6,7 @@ include
profile vscode /usr/share/code{/bin,}/code flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/crun b/profiles/apparmor.d/crun
index 04c9f4fdc..f0240ee71 100644
--- a/profiles/apparmor.d/crun
+++ b/profiles/apparmor.d/crun
@@ -6,6 +6,7 @@ include
profile crun /usr/bin/crun flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/devhelp b/profiles/apparmor.d/devhelp
index ed7891a13..901820daf 100644
--- a/profiles/apparmor.d/devhelp
+++ b/profiles/apparmor.d/devhelp
@@ -6,6 +6,7 @@ include
profile devhelp /usr/bin/devhelp flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/element-desktop b/profiles/apparmor.d/element-desktop
index 937a5b007..9ac946cd1 100644
--- a/profiles/apparmor.d/element-desktop
+++ b/profiles/apparmor.d/element-desktop
@@ -6,6 +6,7 @@ include
profile element-desktop /opt/Element/element-desktop flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/epiphany b/profiles/apparmor.d/epiphany
index 7a412d20f..c52950038 100644
--- a/profiles/apparmor.d/epiphany
+++ b/profiles/apparmor.d/epiphany
@@ -6,6 +6,7 @@ include
profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/evolution b/profiles/apparmor.d/evolution
index 48b842bfb..1b88d7d09 100644
--- a/profiles/apparmor.d/evolution
+++ b/profiles/apparmor.d/evolution
@@ -6,6 +6,7 @@ include profile evolution /usr/bin/evolution flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/firefox b/profiles/apparmor.d/firefox index 4071c3453..d32eaa4dc 100644 --- a/profiles/apparmor.d/firefox +++ b/profiles/apparmor.d/firefox @@ -7,6 +7,8 @@ include profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) { userns, + @{exec_path} mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/flatpak b/profiles/apparmor.d/flatpak index 846978470..1c439deda 100644 --- a/profiles/apparmor.d/flatpak +++ b/profiles/apparmor.d/flatpak @@ -6,6 +6,7 @@ include profile flatpak /usr/bin/flatpak flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/foliate b/profiles/apparmor.d/foliate index efc3af14f..5b769b2e7 100644 --- a/profiles/apparmor.d/foliate +++ b/profiles/apparmor.d/foliate @@ -6,6 +6,7 @@ include profile foliate /usr/bin/foliate flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/fusermount3 b/profiles/apparmor.d/fusermount3 index f159a1b31..39c99eced 100644 --- a/profiles/apparmor.d/fusermount3 +++ b/profiles/apparmor.d/fusermount3 @@ -36,7 +36,7 @@ profile fusermount3 /usr/bin/fusermount3 { @{etc_ro}/fuse.conf r, @{PROC}/@{pid}/mounts r, - /usr/bin/fusermount3 mr, + @{exec_path} mr, include if exists } diff --git a/profiles/apparmor.d/geary b/profiles/apparmor.d/geary index 6e65176ce..05cc1d314 100644 --- a/profiles/apparmor.d/geary +++ b/profiles/apparmor.d/geary 
@@ -6,6 +6,7 @@ include
profile geary /usr/bin/geary flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/github-desktop b/profiles/apparmor.d/github-desktop
index d2c090874..da86c2070 100644
--- a/profiles/apparmor.d/github-desktop
+++ b/profiles/apparmor.d/github-desktop
@@ -6,6 +6,7 @@ include
profile github-desktop /usr/lib/github-desktop/github-desktop flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/goldendict b/profiles/apparmor.d/goldendict
index bb81eb914..40fe352a6 100644
--- a/profiles/apparmor.d/goldendict
+++ b/profiles/apparmor.d/goldendict
@@ -6,6 +6,7 @@ include
profile goldendict /usr/bin/goldendict flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/iotop-c b/profiles/apparmor.d/iotop-c
index f02fbc7a6..343a29f27 100644
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@@ -15,7 +15,7 @@ profile iotop-c /usr/sbin/iotop-c {
/proc/*/cmdline r,
/proc/*/task/ r,
- /usr/sbin/iotop-c mr,
+ @{exec_path} mr,
/proc/ r,
/proc/sys/kernel/task_delayacct rw,
/proc/vmstat r,
diff --git a/profiles/apparmor.d/ipa_verify b/profiles/apparmor.d/ipa_verify
index f2a90bade..0b12f98da 100644
--- a/profiles/apparmor.d/ipa_verify
+++ b/profiles/apparmor.d/ipa_verify
@@ -3,6 +3,9 @@ abi ,
include
@{arg1}=/**/*.so
+profile ipa_verify /usr/bin/ipa_verify flags=(unconfined) {
+ userns,
+ @{exec_path} mr,
profile ipa_verify /usr/bin/ipa_verify {
include
diff --git a/profiles/apparmor.d/kchmviewer b/profiles/apparmor.d/kchmviewer
index a604d90a8..978d6c616 100644
--- a/profiles/apparmor.d/kchmviewer
+++ b/profiles/apparmor.d/kchmviewer
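Review bot: The ipa_verify hunk inserts a second header `profile ipa_verify /usr/bin/ipa_verify flags=(unconfined) {` plus `userns,` and `@{exec_path} mr,` directly above the existing `profile ipa_verify /usr/bin/ipa_verify {`, leaving two same-named profile declarations and an unbalanced opening brace; this reads like the unconfined template pasted into the wrong file. If the parser accepted it, the previously confined ipa_verify profile would become unconfined and gain userns, a widening the commit message does not mention. The three added lines should be dropped, and `@{exec_path} mr,` placed inside the existing profile body if it is wanted. The remainder of that body lies outside the hunk.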
@@ -6,6 +6,7 @@ include
profile kchmviewer /usr/bin/kchmviewer flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/keybase b/profiles/apparmor.d/keybase
index 1cd646d66..e84803909 100644
--- a/profiles/apparmor.d/keybase
+++ b/profiles/apparmor.d/keybase
@@ -6,6 +6,7 @@ include
profile keybase /opt/keybase/Keybase flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lc-compliance b/profiles/apparmor.d/lc-compliance
index e7eb13ae0..774b98924 100644
--- a/profiles/apparmor.d/lc-compliance
+++ b/profiles/apparmor.d/lc-compliance
@@ -6,6 +6,7 @@ include
profile lc-compliance /usr/bin/lc-compliance flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/ldpd b/profiles/apparmor.d/ldpd
index 7e169322b..66229cbbd 100644
--- a/profiles/apparmor.d/ldpd
+++ b/profiles/apparmor.d/ldpd
@@ -18,7 +18,7 @@ profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) {
include
include
- /usr/lib/frr/ldpd ix,
+ @{exec_path} mrix,
@{run}/frr/ldpd.sock rw,
# Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/libcamerify b/profiles/apparmor.d/libcamerify
index 3751b941c..704d80756 100644
--- a/profiles/apparmor.d/libcamerify
+++ b/profiles/apparmor.d/libcamerify
@@ -6,6 +6,7 @@ include
profile libcamerify /usr/bin/libcamerify flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/linux-sandbox b/profiles/apparmor.d/linux-sandbox
index 94f365a00..e88937af1 100644
--- a/profiles/apparmor.d/linux-sandbox
+++ b/profiles/apparmor.d/linux-sandbox
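Review bot: For ldpd the replacement `@{exec_path} mrix,` grants `m` and `r` where the removed `/usr/lib/frr/ldpd ix,` granted only `ix`, so this hunk is a small permission widening rather than a pure path substitution. It is plausibly intended, since the daemon has to map its own binary and the sbin.klogd and sbin.syslogd hunks on later lines go from `rmix` to `mrix` with no change in meaning, but it is the one confined profile in this series whose access set changes. A line in the commit message, or a comment such as `# mr added: daemon maps its own binary`, would record that the widening is deliberate. The ldpd body continues outside the hunk.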
@@ -6,6 +6,7 @@ include
profile linux-sandbox /usr/libexec/@{multiarch}/bazel/linux-sandbox flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/loupe b/profiles/apparmor.d/loupe
index f1beaac75..3f8266889 100644
--- a/profiles/apparmor.d/loupe
+++ b/profiles/apparmor.d/loupe
@@ -6,6 +6,7 @@ include
profile loupe /usr/bin/loupe flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lsb_release b/profiles/apparmor.d/lsb_release
index 3f4091804..6e515cd7d 100644
--- a/profiles/apparmor.d/lsb_release
+++ b/profiles/apparmor.d/lsb_release
@@ -18,7 +18,6 @@ profile lsb_release {
/dev/tty rw,
- /usr/bin/lsb_release r,
/usr/bin/python3.{1,}[0-9] mr,
/etc/debian_version r,
diff --git a/profiles/apparmor.d/lsblk b/profiles/apparmor.d/lsblk
index 1b3524474..9878ded48 100644
--- a/profiles/apparmor.d/lsblk
+++ b/profiles/apparmor.d/lsblk
@@ -17,7 +17,7 @@ profile lsblk /usr/bin/lsblk {
include
include
- /usr/bin/lsblk mr,
+ @{exec_path} mr,
@{sys}/block/ r,
@{sys}/class/block/ r,
diff --git a/profiles/apparmor.d/lxc-attach b/profiles/apparmor.d/lxc-attach
index f3846106a..a0ad03453 100644
--- a/profiles/apparmor.d/lxc-attach
+++ b/profiles/apparmor.d/lxc-attach
@@ -6,6 +6,7 @@ include
profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lxc-create b/profiles/apparmor.d/lxc-create
index 44c5038a0..579826b7c 100644
--- a/profiles/apparmor.d/lxc-create
+++ b/profiles/apparmor.d/lxc-create
@@ -6,6 +6,7 @@ include
profile lxc-create /usr/bin/lxc-create flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lxc-destroy b/profiles/apparmor.d/lxc-destroy
index 862b946fd..831fa9d2e 100644
--- a/profiles/apparmor.d/lxc-destroy
+++ b/profiles/apparmor.d/lxc-destroy
@@ -6,6 +6,7 @@ include
profile lxc-destroy /usr/bin/lxc-destroy flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lxc-execute b/profiles/apparmor.d/lxc-execute
index 8629fa4da..9c8056ac7 100644
--- a/profiles/apparmor.d/lxc-execute
+++ b/profiles/apparmor.d/lxc-execute
@@ -6,6 +6,7 @@ include
profile lxc-execute /usr/bin/lxc-execute flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lxc-stop b/profiles/apparmor.d/lxc-stop
index cb769df3e..65c762396 100644
--- a/profiles/apparmor.d/lxc-stop
+++ b/profiles/apparmor.d/lxc-stop
@@ -6,6 +6,7 @@ include
profile lxc-stop /usr/bin/lxc-stop flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lxc-unshare b/profiles/apparmor.d/lxc-unshare
index 36ca0ea91..8d17ed842 100644
--- a/profiles/apparmor.d/lxc-unshare
+++ b/profiles/apparmor.d/lxc-unshare
@@ -6,6 +6,7 @@ include
profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/lxc-usernsexec b/profiles/apparmor.d/lxc-usernsexec
index 4295abcc7..f826e0f07 100644
--- a/profiles/apparmor.d/lxc-usernsexec
+++ b/profiles/apparmor.d/lxc-usernsexec
@@ -6,6 +6,7 @@ include
profile lxc-usernsexec /usr/bin/lxc-usernsexec flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/mmdebstrap b/profiles/apparmor.d/mmdebstrap index d7fea3c28..ddb97a317 100644 --- a/profiles/apparmor.d/mmdebstrap +++ b/profiles/apparmor.d/mmdebstrap @@ -6,6 +6,7 @@ include profile mmdebstrap /usr/bin/mmdebstrap flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/msedge b/profiles/apparmor.d/msedge index 0e3a1b336..a02b82599 100644 --- a/profiles/apparmor.d/msedge +++ b/profiles/apparmor.d/msedge @@ -6,6 +6,7 @@ include profile msedge /opt/microsoft/msedge/msedge flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/nautilus b/profiles/apparmor.d/nautilus index d4031a0ea..c488cd7fd 100644 --- a/profiles/apparmor.d/nautilus +++ b/profiles/apparmor.d/nautilus @@ -6,6 +6,7 @@ include profile nautilus /usr/bin/nautilus flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/notepadqq b/profiles/apparmor.d/notepadqq index e1d4160ed..0586aef2b 100644 --- a/profiles/apparmor.d/notepadqq +++ b/profiles/apparmor.d/notepadqq @@ -6,6 +6,7 @@ include profile notepadqq /{{usr/bin,etc/alternatives}/notepadqq,usr/lib/notepadqq/notepadqq.sh} flags=(unconfined) { userns, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/nvidia_modprobe b/profiles/apparmor.d/nvidia_modprobe index ccf5300d6..6ba5eb3fa 100644 --- a/profiles/apparmor.d/nvidia_modprobe +++ b/profiles/apparmor.d/nvidia_modprobe @@ -16,8 +16,6 @@ profile nvidia_modprobe { # Main executable - /usr/bin/nvidia-modprobe mr, - # Other executables /usr/bin/kmod Cx -> kmod, 
diff --git a/profiles/apparmor.d/obsidian b/profiles/apparmor.d/obsidian
index 3d6ef7f44..9d9e5a520 100644
--- a/profiles/apparmor.d/obsidian
+++ b/profiles/apparmor.d/obsidian
@@ -6,6 +6,7 @@ include
profile obsidian /opt/Obsidian/obsidian flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/opam b/profiles/apparmor.d/opam
index b0cd7a661..ebe6b4a08 100644
--- a/profiles/apparmor.d/opam
+++ b/profiles/apparmor.d/opam
@@ -6,6 +6,7 @@ include
profile opam /usr/bin/opam flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/opera b/profiles/apparmor.d/opera
index cbf88c661..ee179af8c 100644
--- a/profiles/apparmor.d/opera
+++ b/profiles/apparmor.d/opera
@@ -6,6 +6,7 @@ include
profile opera /usr/lib/@{multiarch}/opera/opera flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/pageedit b/profiles/apparmor.d/pageedit
index baa0da7b4..b52eea705 100644
--- a/profiles/apparmor.d/pageedit
+++ b/profiles/apparmor.d/pageedit
@@ -6,6 +6,7 @@ include
profile pageedit /usr/bin/pageedit flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
index 29dd205d7..f100e1e38 100644
--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
@@ -40,7 +40,7 @@ profile php-fpm /usr/{bin,sbin}/php-fpm* flags=(attach_disconnected) {
owner @{run}/systemd/notify w,
# to reload
- /usr/{bin,sbin}/php-fpm* rix,
+ @{exec_path} rix,
# no idea why php tries to open / read/write
deny / rw,
diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell
index 6b1616d97..ea663d67e 100644
--- a/profiles/apparmor.d/plasmashell
+++ b/profiles/apparmor.d/plasmashell
@@ -26,6 +26,7 @@ profile plasmashell /usr/bin/plasmashell {
/** pux,
/{,**} mrwlk,
+ @{exec_path} mr,
profile QtWebEngineProcess {
capability,
diff --git a/profiles/apparmor.d/podman b/profiles/apparmor.d/podman
index 54e29e220..a12d1d383 100644
--- a/profiles/apparmor.d/podman
+++ b/profiles/apparmor.d/podman
@@ -6,6 +6,7 @@ include
profile podman /usr/bin/podman flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/polypane b/profiles/apparmor.d/polypane
index ebe60e04d..f985214ad 100644
--- a/profiles/apparmor.d/polypane
+++ b/profiles/apparmor.d/polypane
@@ -6,6 +6,7 @@ include
profile polypane /opt/Polypane/polypane flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/privacybrowser b/profiles/apparmor.d/privacybrowser
index ee010b7a2..726e7e632 100644
--- a/profiles/apparmor.d/privacybrowser
+++ b/profiles/apparmor.d/privacybrowser
@@ -6,6 +6,7 @@ include
profile privacybrowser /usr/bin/privacybrowser flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/qcam b/profiles/apparmor.d/qcam
index 5da2f7bdd..c9f818265 100644
--- a/profiles/apparmor.d/qcam
+++ b/profiles/apparmor.d/qcam
@@ -6,6 +6,7 @@ include
profile qcam /usr/bin/qcam flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/qmapshack b/profiles/apparmor.d/qmapshack
index 20ffad169..71838ba58 100644
--- a/profiles/apparmor.d/qmapshack
+++ b/profiles/apparmor.d/qmapshack
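Review bot: The new `@{exec_path} mr,` in plasmashell sits directly under `/{,**} mrwlk,`, which already matches every path with a superset of those permissions, so the added rule grants no access the profile did not have. If it is kept for uniformity with the other profiles in this series, a one-line comment such as `# covered by /{,**} above; kept so the executable rule is explicit` would save the next reader from hunting for the difference. The plasmashell body begins before and ends after the hunk.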
@@ -6,6 +6,7 @@ include
profile qmapshack /usr/bin/qmapshack flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/qutebrowser b/profiles/apparmor.d/qutebrowser
index bc92a9910..43f4d7de9 100644
--- a/profiles/apparmor.d/qutebrowser
+++ b/profiles/apparmor.d/qutebrowser
@@ -6,6 +6,7 @@ include
profile qutebrowser /usr/bin/qutebrowser flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/remmina b/profiles/apparmor.d/remmina
index 621620268..f070d7f38 100644
--- a/profiles/apparmor.d/remmina
+++ b/profiles/apparmor.d/remmina
@@ -49,7 +49,7 @@ profile remmina /usr/bin/remmina {
dbus (send) bus=system path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member=RegisterStatusNotifierItem peer=(label=@{StatusNotifierWatcher}),
@{etc_ro}/fstab r,
- /usr/bin/remmina mr,
+ @{exec_path} mr,
/usr/share/remmina/{,**} r,
/var/lib/snapd/desktop/icons/{,**} r,
/etc/debian_version r,
diff --git a/profiles/apparmor.d/rootlesskit b/profiles/apparmor.d/rootlesskit
index d5f4ac963..5aa9e6e52 100644
--- a/profiles/apparmor.d/rootlesskit
+++ b/profiles/apparmor.d/rootlesskit
@@ -6,6 +6,7 @@ include
profile rootlesskit /usr/bin/rootlesskit flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/rpm b/profiles/apparmor.d/rpm
index 04c95a629..6cef21c07 100644
--- a/profiles/apparmor.d/rpm
+++ b/profiles/apparmor.d/rpm
@@ -6,6 +6,7 @@ include
profile rpm /usr/bin/rpm flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/rssguard b/profiles/apparmor.d/rssguard
index 33b7d338e..b84604fa8 100644
--- a/profiles/apparmor.d/rssguard
+++ b/profiles/apparmor.d/rssguard
@@ -6,6 +6,7 @@ include
profile rssguard /usr/bin/rssguard flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/runc b/profiles/apparmor.d/runc
index d42549503..cb009d4ae 100644
--- a/profiles/apparmor.d/runc
+++ b/profiles/apparmor.d/runc
@@ -6,6 +6,7 @@ include
profile runc /usr/{bin,sbin}/runc flags=(unconfined) {
userns,
+ @{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor.d/rygel b/profiles/apparmor.d/rygel
index c19dc33ef..fed258c98 100644
--- a/profiles/apparmor.d/rygel
+++ b/profiles/apparmor.d/rygel
@@ -32,7 +32,7 @@ profile rygel /usr/bin/rygel {
file r @{etc_ro}/rygel.conf,
- file mr /usr/bin/rygel,
+ file mr @{exec_path},
file Cx /usr/libexec/rygel/mx-extract -> mx-extract,
diff --git a/profiles/apparmor.d/samba-bgqd b/profiles/apparmor.d/samba-bgqd
index 81d4953cd..cb77a7ca2 100644
--- a/profiles/apparmor.d/samba-bgqd
+++ b/profiles/apparmor.d/samba-bgqd
@@ -15,7 +15,7 @@ profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
@{run}/{,samba/}samba-bgqd.pid rwk,
- /usr/lib*/samba/{,samba/}samba-bgqd mr,
+ @{exec_path} mr,
/var/cache/samba/printing/*.tdb rwk,
# Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/samba-dcerpcd b/profiles/apparmor.d/samba-dcerpcd
index d16827666..02bc06a8a 100644
--- a/profiles/apparmor.d/samba-dcerpcd
+++ b/profiles/apparmor.d/samba-dcerpcd
@@ -20,7 +20,7 @@ profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
@{run}/{,samba/}samba-dcerpcd.pid rwk,
- /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
+ @{exec_path} mr,
/usr/lib*/samba/ r,
/usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd,
diff --git a/profiles/apparmor.d/samba-rpcd b/profiles/apparmor.d/samba-rpcd
index 22d79129e..f1864f4c0 100644
--- a/profiles/apparmor.d/samba-rpcd
+++ b/profiles/apparmor.d/samba-rpcd
@@ -18,7 +18,7 @@ profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,
capability sys_resource,
- /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr,
+ @{exec_path} mr,
@{run}/samba/ncalrpc/np/lsarpc wr,
@{run}/samba/ncalrpc/np/mdssvc wr,
diff --git a/profiles/apparmor.d/samba-rpcd-classic b/profiles/apparmor.d/samba-rpcd-classic
index 3943aa98b..c7beb2f90 100644
--- a/profiles/apparmor.d/samba-rpcd-classic
+++ b/profiles/apparmor.d/samba-rpcd-classic
@@ -19,7 +19,7 @@ profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
capability sys_resource,
- /usr/lib*/samba/{,samba/}rpcd_classic mr,
+ @{exec_path} mr,
@{run}/samba/ncalrpc/np/srvsvc wr,
@{run}/samba/ncalrpc/np/winreg wr,
diff --git a/profiles/apparmor.d/samba-rpcd-spoolss b/profiles/apparmor.d/samba-rpcd-spoolss
index 215e85abd..760975866 100644
--- a/profiles/apparmor.d/samba-rpcd-spoolss
+++ b/profiles/apparmor.d/samba-rpcd-spoolss
@@ -16,7 +16,7 @@ include
profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
include
- /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
+ @{exec_path} mr,
/usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
/var/cache/samba/printing/ w,
/var/cache/samba/printing/*.tdb rwk,
diff --git a/profiles/apparmor.d/sbin.klogd b/profiles/apparmor.d/sbin.klogd
index 918a38e52..38bf69334 100644
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@@ -26,7 +26,7 @@ profile klogd /{usr/,}{bin,sbin}/klogd {
@{PROC}/kallsyms r,
/dev/tty rw,
- /{usr/,}{bin,sbin}/klogd rmix,
+ @{exec_path} mrix,
/var/log/boot.msg rwl,
@{run}/klogd.pid krwl,
@{run}/klogd/klogd.pid krwl,
diff --git a/profiles/apparmor.d/sbin.syslog-ng b/profiles/apparmor.d/sbin.syslog-ng
index 4936fadd1..bfe0dbe59 100644
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -47,7 +47,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
/etc/syslog-ng/conf.d/ r,
/etc/syslog-ng/conf.d/* r,
@{PROC}/kmsg r,
- /{usr/,}{bin,sbin}/syslog-ng mr,
+ @{exec_path} mr,
@{sys}/devices/system/cpu/online r,
/usr/share/syslog-ng/** r,
/var/lib/syslog-ng/syslog-ng-?????.qf rw,
diff --git a/profiles/apparmor.d/sbin.syslogd b/profiles/apparmor.d/sbin.syslogd
index 847c0c1a6..e1de1af29 100644
--- a/profiles/apparmor.d/sbin.syslogd
+++ b/profiles/apparmor.d/sbin.syslogd
@@ -38,7 +38,7 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
/etc/syslog.conf r,
/etc/syslog.d/ r,
/etc/syslog.d/* r,
- /{usr/,}{bin,sbin}/syslogd rmix,
+ @{exec_path} mrix,
/var/log/** rw,
@{run}/syslog.pid krwl,
@{run}/syslogd.pid krwl,
diff --git a/profiles/apparmor.d/sbuild b/profiles/apparmor.d/sbuild
index 28f3e41d7..adbab704f 100644
--- a/profiles/apparmor.d/sbuild
+++ b/profiles/apparmor.d/sbuild
@@ -8,8 +8,9 @@ profile sbuild /usr/bin/sbuild flags=(attach_disconnected mediate_deleted) {
allow all,
userns,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at lower priority
/usr/bin/unshare ix,
# Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/sbuild-abort b/profiles/apparmor.d/sbuild-abort
index 77b60db3f..21a6f54db 100644
--- a/profiles/apparmor.d/sbuild-abort
+++ b/profiles/apparmor.d/sbuild-abort
@@ -6,8 +6,9 @@ include
profile sbuild-abort /usr/bin/sbuild-abort flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all is at lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-adduser b/profiles/apparmor.d/sbuild-adduser
index bb67c50e7..ada1cd389 100644
--- a/profiles/apparmor.d/sbuild-adduser
+++ b/profiles/apparmor.d/sbuild-adduser
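Review bot: The rewritten override comment is phrased differently in files that receive the identical change: sbuild has `assumes allow all ix is at lower priority`, sbuild-abort `assumes allow all is at lower priority`, sbuild-adduser on the next line `assumes allow all is at a lower priority`, sbuild-checkpackages `assumes allow ix is at lower priority`, and the remaining sbuild-* hunks `assumes allow all ix is at a lower priority`. One wording, e.g. `# override default pix; assumes the allow all ix rule has lower priority`, across all of them keeps the profiles diff- and grep-friendly and makes the priority assumption read the same everywhere. The same applies to every sbuild-* hunk on this and the following three lines.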
@@ -6,8 +6,9 @@ include
profile sbuild-adduser /usr/sbin/sbuild-adduser flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-apt b/profiles/apparmor.d/sbuild-apt
index f50fc4f3b..3d3a1e18f 100644
--- a/profiles/apparmor.d/sbuild-apt
+++ b/profiles/apparmor.d/sbuild-apt
@@ -6,8 +6,9 @@ include
profile sbuild-apt /usr/bin/sbuild-apt flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-checkpackages b/profiles/apparmor.d/sbuild-checkpackages
index c4f8812d1..f4ebb2b8e 100644
--- a/profiles/apparmor.d/sbuild-checkpackages
+++ b/profiles/apparmor.d/sbuild-checkpackages
@@ -6,8 +6,9 @@ include
profile sbuild-checkpackages /usr/bin/sbuild-checkpackages flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow ix is at lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-clean b/profiles/apparmor.d/sbuild-clean
index eca646a51..40a9923db 100644
--- a/profiles/apparmor.d/sbuild-clean
+++ b/profiles/apparmor.d/sbuild-clean
@@ -6,8 +6,9 @@ include
profile sbuild-clean /usr/bin/sbuild-clean flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-createchroot b/profiles/apparmor.d/sbuild-createchroot
index 85ffa3ed6..860b933a7 100644
--- a/profiles/apparmor.d/sbuild-createchroot
+++ b/profiles/apparmor.d/sbuild-createchroot
@@ -6,8 +6,9 @@ include
profile sbuild-createchroot /usr/bin/sbuild-createchroot flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-destroychroot b/profiles/apparmor.d/sbuild-destroychroot
index 7232c2ce6..b70624b51 100644
--- a/profiles/apparmor.d/sbuild-destroychroot
+++ b/profiles/apparmor.d/sbuild-destroychroot
@@ -6,8 +6,9 @@ include
profile sbuild-destroychroot /usr/sbin/sbuild-destroychroot flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-distupgrade b/profiles/apparmor.d/sbuild-distupgrade
index 8df44146f..ead850645 100644
--- a/profiles/apparmor.d/sbuild-distupgrade
+++ b/profiles/apparmor.d/sbuild-distupgrade
@@ -6,8 +6,9 @@ include
profile sbuild-distupgrade /usr/bin/sbuild-distupgrade flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-hold b/profiles/apparmor.d/sbuild-hold
index 0a07994ec..70b611907 100644
--- a/profiles/apparmor.d/sbuild-hold
+++ b/profiles/apparmor.d/sbuild-hold
@@ -6,8 +6,9 @@ include
profile sbuild-hold /usr/bin/sbuild-hold flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-shell b/profiles/apparmor.d/sbuild-shell
index d93b70e6d..72901516e 100644
--- a/profiles/apparmor.d/sbuild-shell
+++ b/profiles/apparmor.d/sbuild-shell
@@ -6,8 +6,9 @@ include
profile sbuild-shell /usr/bin/sbuild-shell flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-unhold b/profiles/apparmor.d/sbuild-unhold
index 13c009633..53f06f4c0 100644
--- a/profiles/apparmor.d/sbuild-unhold
+++ b/profiles/apparmor.d/sbuild-unhold
@@ -6,8 +6,9 @@ include
profile sbuild-unhold /usr/bin/sbuild-unhold flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-update b/profiles/apparmor.d/sbuild-update
index 764c11e26..eadb87fb3 100644
--- a/profiles/apparmor.d/sbuild-update
+++ b/profiles/apparmor.d/sbuild-update
@@ -6,8 +6,9 @@ include
profile sbuild-update /usr/bin/sbuild-update flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/sbuild-upgrade b/profiles/apparmor.d/sbuild-upgrade
index 3ee9d328a..34a01e12c 100644
--- a/profiles/apparmor.d/sbuild-upgrade
+++ b/profiles/apparmor.d/sbuild-upgrade
@@ -6,8 +6,9 @@ include
profile sbuild-upgrade /usr/bin/sbuild-upgrade flags=(attach_disconnected mediate_deleted) {
allow all,
+ @{exec_path} mrix,
- # override default pix
+ # override default pix, assumes allow all ix is at a lower priority
/usr/bin/unshare ix,
userns,
diff --git a/profiles/apparmor.d/scide b/profiles/apparmor.d/scide
index 4cbde8bfb..7e65d5f8e 100644
--- a/profiles/apparmor.d/scide
+++ b/profiles/apparmor.d/scide
@@ -7,6 +7,7 @@ include #supercollider-ide profile scide /usr/bin/scide flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/signal-desktop b/profiles/apparmor.d/signal-desktop index 05738b995..d3e284c71 100644 --- a/profiles/apparmor.d/signal-desktop +++ b/profiles/apparmor.d/signal-desktop @@ -6,6 +6,7 @@ include profile signal-desktop /opt/Signal/signal-desktop flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/slack b/profiles/apparmor.d/slack index 158b3d3c7..bacb1abbd 100644 --- a/profiles/apparmor.d/slack +++ b/profiles/apparmor.d/slack @@ -6,6 +6,7 @@ include profile slack /usr/lib/slack/slack flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/slirp4netns b/profiles/apparmor.d/slirp4netns index 014819edc..bc975785a 100644 --- a/profiles/apparmor.d/slirp4netns +++ b/profiles/apparmor.d/slirp4netns @@ -6,6 +6,7 @@ include profile slirp4netns /usr/bin/slirp4netns flags=(unconfined) { userns, + @{exec_path} mrix, # pivot_root is required for running `slirp4netns --enable-sandbox` inside LXD. # https://github.com/rootless-containers/slirp4netns/issues/348 diff --git a/profiles/apparmor.d/steam b/profiles/apparmor.d/steam index ebd06f71d..12360b9b6 100644 --- a/profiles/apparmor.d/steam +++ b/profiles/apparmor.d/steam @@ -6,6 +6,7 @@ include profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/stress-ng b/profiles/apparmor.d/stress-ng index 314b81563..653a98550 100644 --- a/profiles/apparmor.d/stress-ng 
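Review bot: The added `@{exec_path} mrix,` sits in a profile declared with `flags=(unconfined)`, where file rules are not enforced, so as far as the hunk shows it grants nothing; the same applies to the other unconfined-flag profiles touched by this commit. If the intent is that every shipped profile carries a self rule so the new variable is exercised by the parser, say so once with a comment such as `# self rule: not enforced in unconfined mode, kept for consistency with confined profiles`. Otherwise the line is noise next to `userns,`, which appears to be the rule these profiles exist for.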
+++ b/profiles/apparmor.d/stress-ng @@ -6,6 +6,7 @@ include profile stress-ng /usr/bin/stress-ng flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/surfshark b/profiles/apparmor.d/surfshark index adbd896d5..02717a1dd 100644 --- a/profiles/apparmor.d/surfshark +++ b/profiles/apparmor.d/surfshark @@ -6,6 +6,7 @@ include profile surfshark /opt/Surfshark/surfshark flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/systemd-coredump b/profiles/apparmor.d/systemd-coredump index 5b89dcd08..2f7e366dd 100644 --- a/profiles/apparmor.d/systemd-coredump +++ b/profiles/apparmor.d/systemd-coredump @@ -6,6 +6,7 @@ include profile systemd-coredump /usr/lib/systemd/systemd-coredump flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tar b/profiles/apparmor.d/tar index 91b31237d..5ea57a4ca 100644 --- a/profiles/apparmor.d/tar +++ b/profiles/apparmor.d/tar @@ -25,6 +25,7 @@ profile tar /usr/bin/tar { file rwl /**, # tar can be made to filter archives through an arbitrary program + @{exec_path} mr, /{usr{/local,},}/{bin,sbin}/* ix, /opt/** ix, diff --git a/profiles/apparmor.d/thunderbird b/profiles/apparmor.d/thunderbird index 060eb24da..de985e08e 100644 --- a/profiles/apparmor.d/thunderbird +++ b/profiles/apparmor.d/thunderbird @@ -6,6 +6,7 @@ include profile thunderbird /usr/bin/thunderbird flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tinyproxy b/profiles/apparmor.d/tinyproxy index 4a615779b..3a62e3b16 100644 --- a/profiles/apparmor.d/tinyproxy +++ b/profiles/apparmor.d/tinyproxy 
@@ -30,7 +30,7 @@ profile tinyproxy /usr/bin/tinyproxy { # allow this as well capability net_bind_service, - file mr /usr/bin/tinyproxy, + mr @{exec_path}, file r @{etc_ro}/tinyproxy/tinyproxy.conf, # tinyproxy.conf allows to configure the locations of various files that will diff --git a/profiles/apparmor.d/trinity b/profiles/apparmor.d/trinity index 41e2346ad..0c1059dbd 100644 --- a/profiles/apparmor.d/trinity +++ b/profiles/apparmor.d/trinity @@ -6,6 +6,7 @@ include profile trinity /usr/bin/trinity flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tshark b/profiles/apparmor.d/tshark index a249914d4..85f0cc693 100644 --- a/profiles/apparmor.d/tshark +++ b/profiles/apparmor.d/tshark @@ -23,7 +23,7 @@ profile tshark /usr/bin/tshark { signal send peer=tshark//dumpcap, file Cx /usr/bin/dumpcap -> dumpcap, - file mr /usr/bin/tshark, + mr @{exec_path}, file mrix /usr/lib/@{multiarch}/wireshark/extcap/{,*}, file r /usr/share/wireshark/{,**}, file r @{PROC}/@{pid}/fd/, diff --git a/profiles/apparmor.d/tup b/profiles/apparmor.d/tup index 482a0d326..7ec6899de 100644 --- a/profiles/apparmor.d/tup +++ b/profiles/apparmor.d/tup @@ -6,6 +6,7 @@ include profile tup /usr/bin/tup flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/tuxedo-control-center b/profiles/apparmor.d/tuxedo-control-center index d64c762af..0bd0f6216 100644 --- a/profiles/apparmor.d/tuxedo-control-center +++ b/profiles/apparmor.d/tuxedo-control-center @@ -6,6 +6,7 @@ include profile tuxedo-control-center /opt/tuxedo-control-center/tuxedo-control-center flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists 
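Review bot: The replacement `mr @{exec_path},` drops the `file` keyword that both the removed line and the neighbouring `file r @{etc_ro}/tinyproxy/tinyproxy.conf,` use, so the profile now mixes two rule styles on adjacent lines; the tshark and wg hunks in this commit do the same while wg-quick keeps `file mr @{exec_path},`. Pick one form for the whole commit; here `file mr @{exec_path},` matches the surrounding rules and keeps the self rule recognisable at a glance.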
diff --git a/profiles/apparmor.d/unix-chkpwd b/profiles/apparmor.d/unix-chkpwd index a8ec8d43f..fc69f1df8 100644 --- a/profiles/apparmor.d/unix-chkpwd +++ b/profiles/apparmor.d/unix-chkpwd @@ -20,7 +20,7 @@ profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd { network netlink raw, - /{,usr/}{,s}bin/unix_chkpwd mr, + @{exec_path} mr, /etc/shadow r, diff --git a/profiles/apparmor.d/userbindmount b/profiles/apparmor.d/userbindmount index 406f494c7..004c2cea6 100644 --- a/profiles/apparmor.d/userbindmount +++ b/profiles/apparmor.d/userbindmount @@ -6,6 +6,7 @@ include profile userbindmount /usr/bin/userbindmount flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.bin.hwctl b/profiles/apparmor.d/usr.bin.hwctl index 8a7586954..6fae491bd 100644 --- a/profiles/apparmor.d/usr.bin.hwctl +++ b/profiles/apparmor.d/usr.bin.hwctl @@ -24,6 +24,8 @@ profile hwctl /usr/bin/hwctl { network inet6 stream, network netlink raw, + @{exec_path} mr, + /sys/firmware/dmi/tables/* r, # for collecting SMBIOS info /sys/devices/system/cpu/cpufreq/policy*/cpuinfo_max_freq r, /sys/fs/cgroup/**/cpu.max r, @@ -38,14 +40,14 @@ profile hwctl /usr/bin/hwctl { profile dpkg /usr/bin/dpkg { include - /usr/bin/dpkg r, + @{exec_path} r, /etc/dpkg/** r, } profile kmod /usr/bin/kmod { include - /usr/bin/kmod r, + @{exec_path} r, @{PROC}/{cmdline,modules} r, @{sys}/module/** r, # for fetching kernel modules } diff --git a/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 index fdc1f40e5..f96f79ca2 100644 --- a/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 +++ b/profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 @@ -53,6 +53,7 @@ include / rw, /** mrwlkix, + @{exec_path} mr, ^DEFAULT_URI { 
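Review bot: Inside hwctl the nested child profiles `profile dpkg /usr/bin/dpkg` and `profile kmod /usr/bin/kmod` now use `@{exec_path} r,`, which is only equivalent to the removed `/usr/bin/dpkg r,` and `/usr/bin/kmod r,` if the parser binds the variable per profile, children included, rather than once for the enclosing top-level profile. The description defers variable scoping to a follow-up patch and the hunk alone does not show which binding applies; if it is the parent's, these children silently lose read access to their own binary and gain it on /usr/bin/hwctl, with no compile error to flag it. This wants a parser regression test with a nested child profile, or at least a comment on the child rules stating the intended expansion, e.g. `# @{exec_path} expands to this child's own attachment (/usr/bin/dpkg)`. The hwctl profile body continues outside the hunk.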
diff --git a/profiles/apparmor.d/usr.lib.dovecot.anvil b/profiles/apparmor.d/usr.lib.dovecot.anvil index 852a647bf..6e867cf38 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.anvil +++ b/profiles/apparmor.d/usr.lib.dovecot.anvil @@ -24,7 +24,7 @@ profile dovecot-anvil /usr/lib*/dovecot/anvil { @{run}/dovecot/anvil rw, @{run}/dovecot/anvil-auth-penalty rw, - /usr/lib*/dovecot/anvil mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth index 06277c448..98534d154 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.auth +++ b/profiles/apparmor.d/usr.lib.dovecot.auth @@ -33,7 +33,7 @@ profile dovecot-auth /usr/lib*/dovecot/auth { /etc/my.cnf.d/*.cnf r, /etc/dovecot/* r, - /usr/lib*/dovecot/auth mr, + @{exec_path} mr, /var/lib/dovecot/auth-chroot/* r, # kerberos replay cache diff --git a/profiles/apparmor.d/usr.lib.dovecot.config b/profiles/apparmor.d/usr.lib.dovecot.config index e14a58fb8..c0ae6a58f 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.config +++ b/profiles/apparmor.d/usr.lib.dovecot.config @@ -24,7 +24,7 @@ profile dovecot-config /usr/lib*/dovecot/config { /etc/dovecot/** r, /usr/bin/doveconf rix, - /usr/lib*/dovecot/config mr, + @{exec_path} mr, /usr/lib*/dovecot/managesieve Px, /usr/share/dovecot/** r, /var/lib/dovecot/ssl-parameters.dat r, diff --git a/profiles/apparmor.d/usr.lib.dovecot.deliver b/profiles/apparmor.d/usr.lib.dovecot.deliver index d458e0533..81dc0565c 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.deliver +++ b/profiles/apparmor.d/usr.lib.dovecot.deliver @@ -32,7 +32,7 @@ profile dovecot-deliver /usr/lib*/dovecot/deliver { /etc/dovecot/dovecot-postfix.conf r, # ??? @{HOME} r, # ??? - /usr/lib*/dovecot/deliver mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists 
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dict b/profiles/apparmor.d/usr.lib.dovecot.dict index 735160b58..ba2722b07 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.dict +++ b/profiles/apparmor.d/usr.lib.dovecot.dict @@ -26,7 +26,7 @@ profile dovecot-dict /usr/lib*/dovecot/dict { /etc/dovecot/dovecot-database.conf.ext r, /etc/dovecot/dovecot-dict-sql.conf.ext r, /etc/my.cnf r, - /usr/lib*/dovecot/dict mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.director b/profiles/apparmor.d/usr.lib.dovecot.director index b290b89d9..50f590131 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.director +++ b/profiles/apparmor.d/usr.lib.dovecot.director @@ -22,7 +22,7 @@ profile dovecot-director /usr/lib*/dovecot/director flags=(attach_disconnected) capability sys_chroot, /run/dovecot/login/proxy-notify rw, - /usr/lib*/dovecot/director mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.doveadm-server b/profiles/apparmor.d/usr.lib.dovecot.doveadm-server index f6e4edc56..72d146050 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.doveadm-server +++ b/profiles/apparmor.d/usr.lib.dovecot.doveadm-server @@ -17,7 +17,7 @@ profile dovecot-doveadm-server /usr/lib*/dovecot/doveadm-server flags=(attach_di include include - /usr/lib*/dovecot/doveadm-server mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth index b832532bc..f38d2af52 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth +++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 
@@ -25,7 +25,7 @@ profile dovecot-dovecot-auth /usr/lib*/dovecot/dovecot-auth { capability dac_override, @{PROC}/@{pid}/mounts r, - /usr/lib*/dovecot/dovecot-auth mr, + @{exec_path} mr, @{run}/dovecot/** rw, # required for postfix+dovecot integration /var/spool/postfix/private/dovecot-auth w, diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda index 047b947de..b192b88fd 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda +++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda @@ -30,7 +30,7 @@ profile dovecot-dovecot-lda /usr/lib*/dovecot/dovecot-lda flags=(attach_disconne @{run}/dovecot/mounts r, @{run}/dovecot/auth-userdb rw, /usr/bin/doveconf mrix, - /usr/lib*/dovecot/dovecot-lda mrix, + @{exec_path} mrix, /usr/{bin,sbin}/sendmail Cx -> sendmail, /usr/share/dovecot/protocols.d/ r, /usr/share/dovecot/protocols.d/** r, diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap b/profiles/apparmor.d/usr.lib.dovecot.imap index 07d70e0d8..33d02912b 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.imap +++ b/profiles/apparmor.d/usr.lib.dovecot.imap @@ -37,7 +37,7 @@ profile dovecot-imap /usr/lib*/dovecot/imap { @{PROC}/@{pid}/attr/{apparmor/,}current rw, @{PROC}/@{pid}/stat r, /usr/bin/doveconf rix, - /usr/lib*/dovecot/imap mrix, + @{exec_path} mrix, /usr/share/dovecot/** r, @{run}/dovecot/login/imap rw, @{run}/dovecot/auth-master rw, diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap-login b/profiles/apparmor.d/usr.lib.dovecot.imap-login index 7d6d9432c..a7481d698 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.imap-login +++ b/profiles/apparmor.d/usr.lib.dovecot.imap-login @@ -25,7 +25,7 @@ profile dovecot-imap-login /usr/lib*/dovecot/imap-login { network inet6 stream, network unix stream, - /usr/lib*/dovecot/imap-login mr, + @{exec_path} mr, @{run}/dovecot/anvil rw, @{run}/dovecot/login-master-notify* rw, @{run}/dovecot/login/ r, 
diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp index 075a81704..27488c039 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.lmtp +++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp @@ -34,7 +34,7 @@ profile dovecot-lmtp /usr/lib*/dovecot/lmtp { owner @{PROC}/@{pid}/stat r, @{PROC}/*/mounts r, /tmp/dovecot.lmtp.* rw, - /usr/lib*/dovecot/lmtp mr, + @{exec_path} mr, @{run}/dovecot/mounts r, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor.d/usr.lib.dovecot.log b/profiles/apparmor.d/usr.lib.dovecot.log index bce2302e1..a92067ffc 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.log +++ b/profiles/apparmor.d/usr.lib.dovecot.log @@ -17,7 +17,7 @@ profile dovecot-log /usr/lib*/dovecot/log flags=(attach_disconnected) { include include - /usr/lib*/dovecot/log mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.managesieve b/profiles/apparmor.d/usr.lib.dovecot.managesieve index 489fd1e34..c1346a665 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.managesieve +++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve @@ -29,7 +29,7 @@ profile dovecot-managesieve /usr/lib*/dovecot/managesieve { /etc/dovecot/** r, /usr/bin/doveconf rix, - /usr/lib*/dovecot/managesieve mrix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login index 80393926d..aab19ab95 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.managesieve-login +++ b/profiles/apparmor.d/usr.lib.dovecot.managesieve-login 
@@ -27,7 +27,7 @@ profile dovecot-managesieve-login /usr/lib*/dovecot/managesieve-login { network inet6 stream, network unix stream, - /usr/lib*/dovecot/managesieve-login mr, + @{exec_path} mr, @{run}/dovecot/login-master-notify* rw, @{run}/dovecot/login/ r, @{run}/dovecot/login/* rw, diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3 b/profiles/apparmor.d/usr.lib.dovecot.pop3 index b46db8cf4..cd32fb2c2 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.pop3 +++ b/profiles/apparmor.d/usr.lib.dovecot.pop3 @@ -27,8 +27,8 @@ profile dovecot-pop3 /usr/lib*/dovecot/pop3 { @{HOME} r, # ??? @{PROC}/@{pid}/stat r, - /usr/lib*/dovecot/pop3 mr, - + @{exec_path} mr, + # Site-specific additions and overrides. See local/README for details. include if exists } diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3-login b/profiles/apparmor.d/usr.lib.dovecot.pop3-login index 348a16769..7125a93f0 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.pop3-login +++ b/profiles/apparmor.d/usr.lib.dovecot.pop3-login @@ -25,7 +25,7 @@ profile dovecot-pop3-login /usr/lib*/dovecot/pop3-login { network inet6 stream, network unix stream, - /usr/lib*/dovecot/pop3-login mr, + @{exec_path} mr, @{run}/dovecot/anvil rw, @{run}/dovecot/login-master-notify* rw, @{run}/dovecot/login/ r, diff --git a/profiles/apparmor.d/usr.lib.dovecot.replicator b/profiles/apparmor.d/usr.lib.dovecot.replicator index b133e40a9..ba396f1d4 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.replicator +++ b/profiles/apparmor.d/usr.lib.dovecot.replicator @@ -27,7 +27,7 @@ profile dovecot-replicator /usr/lib*/dovecot/replicator { /etc/dovecot/conf.d/ r, /etc/dovecot/conf.d/** r, /etc/dovecot/dovecot.conf r, - /usr/lib*/dovecot/replicator mr, + @{exec_path} mr, /usr/share/dovecot/** r, /{,var/}run/dovecot/auth-master rw, @{DOVECOT_MAILSTORE}/ rw, diff --git a/profiles/apparmor.d/usr.lib.dovecot.script-login b/profiles/apparmor.d/usr.lib.dovecot.script-login index fed1baae6..5f72948d1 100644 
--- a/profiles/apparmor.d/usr.lib.dovecot.script-login +++ b/profiles/apparmor.d/usr.lib.dovecot.script-login @@ -21,7 +21,7 @@ profile dovecot-script-login /usr/lib*/dovecot/script-login { capability setuid, - /usr/lib*/dovecot/script-login mrPx, + @{exec_path} mrPx, # NOTE: You'll need to allow execution of your actual login script. # The recommended way is to add a rule for it in local/usr.lib.dovecot.script-login diff --git a/profiles/apparmor.d/usr.lib.dovecot.ssl-params b/profiles/apparmor.d/usr.lib.dovecot.ssl-params index 5f525238b..8a9cf4b7e 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.ssl-params +++ b/profiles/apparmor.d/usr.lib.dovecot.ssl-params @@ -19,7 +19,7 @@ profile dovecot-ssl-params /usr/lib*/dovecot/ssl-params { @{run}/dovecot/ssl-params rw, @{run}/dovecot/login/ssl-params rw, - /usr/lib*/dovecot/ssl-params mr, + @{exec_path} mr, /var/lib/dovecot/ssl-parameters.dat rw, /var/lib/dovecot/ssl-parameters.dat.tmp rwk, diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats b/profiles/apparmor.d/usr.lib.dovecot.stats index 4c30994ab..88c6469de 100644 --- a/profiles/apparmor.d/usr.lib.dovecot.stats +++ b/profiles/apparmor.d/usr.lib.dovecot.stats @@ -24,7 +24,7 @@ profile dovecot-stats /usr/lib*/dovecot/stats { network inet stream, network inet6 stream, - /usr/lib*/dovecot/stats mr, + @{exec_path} mr, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/usr.sbin.apache2 b/profiles/apparmor.d/usr.sbin.apache2 index 17841715c..508f8205e 100644 --- a/profiles/apparmor.d/usr.sbin.apache2 +++ b/profiles/apparmor.d/usr.sbin.apache2 @@ -84,6 +84,7 @@ profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) { / rw, /** mrwlkix, + @{exec_path} mrix, ^DEFAULT_URI flags=(attach_disconnected) { diff --git a/profiles/apparmor.d/usr.sbin.avahi-daemon b/profiles/apparmor.d/usr.sbin.avahi-daemon index fe713efde..85986c0ca 100644 --- a/profiles/apparmor.d/usr.sbin.avahi-daemon 
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon @@ -25,7 +25,7 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) { @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - /usr/{bin,sbin}/avahi-daemon mr, + @{exec_path} mr, /usr/share/avahi/introspection/*.introspect r, /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r, @{run}/avahi-daemon/ w, diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq index f0cc01373..3aaf75e64 100644 --- a/profiles/apparmor.d/usr.sbin.dnsmasq +++ b/profiles/apparmor.d/usr.sbin.dnsmasq @@ -51,7 +51,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { /etc/dnsmasq-conf.conf r, /etc/dnsmasq-resolv.conf r, - /usr/{bin,sbin}/dnsmasq mr, + @{exec_path} mr, /var/log/dnsmasq*.log w, diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot index 4c93b4406..246a43b59 100644 --- a/profiles/apparmor.d/usr.sbin.dovecot +++ b/profiles/apparmor.d/usr.sbin.dovecot @@ -67,7 +67,7 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) { /usr/lib*/dovecot/ssl-build-param rix, /usr/lib*/dovecot/ssl-params mrPx, /usr/lib*/dovecot/stats Px, - /usr/{bin,sbin}/dovecot mrix, + @{exec_path} mrix, /usr/share/dovecot/dh.pem r, /usr/share/dovecot/protocols.d/ r, /usr/share/dovecot/protocols.d/** r, diff --git a/profiles/apparmor.d/usr.sbin.identd b/profiles/apparmor.d/usr.sbin.identd index f4f7d580c..ab0467aef 100644 --- a/profiles/apparmor.d/usr.sbin.identd +++ b/profiles/apparmor.d/usr.sbin.identd @@ -23,7 +23,7 @@ profile identd /usr/{bin,sbin}/identd { /etc/identd.conf r, /etc/identd.key r, /etc/identd.pid w, - /usr/{bin,sbin}/identd rmix, + @{exec_path} mrix, @{PROC}/net/tcp r, @{PROC}/net/tcp6 r, @{run}/identd.pid w, diff --git a/profiles/apparmor.d/usr.sbin.mdnsd b/profiles/apparmor.d/usr.sbin.mdnsd index ff093bb71..8c2f75831 100644 --- a/profiles/apparmor.d/usr.sbin.mdnsd 
+++ b/profiles/apparmor.d/usr.sbin.mdnsd @@ -26,7 +26,7 @@ profile mdnsd /usr/{bin,sbin}/mdnsd { network netlink dgram, - /usr/{bin,sbin}/mdnsd rmix, + @{exec_path} mrix, @{PROC}/net/ r, @{PROC}/net/unix r, diff --git a/profiles/apparmor.d/usr.sbin.nmbd b/profiles/apparmor.d/usr.sbin.nmbd index cee04e7e2..02efceebf 100644 --- a/profiles/apparmor.d/usr.sbin.nmbd +++ b/profiles/apparmor.d/usr.sbin.nmbd @@ -12,7 +12,7 @@ profile nmbd /usr/{bin,sbin}/nmbd { @{PROC}/sys/kernel/core_pattern r, - /usr/{bin,sbin}/nmbd mr, + @{exec_path} mr, /var/{cache,lib}/samba/browse.dat* rw, /var/{cache,lib}/samba/gencache.dat rw, diff --git a/profiles/apparmor.d/usr.sbin.nscd b/profiles/apparmor.d/usr.sbin.nscd index 34aa13fc6..35f9db4d3 100644 --- a/profiles/apparmor.d/usr.sbin.nscd +++ b/profiles/apparmor.d/usr.sbin.nscd @@ -26,7 +26,7 @@ profile nscd /usr/{bin,sbin}/nscd { /etc/machine-id r, /etc/netgroup r, /etc/nscd.conf r, - /usr/{bin,sbin}/nscd rmix, + @{exec_path} mrix, @{run}/.nscd_socket wl, @{run}/nscd/ rw, @{run}/nscd/db* rwl, diff --git a/profiles/apparmor.d/usr.sbin.ntpd b/profiles/apparmor.d/usr.sbin.ntpd index 774038a73..da2006e30 100644 --- a/profiles/apparmor.d/usr.sbin.ntpd +++ b/profiles/apparmor.d/usr.sbin.ntpd @@ -42,7 +42,7 @@ profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) { /tmp/ntp* rwl, /{usr/,usr/local/,}{s,}bin/ r, - /usr/{bin,sbin}/{,open}ntpd rmix, + @{exec_path} mrix, /var/db/ r, /var/db/ntpd.drift rwl, /var/lib/ntp/drift rwl, diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd index 149743eed..6bee4eb55 100644 --- a/profiles/apparmor.d/usr.sbin.smbd +++ b/profiles/apparmor.d/usr.sbin.smbd @@ -45,7 +45,7 @@ profile smbd /usr/{bin,sbin}/smbd { /usr/lib/@{multiarch}/samba/**/ r, /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr, /usr/share/samba/** r, - /usr/{bin,sbin}/smbd mr, + @{exec_path} mr, /usr/{bin,sbin}/smbldap-useradd Px, /var/cache/samba/** rwk, /var/{cache,lib}/samba/printing/printers.tdb mrw, 
diff --git a/profiles/apparmor.d/usr.sbin.smbldap-useradd b/profiles/apparmor.d/usr.sbin.smbldap-useradd index 395656210..285280360 100644 --- a/profiles/apparmor.d/usr.sbin.smbldap-useradd +++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd @@ -16,7 +16,7 @@ profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd { /etc/shadow r, /etc/smbldap-tools/smbldap.conf r, /etc/smbldap-tools/smbldap_bind.conf r, - /usr/{bin,sbin}/smbldap-useradd r, + @{exec_path} r, /usr/{bin,sbin}/smbldap_tools.pm r, /var/log/samba/log.smbd w, diff --git a/profiles/apparmor.d/usr.sbin.traceroute b/profiles/apparmor.d/usr.sbin.traceroute index d3c885b29..65bee4174 100644 --- a/profiles/apparmor.d/usr.sbin.traceroute +++ b/profiles/apparmor.d/usr.sbin.traceroute @@ -23,7 +23,7 @@ profile traceroute /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/tracerou network inet raw, network inet6 raw, - /usr/{{bin,sbin}/traceroute,bin/linux-traceroute,bin/traceroute.db} mrix, + @{exec_path} mrix, @{PROC}/net/route r, @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r, diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd index 9283dfa15..b8f0dbe59 100644 --- a/profiles/apparmor.d/usr.sbin.winbindd +++ b/profiles/apparmor.d/usr.sbin.winbindd @@ -28,7 +28,7 @@ profile winbindd /usr/{bin,sbin}/winbindd { /usr/lib*/samba/nss_info/*.so mr, /usr/lib*/samba/pdb/*.so mr, /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd, - /usr/{bin,sbin}/winbindd mr, + @{exec_path} mr, /var/cache/krb5rcache/* rwk, /var/lib/sss/pubconf/kdcinfo.* r, /var/log/samba/log.winbindd rw, diff --git a/profiles/apparmor.d/uwsgi-core b/profiles/apparmor.d/uwsgi-core index 0ffcca5f8..a4d865e7b 100644 --- a/profiles/apparmor.d/uwsgi-core +++ b/profiles/apparmor.d/uwsgi-core 
@@ -6,6 +6,7 @@ include profile uwsgi-core /usr/bin/uwsgi-core flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vdens b/profiles/apparmor.d/vdens index 643b29547..6eb750d64 100644 --- a/profiles/apparmor.d/vdens +++ b/profiles/apparmor.d/vdens @@ -6,6 +6,7 @@ include profile vdens /usr/bin/vdens flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/virtiofsd b/profiles/apparmor.d/virtiofsd index 380a840de..e4567b7d8 100644 --- a/profiles/apparmor.d/virtiofsd +++ b/profiles/apparmor.d/virtiofsd @@ -6,6 +6,7 @@ include profile virtiofsd /usr/libexec/virtiofsd flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vivaldi-bin b/profiles/apparmor.d/vivaldi-bin index 200c567dd..913c2fd0d 100644 --- a/profiles/apparmor.d/vivaldi-bin +++ b/profiles/apparmor.d/vivaldi-bin @@ -6,6 +6,7 @@ include profile vivaldi-bin /opt/vivaldi/vivaldi-bin flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/vpnns b/profiles/apparmor.d/vpnns index 8fea23718..53f228a51 100644 --- a/profiles/apparmor.d/vpnns +++ b/profiles/apparmor.d/vpnns @@ -6,6 +6,7 @@ include profile vpnns /usr/bin/vpnns flags=(unconfined) { userns, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/wg b/profiles/apparmor.d/wg index 00c40a53d..9a26a6a94 100644 --- a/profiles/apparmor.d/wg +++ b/profiles/apparmor.d/wg 
@@ -27,7 +27,7 @@ profile wg /usr/bin/wg flags=(attach_disconnected){ # wireguard configuration and key files file rw @{etc_rw}/wireguard/{,**}, - file mr /usr/bin/wg, + mr @{exec_path}, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/wg-quick b/profiles/apparmor.d/wg-quick index 629409f60..fe9ec84c5 100644 --- a/profiles/apparmor.d/wg-quick +++ b/profiles/apparmor.d/wg-quick @@ -104,7 +104,7 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) { file rw @{etc_rw}/wireguard/{,**}, # Allow executable mapping and read for the binary - file mr /usr/bin/wg-quick, + file mr @{exec_path}, # Process-specific access file r @{PROC}/@{pid}/net/ip_tables_names, diff --git a/profiles/apparmor.d/wike b/profiles/apparmor.d/wike index 5abb25399..34a115c17 100644 --- a/profiles/apparmor.d/wike +++ b/profiles/apparmor.d/wike @@ -6,6 +6,7 @@ include profile wike /usr/bin/wike flags=(unconfined) { userns, + mr @{exec_path}, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor.d/wpcom b/profiles/apparmor.d/wpcom index 301f37b80..478113657 100644 --- a/profiles/apparmor.d/wpcom +++ b/profiles/apparmor.d/wpcom @@ -6,6 +6,7 @@ include profile wpcom /opt/WordPress.com/wpcom flags=(unconfined) { userns, + mr @{exec_path}, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor/profiles/extras/bin.netstat b/profiles/apparmor/profiles/extras/bin.netstat index 614879cdb..7f5151007 100644 --- a/profiles/apparmor/profiles/extras/bin.netstat +++ b/profiles/apparmor/profiles/extras/bin.netstat @@ -28,7 +28,8 @@ profile netstat /{usr/,}bin/netstat { ptrace (read), - /{usr/,}bin/netstat rmix, + @{exec_path} mr, + /etc/networks r, @{PROC} r, @{PROC}/@{pids}/cmdline r, 
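Review bot: The netstat self rule goes from `/{usr/,}bin/netstat rmix,` to `@{exec_path} mr,`, dropping `ix`, whereas every other self rule rewritten in this commit keeps its exec permission (identd, mdnsd, nscd and ntpd all become `mrix`). Nothing in the description mentions a tightening, so if netstat ever re-executes itself the exec is now denied where it was previously allowed; use `@{exec_path} mrix,` unless the drop is deliberate, in which case a short comment on the line should say so. The hunk header also reports one more added line than removed (+28,8 vs -28,7), so the extra blank-line change should be confirmed as intended.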
diff --git a/profiles/apparmor/profiles/extras/chromium_browser b/profiles/apparmor/profiles/extras/chromium_browser index 532d9366b..b66582e18 100644 --- a/profiles/apparmor/profiles/extras/chromium_browser +++ b/profiles/apparmor/profiles/extras/chromium_browser @@ -256,7 +256,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne owner @{HOME}/.config/chromium/WidevineCdm/*/_platform_specific/*/libwidevinecdm.so mr, # Allow transitions to ourself, our sandbox, and crash handler - /usr/lib/@{chromium}/@{chromium} ix, + @{exec_path} mrix, /usr/lib/@{chromium}/chrome-sandbox cx -> sandbox, /usr/lib/@{chromium}/chrome_crashpad_handler Cxr -> crashpad_handler, diff --git a/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate b/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate index e83d61f78..ed1a0241a 100644 --- a/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate +++ b/profiles/apparmor/profiles/extras/etc.cron.daily.logrotate @@ -39,7 +39,7 @@ include /usr/bin/head mrix, /usr/bin/killall mixr, /usr/sbin/invoke-rc.d mrix, - /usr/sbin/logrotate mixr, + @{exec_path} mrix, ## see https://lists.ubuntu.com/archives/apparmor/2016-December/010359.html /{usr/,}sbin/initctl Ux, diff --git a/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron b/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron index 0131fbb30..c3ef83464 100644 --- a/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron +++ b/profiles/apparmor/profiles/extras/etc.cron.daily.slocate.cron @@ -20,7 +20,7 @@ include include /{usr/,}bin/bash mixr, /dev/tty wr , - /etc/cron.daily/slocate.cron r , + @{exec_path} r, /etc/mtab r , /usr/bin/slocate mixr, /usr/bin/renice mixr, diff --git a/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch b/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch index 833c0cca5..1a558ea5a 100644 --- a/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch 
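Review bot: In the logrotate hunk the removed `/usr/sbin/logrotate mixr,` is replaced by `@{exec_path} mrix,`, which is only a rename if this profile's attachment is /usr/sbin/logrotate. The profile header is outside the hunk, but the file is etc.cron.daily.logrotate, the hunk header context is a bare `include` rather than a `profile ...` line (as with the other path-named cron profiles here, e.g. `/etc/cron.daily/tmpwatch {`), and the sibling slocate.cron and tmpwatch hunks keep their `/usr/bin/slocate mixr,` and `/usr/sbin/tmpwatch mixr,` rules and replace only the cron-script self rule. If this profile likewise attaches to /etc/cron.daily/logrotate, @{exec_path} expands to the cron script and the exec of /usr/sbin/logrotate loses its rule, breaking the daily job in enforce mode. Restore `/usr/sbin/logrotate mixr,` and, if a self rule is wanted, add `@{exec_path} r,` beside it as the tmpwatch hunk does.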
+++ b/profiles/apparmor/profiles/extras/etc.cron.daily.tmpwatch @@ -14,7 +14,7 @@ include /etc/cron.daily/tmpwatch { include - /etc/cron.daily/tmpwatch r, + @{exec_path} r, /tmp r, /tmp/** rwl, /usr/sbin/tmpwatch mixr, diff --git a/profiles/apparmor/profiles/extras/firefox.sh b/profiles/apparmor/profiles/extras/firefox.sh index bb7efa836..7ddd52b20 100644 --- a/profiles/apparmor/profiles/extras/firefox.sh +++ b/profiles/apparmor/profiles/extras/firefox.sh @@ -11,7 +11,7 @@ profile firefox.sh /usr/lib/firefox/firefox.sh { deny capability sys_ptrace, - /usr/lib/firefox/firefox.sh mr, + @{exec_path} r, /{usr/,}bin/basename rix, /{usr/,}bin/bash rix, diff --git a/profiles/apparmor/profiles/extras/postfix-anvil b/profiles/apparmor/profiles/extras/postfix-anvil index e29127b27..aca9da3f7 100644 --- a/profiles/apparmor/profiles/extras/postfix-anvil +++ b/profiles/apparmor/profiles/extras/postfix-anvil @@ -18,7 +18,7 @@ profile postfix-anvil /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}anvil mrix, + @{exec_path} mrix, /etc/postfix/main.cf r, /{var/spool/postfix/,}private/anvil rw, diff --git a/profiles/apparmor/profiles/extras/postfix-bounce b/profiles/apparmor/profiles/extras/postfix-bounce index 93cda1f0d..b60a18187 100644 --- a/profiles/apparmor/profiles/extras/postfix-bounce +++ b/profiles/apparmor/profiles/extras/postfix-bounce @@ -19,7 +19,7 @@ profile postfix-bounce /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce { include include - /usr/lib{,exec}/postfix/{bin/,sbin/,}bounce mrix, + @{exec_path} mrix, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwkl, /{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl, diff --git a/profiles/apparmor/profiles/extras/postfix-cleanup b/profiles/apparmor/profiles/extras/postfix-cleanup index ac802ef29..c7d313099 100644 --- a/profiles/apparmor/profiles/extras/postfix-cleanup +++ b/profiles/apparmor/profiles/extras/postfix-cleanup 
@@ -22,7 +22,7 @@ profile postfix-cleanup /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup {
capability net_bind_service,
capability dac_read_search,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}incoming/[0-9]*.[0-9]* rwl,
/{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/* rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-discard b/profiles/apparmor/profiles/extras/postfix-discard
index 8899f4e5a..bfd74aca7 100644
--- a/profiles/apparmor/profiles/extras/postfix-discard
+++ b/profiles/apparmor/profiles/extras/postfix-discard
@@ -17,7 +17,7 @@ include
profile postfix-discard /usr/lib{,exec}/postfix/{bin/,sbin/,}discard {
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}discard mrix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-dnsblog b/profiles/apparmor/profiles/extras/postfix-dnsblog
index a889dc3f2..4992544b3 100644
--- a/profiles/apparmor/profiles/extras/postfix-dnsblog
+++ b/profiles/apparmor/profiles/extras/postfix-dnsblog
@@ -16,7 +16,7 @@ include
profile postfix-dnsblog /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog {
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}dnsblog mrix,
+ @{exec_path} mrix,
/var/spool/postfix/private/dnsblog rw,
diff --git a/profiles/apparmor/profiles/extras/postfix-error b/profiles/apparmor/profiles/extras/postfix-error
index 609a23b3a..33b59188e 100644
--- a/profiles/apparmor/profiles/extras/postfix-error
+++ b/profiles/apparmor/profiles/extras/postfix-error
@@ -19,7 +19,7 @@ profile postfix-error /usr/lib{,exec}/postfix/{bin/,sbin/,}error {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}error mrix,
+ @{exec_path} mrix,
owner /var/spool/postfix/active/* rwk,
/var/spool/postfix/pid/unix.error rwk,
diff --git a/profiles/apparmor/profiles/extras/postfix-flush b/profiles/apparmor/profiles/extras/postfix-flush
index 6080dc559..61a566f04 100644
--- a/profiles/apparmor/profiles/extras/postfix-flush
+++ b/profiles/apparmor/profiles/extras/postfix-flush
@@ -19,7 +19,7 @@ profile postfix-flush /usr/lib{,exec}/postfix/{bin/,sbin/,}flush {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}flush mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}deferred/ r,
/{var/spool/postfix/,}deferred/[0-9A-F]/[0-9A-F]/* rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-lmtp b/profiles/apparmor/profiles/extras/postfix-lmtp
index 0dc6bf949..0b5985057 100644
--- a/profiles/apparmor/profiles/extras/postfix-lmtp
+++ b/profiles/apparmor/profiles/extras/postfix-lmtp
@@ -19,7 +19,7 @@ profile postfix-lmtp /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp mrix,
+ @{exec_path} mrix,
/var/spool/postfix/active/* rwk,
/var/spool/postfix/pid/unix.lmtp rwk,
diff --git a/profiles/apparmor/profiles/extras/postfix-local b/profiles/apparmor/profiles/extras/postfix-local
index 145961783..d7aab028d 100644
--- a/profiles/apparmor/profiles/extras/postfix-local
+++ b/profiles/apparmor/profiles/extras/postfix-local
@@ -27,7 +27,7 @@ profile postfix-local /usr/lib{,exec}/postfix/{bin/,sbin/,}local {
/var/mailman/mail/wrapper Px,
/usr/bin/mlmmj-recieve Px,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}local mrix,
+ @{exec_path} mrix,
/{usr/,}bin/bash mixr,
/{usr/,}bin/date mixr,
diff --git a/profiles/apparmor/profiles/extras/postfix-master b/profiles/apparmor/profiles/extras/postfix-master
index 6d8e7856d..127122f1d 100644
--- a/profiles/apparmor/profiles/extras/postfix-master
+++ b/profiles/apparmor/profiles/extras/postfix-master
@@ -37,6 +37,7 @@ profile postfix-master /usr/lib{,exec}/postfix/{bin/,sbin/,}master {
/{var/spool/postfix/,}private/tlsmgr rwl,
/{var/spool/postfix/,}public/{cleanup,flush,pickup,postlog,qmgr,showq,tlsmgr} rwl,
+ @{exec_path} mrix,
/usr/lib{,exec}/postfix/{bin/,sbin/,}anvil Px,
/usr/lib{,exec}/postfix/{bin/,sbin/,}bounce Px,
/usr/lib{,exec}/postfix/{bin/,sbin/,}cleanup Px,
@@ -44,7 +45,6 @@ profile postfix-master /usr/lib{,exec}/postfix/{bin/,sbin/,}master {
/usr/lib{,exec}/postfix/{bin/,sbin/,}flush Px,
/usr/lib{,exec}/postfix/{bin/,sbin/,}local Px,
/usr/lib{,exec}/postfix/{bin/,sbin/,}lmtp mrPx,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}master mrix,
/usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr Px,
/usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap Px,
/usr/lib{,exec}/postfix/{bin/,sbin/,}pickup Px,
diff --git a/profiles/apparmor/profiles/extras/postfix-nqmgr b/profiles/apparmor/profiles/extras/postfix-nqmgr
index e537e1155..1d20ed49f 100644
--- a/profiles/apparmor/profiles/extras/postfix-nqmgr
+++ b/profiles/apparmor/profiles/extras/postfix-nqmgr
@@ -18,7 +18,7 @@ profile postfix-nqmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}nqmgr mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/ r,
diff --git a/profiles/apparmor/profiles/extras/postfix-oqmgr b/profiles/apparmor/profiles/extras/postfix-oqmgr
index c13e6149e..f7d870115 100644
--- a/profiles/apparmor/profiles/extras/postfix-oqmgr
+++ b/profiles/apparmor/profiles/extras/postfix-oqmgr
@@ -19,7 +19,7 @@ profile postfix-oqmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}oqmgr {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}oqmgr mrix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-pickup b/profiles/apparmor/profiles/extras/postfix-pickup
index a0cba743e..fc8de5d48 100644
--- a/profiles/apparmor/profiles/extras/postfix-pickup
+++ b/profiles/apparmor/profiles/extras/postfix-pickup
@@ -18,7 +18,7 @@ profile postfix-pickup /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}pickup mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}public/cleanup rw,
/{var/spool/postfix/,}public/pickup r,
diff --git a/profiles/apparmor/profiles/extras/postfix-pipe b/profiles/apparmor/profiles/extras/postfix-pipe
index dc4944ba1..465ddd214 100644
--- a/profiles/apparmor/profiles/extras/postfix-pipe
+++ b/profiles/apparmor/profiles/extras/postfix-pipe
@@ -19,7 +19,7 @@ profile postfix-pipe /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}pipe mrix,
+ @{exec_path} mrix,
/var/spool/postfix/active/* rwk,
/var/spool/postfix/private/bounce w,
diff --git a/profiles/apparmor/profiles/extras/postfix-postscreen b/profiles/apparmor/profiles/extras/postfix-postscreen
index b11bd8fc0..0ced312d4 100644
--- a/profiles/apparmor/profiles/extras/postfix-postscreen
+++ b/profiles/apparmor/profiles/extras/postfix-postscreen
@@ -17,7 +17,7 @@ profile postfix-postscreen /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}postscreen mrix,
+ @{exec_path} mrix,
owner /var/lib/postfix/{,__db.}postscreen_cache.db rwk,
# Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/postfix-proxymap b/profiles/apparmor/profiles/extras/postfix-proxymap
index e41e2f472..7ed149de0 100644
--- a/profiles/apparmor/profiles/extras/postfix-proxymap
+++ b/profiles/apparmor/profiles/extras/postfix-proxymap
@@ -20,7 +20,7 @@ profile postfix-proxymap /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap {
include
/etc/my.cnf r,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}proxymap mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}private/proxymap rw,
# Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/postfix-qmgr b/profiles/apparmor/profiles/extras/postfix-qmgr
index 336200409..f304e1e55 100644
--- a/profiles/apparmor/profiles/extras/postfix-qmgr
+++ b/profiles/apparmor/profiles/extras/postfix-qmgr
@@ -18,7 +18,7 @@ profile postfix-qmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}qmgr mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-qmqpd b/profiles/apparmor/profiles/extras/postfix-qmqpd
index 6b9ef9258..9f6702c02 100644
--- a/profiles/apparmor/profiles/extras/postfix-qmqpd
+++ b/profiles/apparmor/profiles/extras/postfix-qmqpd
@@ -18,7 +18,7 @@ profile postfix-qmqpd /usr/lib{,exec}/postfix/{bin/,sbin/,}qmqpd {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}qmqpd mrix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-scache b/profiles/apparmor/profiles/extras/postfix-scache
index 3cf62011f..519d3b342 100644
--- a/profiles/apparmor/profiles/extras/postfix-scache
+++ b/profiles/apparmor/profiles/extras/postfix-scache
@@ -20,7 +20,7 @@ profile postfix-scache /usr/lib{,exec}/postfix/{bin/,sbin/,}scache {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}scache mrix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-showq b/profiles/apparmor/profiles/extras/postfix-showq
index bcfddd435..335c82af3 100644
--- a/profiles/apparmor/profiles/extras/postfix-showq
+++ b/profiles/apparmor/profiles/extras/postfix-showq
@@ -19,7 +19,7 @@ profile postfix-showq /usr/lib{,exec}/postfix/{bin/,sbin/,}showq {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}showq mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}active/ r,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* r,
diff --git a/profiles/apparmor/profiles/extras/postfix-smtp b/profiles/apparmor/profiles/extras/postfix-smtp
index dbef2c9e7..de06ddc9e 100644
--- a/profiles/apparmor/profiles/extras/postfix-smtp
+++ b/profiles/apparmor/profiles/extras/postfix-smtp
@@ -23,7 +23,7 @@ profile postfix-smtp /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp {
capability dac_read_search,
capability net_bind_service,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}smtp mrix,
+ @{exec_path} mrix,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/* rwl,
/{var/spool/postfix/,}active/[0-9A-F]/[0-9A-F]/ rwl,
diff --git a/profiles/apparmor/profiles/extras/postfix-smtpd b/profiles/apparmor/profiles/extras/postfix-smtpd
index ca7e57072..eeea89777 100644
--- a/profiles/apparmor/profiles/extras/postfix-smtpd
+++ b/profiles/apparmor/profiles/extras/postfix-smtpd
@@ -24,7 +24,7 @@ profile postfix-smtpd /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd {
capability dac_override,
capability dac_read_search,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}smtpd mrix,
+ @{exec_path} mrix,
/usr/sbin/postdrop rPx,
/dev/urandom r,
diff --git a/profiles/apparmor/profiles/extras/postfix-spawn b/profiles/apparmor/profiles/extras/postfix-spawn
index 0f44e28f8..b4fb53c07 100644
--- a/profiles/apparmor/profiles/extras/postfix-spawn
+++ b/profiles/apparmor/profiles/extras/postfix-spawn
@@ -18,7 +18,7 @@ profile postfix-spawn /usr/lib{,exec}/postfix/{bin/,sbin/,}spawn {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}spawn mrix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-tlsmgr b/profiles/apparmor/profiles/extras/postfix-tlsmgr
index 9b23d1d95..304af2b33 100644
--- a/profiles/apparmor/profiles/extras/postfix-tlsmgr
+++ b/profiles/apparmor/profiles/extras/postfix-tlsmgr
@@ -19,7 +19,7 @@ profile postfix-tlsmgr /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsmgr mrix,
+ @{exec_path} mrix,
/var/spool/postfix/dev/urandom r,
/{etc,var/lib}/postfix/prng_exch rwk,
diff --git a/profiles/apparmor/profiles/extras/postfix-tlsproxy b/profiles/apparmor/profiles/extras/postfix-tlsproxy
index 2f94edb17..60207de56 100644
--- a/profiles/apparmor/profiles/extras/postfix-tlsproxy
+++ b/profiles/apparmor/profiles/extras/postfix-tlsproxy
@@ -20,7 +20,7 @@ profile postfix-tlsproxy /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy {
capability dac_read_search,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}tlsproxy mrix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-trivial-rewrite b/profiles/apparmor/profiles/extras/postfix-trivial-rewrite
index c6ec25b7b..42f726147 100644
--- a/profiles/apparmor/profiles/extras/postfix-trivial-rewrite
+++ b/profiles/apparmor/profiles/extras/postfix-trivial-rewrite
@@ -21,7 +21,7 @@ profile postfix-trivial-rewrite /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rew
capability dac_read_search,
- /usr/lib{,exec}/postfix/{bin/,sbin/,}trivial-rewrite mrix,
+ @{exec_path} mrix,
/etc/{m,fs}tab r,
/var/spool/postfix/pid/unix.rewrite rw,
diff --git a/profiles/apparmor/profiles/extras/postfix-verify b/profiles/apparmor/profiles/extras/postfix-verify
index 4b4a33721..c9502b80c 100644
--- a/profiles/apparmor/profiles/extras/postfix-verify
+++ b/profiles/apparmor/profiles/extras/postfix-verify
@@ -18,7 +18,7 @@ profile postfix-verify /usr/lib{,exec}/postfix/{bin/,sbin/,}verify {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}verify mrix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/postfix-virtual b/profiles/apparmor/profiles/extras/postfix-virtual
index b42df4ce4..fb798d009 100644
--- a/profiles/apparmor/profiles/extras/postfix-virtual
+++ b/profiles/apparmor/profiles/extras/postfix-virtual
@@ -18,7 +18,7 @@ profile postfix-virtual /usr/lib{,exec}/postfix/{bin/,sbin/,}virtual {
include
include
- /usr/lib{,exec}/postfix/{bin/,sbin/,}virtual mrix,
+ @{exec_path} mrix,
/var/spool/postfix/active/* rw,
/var/spool/postfix/pid/unix.virtual rw,
diff --git a/profiles/apparmor/profiles/extras/rpcbind b/profiles/apparmor/profiles/extras/rpcbind
index 52339df6e..0fc8daa91 100644
--- a/profiles/apparmor/profiles/extras/rpcbind
+++ b/profiles/apparmor/profiles/extras/rpcbind
@@ -20,7 +20,7 @@ profile rpcbind /{usr/,}sbin/rpcbind {
/etc/default/rpcbind r,
/etc/netconfig r,
/etc/rpcbind.conf r,
- /{usr/,}sbin/rpcbind mrix,
+ @{exec_path} mrix,
@{run}/rpcbind.lock rwk,
@{run}/rpcbind.sock rwk,
@{run}/rpcbind/portmap.xdr rw,
diff --git a/profiles/apparmor/profiles/extras/sbin.dhclient b/profiles/apparmor/profiles/extras/sbin.dhclient
index 285c07e8b..bb67da45c 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -35,7 +35,7 @@ profile dhclient /{usr/,}sbin/dhclient {
signal (send,receive) set=(term) peer=NetworkManager,
- /{usr/,}sbin/dhclient mrix,
+ @{exec_path} mrix,
/{usr/,}bin/bash mrix,
/{usr/,}bin/df mrix,
diff --git a/profiles/apparmor/profiles/extras/sbin.dhclient-script b/profiles/apparmor/profiles/extras/sbin.dhclient-script
index a73809e87..d24c51fc3 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhclient-script
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -23,7 +23,7 @@ profile dhclient-script /{usr/,}sbin/dhclient-script {
/etc/netconfig.d/* mrix,
/etc/sysconfig/network/** r,
/etc/dhcp/{**,} r,
- /{usr/,}sbin/dhclient-script r,
+ @{exec_path} r,
/{usr/,}sbin/ip rix,
/{usr/,}sbin/resolvconf rPUx,
diff --git a/profiles/apparmor/profiles/extras/sbin.dhcpcd b/profiles/apparmor/profiles/extras/sbin.dhcpcd
index 3d8e7d924..8f33c0c79 100644
--- a/profiles/apparmor/profiles/extras/sbin.dhcpcd
+++ b/profiles/apparmor/profiles/extras/sbin.dhcpcd
@@ -37,7 +37,7 @@ profile dhcpcd /{usr/,}sbin/dhcpcd {
/etc/ntp.conf{,.sv} rwl,
/etc/sysconfig/network/scripts/dhcpcd-hook rmix,
/etc/yp.conf{,.sv} rwl,
- /{usr/,}sbin/dhcpcd rmix,
+ @{exec_path} mrix,
/{usr/,}sbin/ifup Ux, # fixme
/{usr/,}sbin/modify_resolvconf rmix,
/var/lib/dhcpcd/dhcpcd-*.cache rw,
diff --git a/profiles/apparmor/profiles/extras/sbin.portmap b/profiles/apparmor/profiles/extras/sbin.portmap
index e2783fd3f..228f601ce 100644
--- a/profiles/apparmor/profiles/extras/sbin.portmap
+++ b/profiles/apparmor/profiles/extras/sbin.portmap
@@ -22,7 +22,7 @@ profile portmap /{usr/,}sbin/portmap {
capability setgid,
/etc/bindresvport.blacklist r,
- /{usr/,}sbin/portmap rmix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/sbin.resmgrd b/profiles/apparmor/profiles/extras/sbin.resmgrd
index ba825eb46..27f125ca3 100644
--- a/profiles/apparmor/profiles/extras/sbin.resmgrd
+++ b/profiles/apparmor/profiles/extras/sbin.resmgrd
@@ -25,7 +25,7 @@ profile resmgrd /{usr/,}sbin/resmgrd {
/etc/resmgr.conf r,
/etc/resmgr.conf.d/ r,
/etc/resmgr.conf.d/*.conf r,
- /{usr/,}sbin/resmgrd r,
+ @{exec_path} r,
/{,var/}run/.resmgr_socket lrw,
/{,var/}run/resmgr.pid lrw,
/{,var/}run/fence* lrw,
diff --git a/profiles/apparmor/profiles/extras/sbin.rpc.lockd b/profiles/apparmor/profiles/extras/sbin.rpc.lockd
index 772e12551..f22c180fa 100644
--- a/profiles/apparmor/profiles/extras/sbin.rpc.lockd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.lockd
@@ -14,7 +14,7 @@ include
profile rpc.lockd /{usr/,}sbin/rpc.lockd {
include
- /{usr/,}sbin/rpc.lockd rmix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/sbin.rpc.statd b/profiles/apparmor/profiles/extras/sbin.rpc.statd
index 42ba0ce29..eb61239eb 100644
--- a/profiles/apparmor/profiles/extras/sbin.rpc.statd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.statd
@@ -37,7 +37,7 @@ profile rpc.statd /{usr/,}sbin/rpc.statd {
/etc/nfs.conf.d/ r,
/etc/nfs.conf.d/* rk,
/etc/rpc r,
- /{usr/,}sbin/rpc.statd mrix,
+ @{exec_path} mrix,
/{usr/,}sbin/sm-notify mrix,
/var/lib/nfs/sm/ r,
/var/lib/nfs/sm/* rw,
diff --git a/profiles/apparmor/profiles/extras/socat b/profiles/apparmor/profiles/extras/socat
index 2baf38c00..ad9f43e30 100644
--- a/profiles/apparmor/profiles/extras/socat
+++ b/profiles/apparmor/profiles/extras/socat
@@ -35,7 +35,7 @@ profile socat /usr/bin/socat {
network,
# Allow executable mapping and read for the binary
- file mr /usr/bin/socat,
+ mr @{exec_path},
# Enable /dev/ptmx access for testsuite
# file rw /dev/ptmx,
diff --git a/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient b/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient
index 969d0007e..09c2bd03c 100644
--- a/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient
+++ b/profiles/apparmor/profiles/extras/usr.NX.bin.nxclient
@@ -23,7 +23,7 @@ include
/{usr/,}bin/bash mix,
/usr/bin/cut mix,
- /usr/NX/bin/nxclient rmix,
+ @{exec_path} mrix,
/usr/NX/bin/nxssh mix,
/usr/NX/bin/nxproxy mix,
/usr/NX/lib/** mr,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.apropos b/profiles/apparmor/profiles/extras/usr.bin.apropos
index a39edb466..b6b4d0bc9 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.apropos
+++ b/profiles/apparmor/profiles/extras/usr.bin.apropos
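Review bot: The socat hunk drops the `file` keyword along with the path, turning `file mr /usr/bin/socat,` into `mr @{exec_path},`, while the commented rule two lines below (`# file rw /dev/ptmx,`) keeps it, so the profile now mixes the keyword and keyword-less forms. `file mr @{exec_path},` would limit the hunk to the variable substitution the commit is about. The parser accepts both spellings as far as I know, so this is consistency rather than correctness.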
@@ -20,7 +20,7 @@ include
/{usr/,}bin/bash mixr,
/{usr/,}bin/grep mixr,
/etc/manpath.config r,
- /usr/bin/apropos rmix,
+ @{exec_path} mr,
/usr/bin/man Px,
/usr/bin/tr mixr,
/var/cache/man/whatis r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.dumpcap b/profiles/apparmor/profiles/extras/usr.bin.dumpcap
index f01295c63..426bcca92 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.dumpcap
+++ b/profiles/apparmor/profiles/extras/usr.bin.dumpcap
@@ -29,7 +29,7 @@ include
/sys/class/net/ r,
/sys/devices/**/net/* r,
- /usr/bin/dumpcap mr,
+ @{exec_path} mr,
/usr/share/GeoIP/ r,
/usr/share/GeoIP/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10 b/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
index d68a2eba9..9bec79fb6 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
+++ b/profiles/apparmor/profiles/extras/usr.bin.evolution-2.10
@@ -110,7 +110,7 @@ include
@{HOME}/.qt/** lrw,
@{HOME}/.recently-used rw,
- /usr/bin/evolution-2.10 mixr,
+ @{exec_path} mrix,
/usr/bin/firefox Pxr,
/usr/lib/** r,
/usr/lib/GConf/2/gconfd-2 Px,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.fam b/profiles/apparmor/profiles/extras/usr.bin.fam
index fa50df548..17113fbb8 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.fam
+++ b/profiles/apparmor/profiles/extras/usr.bin.fam
@@ -17,7 +17,7 @@ include
include
/tmp/.fam* wl,
/etc/mtab rw,
- /usr/bin/fam rmix,
+ @{exec_path} mrix,
# it makes some level of sense for FAM to read all files on the
# filesystem, even if this is a little unfortunate.
/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.freshclam b/profiles/apparmor/profiles/extras/usr.bin.freshclam
index 8ddbb5aa3..1477909a4 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.freshclam
+++ b/profiles/apparmor/profiles/extras/usr.bin.freshclam
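Review bot: The usr.bin.apropos hunk narrows the permission set: `/usr/bin/apropos rmix,` becomes `@{exec_path} mr,`, dropping `ix`, whereas every other `rmix`/`mixr` rule in this series is rewritten as `mrix` (usr.bin.fam and usr.bin.evolution-2.10 on the same line, for example). If apropos never re-executes itself the drop is harmless, but it is a behavioural change the message does not mention; either use `@{exec_path} mrix,` for consistency or record why `ix` was removed with a comment such as `# no ix: apropos does not re-exec itself`. The profile header is outside the hunk.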
@@ -23,7 +23,8 @@ include /etc/clamd.conf r, /etc/freshclam.conf r, - /usr/bin/freshclam mr, + @{exec_path} mr, + /var/lib/clamav/** rw, owner /run/clamav/freshclam.pid w, diff --git a/profiles/apparmor/profiles/extras/usr.bin.gaim b/profiles/apparmor/profiles/extras/usr.bin.gaim index 994f53ce0..0b6323184 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.gaim +++ b/profiles/apparmor/profiles/extras/usr.bin.gaim @@ -43,7 +43,7 @@ include @{HOME}/.themes/** r, /opt/MozillaFirefox/bin/firefox.sh Px, - /usr/bin/gaim mixr, + @{exec_path} mrix, /usr/lib/GConf/2/gconfd-2 Px, /usr/share/icons r, /usr/share/icons/** r, diff --git a/profiles/apparmor/profiles/extras/usr.bin.man b/profiles/apparmor/profiles/extras/usr.bin.man index ce91c0b4d..a469f14b1 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.man +++ b/profiles/apparmor/profiles/extras/usr.bin.man @@ -23,7 +23,7 @@ include capability setgid, capability setuid, - /usr/bin/man r, + @{exec_path} r, /usr/lib/man-db/man Px, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce index b231ac8a1..321ba4f85 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce +++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-bounce @@ -17,7 +17,7 @@ include /usr/bin/mlmmj-bounce { include - /usr/bin/mlmmj-bounce mr, + @{exec_path} mr, /usr/bin/mlmmj-send Px, /usr/bin/mlmmj-maintd Px, /var/spool/mlmmj/*/subscribers.d/ r, diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd index 39235fb12..9dbd8910c 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd +++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-maintd @@ -19,7 +19,7 @@ include capability setuid, - /usr/bin/mlmmj-maintd mr, + @{exec_path} mr, /usr/bin/mlmmj-send Px, /usr/bin/mlmmj-bounce Px, /usr/bin/mlmmj-unsub Px, 
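Review bot: The usr.bin.freshclam hunk header reads `@@ -23,7 +23,8 @@`, so one line was added beyond the substitution, and the same holds for usr.bin.mlmmj-process (`+17,8`, where the extra `+` line is visibly empty) and usr.bin.opera (`+69,8`). For freshclam and opera the collapsed text cannot tell an added blank line from an added rule (`/var/lib/clamav/** rw,` and the java `*.so mr` line respectively). If they are blank lines they should be dropped so these hunks stay one-line substitutions like the rest of the series; if rules were actually added, that belongs in the commit message or a separate change.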
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh
index 5133f9877..def7ee773 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-make-ml.sh
@@ -21,7 +21,7 @@ include
capability sys_admin,
- /usr/bin/mlmmj-make-ml.sh r,
+ @{exec_path} r,
# some shell tools are needed
/{usr/,}bin/domainname mix,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process
index ba33624d7..00e7d20dc 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-process
@@ -17,7 +17,8 @@ include
/usr/bin/mlmmj-process {
include
- /usr/bin/mlmmj-process mr,
+
+ @{exec_path} mr,
/usr/bin/mlmmj-send Px,
/usr/bin/mlmmj-sub Px,
/usr/bin/mlmmj-unsub Px,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive
index 450ac53fc..c0553a027 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-receive
@@ -18,7 +18,7 @@ include
include
/usr/bin/mlmmj-process Px,
- /usr/bin/mlmmj-receive mr,
+ @{exec_path} mr,
/var/spool/mlmmj/*/incoming/ rw,
/var/spool/mlmmj/*/incoming/* rw,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve
index bfd786cce..4c2ab76d8 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve
+++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-recieve
@@ -21,7 +21,7 @@ include
include
/usr/bin/mlmmj-process Px,
- /usr/bin/mlmmj-recieve mr,
+ @{exec_path} mr,
/var/spool/mlmmj/*/incoming/* w,
# Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send index a3fc0feaa..d10fd2873 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send +++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-send @@ -18,7 +18,7 @@ include include include - /usr/bin/mlmmj-send mr, + @{exec_path} mr, /var/spool/mlmmj/*/archive/* w, /var/spool/mlmmj/*/control/* r, /var/spool/mlmmj/*/index rwk, diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub index f5c36c832..5c9039510 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub +++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-sub @@ -20,7 +20,7 @@ include capability setuid, /usr/bin/mlmmj-send Px, - /usr/bin/mlmmj-sub mr, + @{exec_path} mr, /var/spool/mlmmj/*/control/ r, /var/spool/mlmmj/*/control/* r, /var/spool/mlmmj/*/moderation/subscribe* rw, diff --git a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub index 7097a81cd..26089de4c 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub +++ b/profiles/apparmor/profiles/extras/usr.bin.mlmmj-unsub @@ -17,7 +17,7 @@ include /usr/bin/mlmmj-unsub { include - /usr/bin/mlmmj-unsub mr, + @{exec_path} mr, /usr/bin/mlmmj-send Px, /var/spool/mlmmj/*/control/ r, /var/spool/mlmmj/*/control/* r, diff --git a/profiles/apparmor/profiles/extras/usr.bin.opera b/profiles/apparmor/profiles/extras/usr.bin.opera index 7f9432b7c..30e53120a 100644 --- a/profiles/apparmor/profiles/extras/usr.bin.opera +++ b/profiles/apparmor/profiles/extras/usr.bin.opera @@ -69,7 +69,8 @@ include /{,var/}run/.resmgr_socket w, /var/spool/cups/tmp/* lrw, - /usr/bin/opera mr, + @{exec_path} mr, + /usr/lib/jvm/java-1.5.0-sun-1.5.0_update12/jre/lib/i386/*.so mr, /usr/lib/jvm/java-1.5.0-sun-1.5.0_update12/jre/lib/i386/client/*.so mr, /usr/lib/opera/*/opera ix, 
diff --git a/profiles/apparmor/profiles/extras/usr.bin.passwd b/profiles/apparmor/profiles/extras/usr.bin.passwd
index 8356c2437..e027d3e68 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.passwd
+++ b/profiles/apparmor/profiles/extras/usr.bin.passwd
@@ -38,7 +38,7 @@ include
@{PROC}/@{pid}/loginuid r,
- /usr/bin/passwd mr,
+ @{exec_path} mr,
/usr/lib/pwdutils/lib*.so* mr,
/usr/lib64/pwdutils/lib*.so* mr,
/usr/share/cracklib/pw_dict.hwm r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.procmail b/profiles/apparmor/profiles/extras/usr.bin.procmail
index eb7ed544a..f47b3ebf2 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.procmail
+++ b/profiles/apparmor/profiles/extras/usr.bin.procmail
@@ -33,7 +33,7 @@ include
/{usr/,}bin/date rmix,
/{usr/,}bin/gzip rmix,
/usr/bin/formail rmix,
- /usr/bin/procmail rmix,
+ @{exec_path} mrix,
/usr/bin/spamc Px,
/usr/sbin/sendmail rPx,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket b/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
index 01528f97d..643fe7243 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
+++ b/profiles/apparmor/profiles/extras/usr.bin.pyzorsocket
@@ -18,7 +18,7 @@ profile pyzorsocket /usr/bin/pyzorsocket {
/usr/bin/ r,
/usr/bin/python[2-9]* ix,
- /usr/bin/pyzorsocket r,
+ @{exec_path} r,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.bin.razorsocket b/profiles/apparmor/profiles/extras/usr.bin.razorsocket
index 8e40285b8..5cd146c3f 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.razorsocket
+++ b/profiles/apparmor/profiles/extras/usr.bin.razorsocket
@@ -16,7 +16,7 @@ profile razorsocket /usr/bin/razorsocket {
include
include
- /usr/bin/razorsocket r,
+ @{exec_path} r,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.bin.skype b/profiles/apparmor/profiles/extras/usr.bin.skype
index a49cba1ce..4bcbf76cc 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
@@ -44,7 +44,7 @@ include
# should this be in a separate KDE abstraction?
owner @{HOME}/.kde{,4}/share/config/kioslaverc r,
- /usr/bin/skype mr,
+ @{exec_path} mr,
/etc/xdg/sni-qt.conf rk,
/etc/xdg/Trolltech.conf rk,
/usr/share/skype/** kr,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.spamc b/profiles/apparmor/profiles/extras/usr.bin.spamc
index 829f8cc12..ee6a461df 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.spamc
+++ b/profiles/apparmor/profiles/extras/usr.bin.spamc
@@ -18,7 +18,7 @@ include
include
include
- /usr/bin/spamc r,
+ @{exec_path} r,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.bin.wireshark b/profiles/apparmor/profiles/extras/usr.bin.wireshark
index 439c06cc9..e89823015 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.wireshark
+++ b/profiles/apparmor/profiles/extras/usr.bin.wireshark
@@ -77,7 +77,7 @@ include
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/mime/* r,
/usr/lib/firefox/firefox.sh rPx,
- /usr/bin/wireshark mixr,
+ @{exec_path} mrix,
/usr/share/mime/* r,
/usr/share/qt[45]/translations/* r,
/usr/share/snmp/mibs r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.xfs b/profiles/apparmor/profiles/extras/usr.bin.xfs
index 05437dc52..20b743771 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.xfs
+++ b/profiles/apparmor/profiles/extras/usr.bin.xfs
@@ -21,7 +21,7 @@ include
/etc/X11/fs/config r,
/etc/mtab r,
/tmp/.font-unix/fs710[0-9] wl,
- /usr/bin/xfs rmix,
+ @{exec_path} mrix,
/{,var/}run/xfs.pid rw,
# Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2 b/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2
index f27e6fef1..b6497e5bf 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2
+++ b/profiles/apparmor/profiles/extras/usr.lib.GConf.2.gconfd-2
@@ -29,7 +29,7 @@ include
@{HOME}/.gconf/** lrw,
@{HOME}/.gconfd/** lrw,
- /usr/lib/GConf/2/gconfd-2 rmix,
+ @{exec_path} mrix,
/usr/lib/GConf/2/libgconfbackend-xml.so mr,
/usr/lib64/GConf/2/libgconfbackend-xml.so mr,
/usr/share/locale/** r,
diff --git a/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server b/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server
index ca34ca708..ec5c35af8 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server
+++ b/profiles/apparmor/profiles/extras/usr.lib.bonobo.bonobo-activation-server
@@ -20,7 +20,7 @@ include
include
/etc/bonobo-activation/bonobo-activation-config.xml r,
- /usr/lib/bonobo/bonobo-activation-server rmix,
+ @{exec_path} mrix,
/usr/lib/bonobo/servers r,
/usr/lib/bonobo/servers/*.server r,
/usr/lib/evolution-data-server-*/evolution-data-server-* Px,
diff --git a/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client b/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client
index 19ac191e6..56d64e763 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.mozilla-xremote-client
@@ -19,7 +19,7 @@ include
include
/usr/lib/mozilla/lib*so* mr,
- /usr/lib/firefox/mozilla-xremote-client rmix,
+ @{exec_path} mrix,
# Site-specific additions and overrides. See local/README for details.
include if exists
diff --git a/profiles/apparmor/profiles/extras/usr.lib.man-db.man b/profiles/apparmor/profiles/extras/usr.lib.man-db.man
index 98f0108d0..f80cc0c5d 100644
--- a/profiles/apparmor/profiles/extras/usr.lib.man-db.man
+++ b/profiles/apparmor/profiles/extras/usr.lib.man-db.man @@ -46,7 +46,7 @@ include /usr/bin/iconv rmix, /{usr/,}bin/less rmix, /usr/bin/locale rmix, - /usr/bin/man rmix, + @{exec_path} mrix, /usr/bin/nroff rmix, /usr/bin/preconv rmix, /usr/bin/tbl rmix, diff --git a/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2 b/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2 index dcab9c0ad..033b1fe99 100644 --- a/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2 +++ b/profiles/apparmor/profiles/extras/usr.lib64.GConf.2.gconfd-2 @@ -29,7 +29,7 @@ include @{HOME}/.gconf/** lrw, @{HOME}/.gconfd/** lrw, - /usr/lib64/GConf/2/gconfd-2 rmix, + @{exec_path} mrix, /usr/lib/GConf/2/libgconfbackend-xml.so mr, /usr/lib64/GConf/2/libgconfbackend-xml.so mr, /usr/share/locale/** r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.clamd b/profiles/apparmor/profiles/extras/usr.sbin.clamd index 92915e49c..e328553c9 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.clamd +++ b/profiles/apparmor/profiles/extras/usr.sbin.clamd @@ -20,7 +20,7 @@ profile clamd /usr/sbin/clamd { capability setuid, /etc/clamd.conf r, - /usr/sbin/clamd mr, + @{exec_path} mr, /var/lib/clamav/ r, /var/lib/clamav/** r, owner /run/clamav/clamd.pid w, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.cupsd b/profiles/apparmor/profiles/extras/usr.sbin.cupsd index b5bb1ea9b..a49e2666a 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd +++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd @@ -52,7 +52,7 @@ include /usr/bin/smbspool ixr, /usr/lib/cups/backend/* ixr, /usr/lib/cups/filter/* ixr, - /usr/sbin/cupsd mixr, + @{exec_path} mrix, /usr/share/cups/** r, /var/log/cups/access_log rw, /var/log/cups/error_log rw, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd index 2080af228..fc67b121a 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd 
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd @@ -32,7 +32,7 @@ include /etc/named.d/* r, @{PROC}/net/dev r, @{PROC}/sys/net/ipv4/ip_local_port_range r, - /usr/sbin/dhcpd rmix, + @{exec_path} mrix, /var/lib/dhcp/{db/,}dhcpd{6,}.leases* rwl, /var/lib/dhcp/etc/dhcpd.conf r, /{,var/}run/dhcpd.pid wl, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.haproxy b/profiles/apparmor/profiles/extras/usr.sbin.haproxy index 998c6aa83..98db51240 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.haproxy +++ b/profiles/apparmor/profiles/extras/usr.sbin.haproxy @@ -33,7 +33,7 @@ profile haproxy /usr/sbin/haproxy { /etc/haproxy/* r, - /usr/sbin/haproxy rmix, + @{exec_path} mrix, /var/lib/haproxy/stats rwl, /var/lib/haproxy/stats.*.bak rwl, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork index 3e401db9f..450667408 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork +++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork @@ -79,7 +79,7 @@ include /usr/local/tomcat/conf/mod_jk.conf r, /usr/local/tomcat/conf/workers-ajp12.properties r, - /usr/sbin/httpd2-prefork r, + @{exec_path} r, /usr/share/misc/magic.mime r, /usr/share/snmp/mibs r, /usr/share/snmp/mibs/*.{txt,mib} r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.imapd b/profiles/apparmor/profiles/extras/usr.sbin.imapd index af41f7f1b..7c2e82b2a 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.imapd +++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd @@ -20,7 +20,7 @@ include /dev/urandom r, /tmp/* rwl, - /usr/sbin/imapd r, + @{exec_path} r, /usr/share/ssl/certs/imapd.pem r, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd b/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd index 04762d8f9..f3380e363 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd 
+++ b/profiles/apparmor/profiles/extras/usr.sbin.in.ftpd @@ -29,7 +29,7 @@ include @{HOMEDIRS} r, @{HOME}/** rwl, - /usr/sbin/in.ftpd r, + @{exec_path} r, /usr/share/ssl/certs/ca-bundle.crt r, /usr/share/ssl/certs/ftpd-rsa.pem r, /usr/share/ssl/private/ftpd-rsa-key.pem r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd b/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd index eb0055142..b5ea10a24 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd +++ b/profiles/apparmor/profiles/extras/usr.sbin.in.ntalkd @@ -17,7 +17,7 @@ include include include - /usr/sbin/in.ntalkd r, + @{exec_path} r, /{,var/}run/utmp r, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d index 0496cd37b..bf1a9f2b2 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d +++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d @@ -20,7 +20,7 @@ include /dev/urandom r , /tmp/.* rwl , - /usr/sbin/ipop2d rmix, + @{exec_path} mrix, /usr/share/ssl/certs/ipop2d.pem r , # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d index 84963c588..34f5cd422 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d +++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d @@ -20,7 +20,7 @@ include /dev/urandom r , /tmp/.* rwl , - /usr/sbin/ipop3d rmix, + @{exec_path} mrix, /usr/share/ssl/certs/ipop3d.pem r , # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd index 50ff318e4..29ad95634 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd +++ b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd 
@@ -37,7 +37,7 @@ include /etc/lighttpd/auth.d/* r, /etc/lighttpd/vhosts.d r, /etc/lighttpd/vhosts.d/* r, - /usr/sbin/lighttpd mix, + @{exec_path} mrix, /usr/lib/lighttpd/*.so mr, /usr/lib64/lighttpd/*.so mr, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.mysqld b/profiles/apparmor/profiles/extras/usr.sbin.mysqld index 40cdbd685..295eab836 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.mysqld +++ b/profiles/apparmor/profiles/extras/usr.sbin.mysqld @@ -33,7 +33,7 @@ include /root/.my.cnf r, /sys/devices/system/cpu/online r, /usr/lib{,32,64}/**.so mr, - /usr/sbin/mysqld mr, + @{exec_path} mr, /usr/share/mariadb/*/errmsg.sys r, /usr/share/mysql-community-server/*/errmsg.sys r, /usr/share/mysql/** r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.popper b/profiles/apparmor/profiles/extras/usr.sbin.popper index 155d0d2ee..d20da6355 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.popper +++ b/profiles/apparmor/profiles/extras/usr.sbin.popper @@ -23,7 +23,7 @@ include capability setgid, capability setuid, - /usr/sbin/popper mr, + @{exec_path} mr, /var/spool/mail/* rw, # Site-specific additions and overrides. See local/README for details. diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postalias b/profiles/apparmor/profiles/extras/usr.sbin.postalias index 644b2ec2b..20734fb1b 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.postalias +++ b/profiles/apparmor/profiles/extras/usr.sbin.postalias @@ -27,7 +27,7 @@ include /etc/postfix/aliases.{lm,}db rwl, /etc/postfix/__db.aliases.db lrw, /etc/__db.aliases.db rwl, - /usr/sbin/postalias rmix, + @{exec_path} mrix, @{PROC}/net/if_inet6 r, # On SuSE, mailman is configured to use its own alias db /var/lib/mailman/data/aliases r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postdrop b/profiles/apparmor/profiles/extras/usr.sbin.postdrop index 77ab08948..97a5ffe7e 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.postdrop 
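Review bot: `/usr/sbin/lighttpd mix,` is replaced by `@{exec_path} mrix,`, which adds the `r` permission rather than only swapping the path for the variable; the other extras-profile hunks on this page keep the letter set and merely reorder it (`rmix`/`mixr` → `mrix`). If granting read on the binary is intended it should be mentioned in the commit message, otherwise `@{exec_path} mix,` keeps the rule equivalent. The profile body continues outside the hunk.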
+++ b/profiles/apparmor/profiles/extras/usr.sbin.postdrop @@ -27,7 +27,7 @@ include /etc/postfix/main.cf r, /etc/postfix/postfix-script mixr, @{PROC}/net/if_inet6 r, - /usr/sbin/postdrop rmix, + @{exec_path} mrix, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /var/spool/postfix r, /var/spool/postfix/maildrop r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postmap b/profiles/apparmor/profiles/extras/usr.sbin.postmap index 6501a34a2..7c150c2a8 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.postmap +++ b/profiles/apparmor/profiles/extras/usr.sbin.postmap @@ -26,7 +26,7 @@ include /etc/postfix/*.lmdb rwlk, @{PROC}/net/if_inet6 r, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, - /usr/sbin/postmap rmix, + @{exec_path} mrix, # Site-specific additions and overrides. See local/README for details. include if exists diff --git a/profiles/apparmor/profiles/extras/usr.sbin.postqueue b/profiles/apparmor/profiles/extras/usr.sbin.postqueue index dbaa49448..8a6b49ade 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.postqueue +++ b/profiles/apparmor/profiles/extras/usr.sbin.postqueue @@ -23,7 +23,7 @@ include capability dac_override, /etc/postfix r, - /usr/sbin/postqueue rmix, + @{exec_path} mrix, /usr/lib{,exec}/postfix/{bin/,sbin/,}showq Px, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /var/spool/postfix r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail index 46ab43df9..0023931b4 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail +++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail @@ -58,9 +58,9 @@ include /usr/sbin/postalias Px, /usr/sbin/postdrop Px, /usr/sbin/postqueue Px, - /usr/sbin/sendmail rmix, - /usr/sbin/sendmail.postfix rmix, - /usr/sbin/sendmail.sendmail rmix, + @{exec_path} mrix, + @{exec_path}.postfix mrix, + @{exec_path}.sendmail mrix, /usr/share/icu/[0-9]*.[0-9]*/*.dat r, /var/lib/sendmail/statistics rwl, /{,var/}run/sendmail.pid rwl, 
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix index efbe3bfb4..8775d4d20 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix +++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.postfix @@ -33,7 +33,7 @@ include /usr/sbin/postalias Px, /usr/sbin/postdrop Px, /usr/sbin/postqueue Px, - /usr/sbin/sendmail.postfix rmix, + @{exec_path} mrix, /var/spool/postfix/ r, /var/spool/postfix/active r, /var/spool/postfix/bounce r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail index 04da74786..63977d9af 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail +++ b/profiles/apparmor/profiles/extras/usr.sbin.sendmail.sendmail @@ -36,7 +36,7 @@ include /usr/lib/sasl/* mr, /usr/lib/sasl2 r, /usr/lib/sasl2/* mr, - /usr/sbin/sendmail.sendmail rmix, + @{exec_path} mrix, /{,var/}run/sendmail.pid rwl, /{,var/}run/sm-client.pid rwl, /{,var/}run/utmp rw, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.spamd b/profiles/apparmor/profiles/extras/usr.sbin.spamd index 9ff81479d..4caaa2ee3 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.spamd +++ b/profiles/apparmor/profiles/extras/usr.sbin.spamd @@ -34,7 +34,7 @@ include /tmp/spamd-*-init r, /tmp/spamd-*-init/** lrw, /usr/bin/perl mix, - /usr/sbin/spamd r, + @{exec_path} r, /usr/share/spamassassin r, /usr/share/spamassassin/*.cf r, /usr/share/spamassassin/*.template r, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.squid b/profiles/apparmor/profiles/extras/usr.sbin.squid index fbdfec704..1fb203ac1 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.squid +++ b/profiles/apparmor/profiles/extras/usr.sbin.squid @@ -23,7 +23,7 @@ include capability setuid, /usr/lib/squid/* rmix, - /usr/sbin/squid rmix, + @{exec_path} mrix, /usr/sbin/unlinkd mixr, /var/cache/squid/** lrw, 
diff --git a/profiles/apparmor/profiles/extras/usr.sbin.sshd b/profiles/apparmor/profiles/extras/usr.sbin.sshd index c50540d4b..ceb7003f0 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.sshd +++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd @@ -67,7 +67,7 @@ include /etc/security/** r, /etc/ssh/** r, /etc/ssl/openssl.cnf r, - /usr/sbin/sshd mrix, + @{exec_path} mrix, /usr/share/ssh/blacklist.* r, /var/log/btmp rw, owner @{run}/sshd{,.init}.pid wl, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.useradd b/profiles/apparmor/profiles/extras/usr.sbin.useradd index f05dd3aac..da1dc9be5 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.useradd +++ b/profiles/apparmor/profiles/extras/usr.sbin.useradd @@ -55,8 +55,8 @@ include /usr/sbin/adduser rmix, /usr/sbin/nscd rPix, /{,usr/}sbin/pam_tally2 Cx -> pam_tally2, - /usr/sbin/useradd rmix, - /usr/sbin/useradd.local rmix, + @{exec_path} mrix, + @{exec_path}.local mrix, /var/log/faillog rw, /{,var/}run/nscd.pid rw, /var/spool/mail/* rw, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.userdel b/profiles/apparmor/profiles/extras/usr.sbin.userdel index cd210496b..75b2879ba 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.userdel +++ b/profiles/apparmor/profiles/extras/usr.sbin.userdel @@ -43,9 +43,9 @@ include @{PROC}/@{pid}/mounts r, /usr/bin/crontab rmix, /usr/lib*/pwdutils/*.so.* mr, - /usr/sbin/userdel rmix, - /usr/sbin/userdel-post.local rmix, - /usr/sbin/userdel-pre.local rmix, + @{exec_path} mrix, + @{exec_path}-post.local mrix, + @{exec_path}-pre.local mrix, # XXX /{,var/}run/nscd.pid r, /var/spool/mail/* wl, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd index e081e6d08..9b49fffe5 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.vsftpd +++ b/profiles/apparmor/profiles/extras/usr.sbin.vsftpd 
@@ -28,7 +28,7 @@ include /etc/vsftpd.* r, /etc/vsftpd/* r, /@{PROC}/@{pid}/mounts r, - /usr/sbin/vsftpd rmix, + @{exec_path} mrix, /{,var/}run/utmp rk, /var/log/vsftpd.log w, /var/log/xferlog w, diff --git a/profiles/apparmor/profiles/extras/usr.sbin.xinetd b/profiles/apparmor/profiles/extras/usr.sbin.xinetd index 0a66ad10d..be5cddaf4 100644 --- a/profiles/apparmor/profiles/extras/usr.sbin.xinetd +++ b/profiles/apparmor/profiles/extras/usr.sbin.xinetd @@ -24,7 +24,7 @@ include /etc/xinetd.conf r, /etc/xinetd.d r, /etc/xinetd.d/* r, - /usr/sbin/xinetd rmix, + @{exec_path} mrix, /var/log/xinetd.log w, /{,var/}run/xinetd.pid rwl, From fba1ced1bca71a4c64244a2f3e604070b7f0f09a Mon Sep 17 00:00:00 2001 From: John Johansen Date: Fri, 9 May 2025 04:52:53 -0700 Subject: [PATCH 4/6] fixup profile --- profiles/apparmor.d/ipa_verify | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/profiles/apparmor.d/ipa_verify b/profiles/apparmor.d/ipa_verify index 0b12f98da..1f03793e5 100644 --- a/profiles/apparmor.d/ipa_verify +++ b/profiles/apparmor.d/ipa_verify @@ -3,16 +3,12 @@ abi , include @{arg1}=/**/*.so -profile ipa_verify /usr/bin/ipa_verify flags=(unconfined) { - userns, - @{exec_path} mr, - profile ipa_verify /usr/bin/ipa_verify { include # Until we can replace arg1 above with real arg parsing include - /usr/bin/ipa_verify r, + @{exec_path} mr, # Probably enumerated by libcamera initialization but not needed for this tool's functionality deny /sys/devices/system/node/ r, From ee3b5d746f3425274f94058b37fbb5b4b2ed0f01 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 7 May 2025 20:34:31 -0700 Subject: [PATCH 5/6] utils: tests: Update the utils tests for the two cases they don't handle - the autovars not being defined because the profile doesn't have an attachment - the autovar conflicting with a user defined var of the same name 
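Review bot: `/usr/bin/ipa_verify r,` becomes `@{exec_path} mr,`, so this fixup widens the rule with `m` (mmap exec) at the same time as it drops the stray `flags=(unconfined)` header and its `userns,` rule. If the `mr` was deliberately carried over from the removed block, the description should say so; otherwise `@{exec_path} r,` preserves the permissions the profile granted before. The rest of the profile body lies outside the hunk.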
Signed-off-by: John Johansen --- utils/test/logprof/ping.bin.ping | 2 +- utils/test/test-parser-simple-tests.py | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/utils/test/logprof/ping.bin.ping b/utils/test/logprof/ping.bin.ping
index ea415e5bf..d934b5d20 100644
--- a/utils/test/logprof/ping.bin.ping
+++ b/utils/test/logprof/ping.bin.ping
@@ -28,7 +28,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
/etc/modules.conf r,
/proc/21622/cmdline r,
- /{usr/,}bin/{,iputils-}ping mrix,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ @{exec_path} mrix,
}
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 04e03fb68..85cab2fdd 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -35,6 +35,18 @@ skip_startswith = (
# Pux and Cux (which actually mean PUx and CUx) get rejected by the tools
'generated_x/exact-',
+
+ # profiles that use undefined autovars like @{exec_path} when no attachment
+ 'vars/vars_auto_exec_path_bad_2.sd',
+ 'vars/vars_auto_attach_path_bad_2.sd',
+ 'vars/vars_auto_exec_path_bad_3.sd',
+ 'vars/vars_auto_attach_path_bad_3.sd',
+ 'vars/vars_auto_exec_path_bad_5.sd',
+ 'vars/vars_auto_attach_path_bad_5.sd',
+
+ # profiles that define an autovar that then gets defined causing a conflict
+ 'vars/vars_auto_exec_path_bad_4.sd',
+ 'vars/vars_auto_attach_path_bad_4.sd',
)
# testcases that should raise an exception, but don't
From f3178d79b834e8a7606976a87a503064e1d77fdd Mon Sep 17 00:00:00 2001
From: John Johansen Date: Sat, 10 May 2025 09:25:47 -0700 Subject: [PATCH 6/6] parser: make auto vars @{exec_path} and @{attach_path} local vars Make it so the @{exec_path} and @{attach_path} variables behave completely as local variables, overriding global variables of the same name, instead of conflicting with them. The exec var is only validated for the profile block after the attachment is defined so the pattern @{exec_path}=/path profile test @{exec_path} { @{exec_path} rw, } is valid with the global var defining the attachment which then sets the local auto @{exec_path} and @{attach_path} variables. Signed-off-by: John Johansen --- parser/parser.h | 15 ++++ parser/parser_symtab.c | 88 ++++++++++--------- parser/parser_variable.c | 8 ++ .../vars/vars_auto_attach_path_09.sd | 10 +++ .../vars/vars_auto_attach_path_10.sd | 16 ++++ .../vars/vars_auto_attach_path_11.sd | 10 +++ .../vars/vars_auto_attach_path_bad_4.sd | 10 --- .../vars/vars_auto_exec_path_09.sd | 10 +++ .../vars/vars_auto_exec_path_10.sd | 16 ++++ .../vars/vars_auto_exec_path_11.sd | 10 +++ .../vars/vars_auto_exec_path_bad_4.sd | 10 --- utils/test/test-parser-simple-tests.py | 4 - 12 files changed, 143 insertions(+), 64 deletions(-) create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd delete mode 100644 parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd create mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd delete mode 100644 parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd diff --git a/parser/parser.h b/parser/parser.h index df056aa5d..3e851205f 100644 --- a/parser/parser.h +++ b/parser/parser.h
@@ -464,12 +464,27 @@ struct set_value {
char *val;
struct set_value *next;
};
+enum var_type {
+ sd_boolean,
+ sd_set,
+};
+
+struct symtab {
+ char *var_name;
+ enum var_type type;
+ int boolean;
+ struct set_value *values;
+ struct set_value *expanded;
+};
+
extern int add_boolean_var(const char *var, int boolean);
extern int get_boolean_var(const char *var);
extern int new_set_var(const char *var, const char *value);
extern int add_set_value(const char *var, const char *value);
extern struct set_value *get_set_var(const char *var);
extern char *get_next_set_value(struct set_value **context);
+extern int insert_set_var(struct symtab *var);
+extern struct symtab *remove_set_var(const char *var_name);
extern int delete_set_var(const char *var_name);
extern void dump_symtab(void);
extern void dump_expanded_symtab(void);
diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
index 89ae432e9..8f744f913 100644
--- a/parser/parser_symtab.c
+++ b/parser/parser_symtab.c
@@ -28,18 +28,6 @@ typedef int (*comparison_fn_t)(const void *, const void *);
typedef void (*__free_fn_t)(void *);
-enum var_type {
- sd_boolean,
- sd_set,
-};
-
-struct symtab {
- char *var_name;
- enum var_type type;
- int boolean;
- struct set_value *values;
- struct set_value *expanded;
-};
static void *my_symtab = NULL;
@@ -209,12 +197,32 @@ out:
return rc;
}
+
+int insert_set_var(struct symtab *var)
+{
+ struct symtab **result;
+
+ result = (struct symtab **) tsearch(var, &my_symtab, (comparison_fn_t) &compare_symtabs);
+ if (!result) {
+ PERROR("Failed to allocate memory: %s\n", strerror(errno));
+ return errno;
+ }
+
+ if (*result != var) {
+ /* already existing variable */
+ PERROR("'%s' is already defined\n", var->var_name);
+ return 1;
+ }
+
+ return 0;
+}
+
/* new_set_var
* creates copies of arguments, so caller can free them after use
*/
int new_set_var(const char *var, const char *value)
{
- struct symtab *n, **result;
+ struct symtab *n;
int rc = 0;
n = new_symtab_entry(var);
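Review bot: The new `insert_set_var`/`remove_set_var` externs carry no ownership contract, and it is not obvious from the names: on a 0 return `insert_set_var` hands the entry to the table, on a non-zero return the caller still owns it and has to free it (which is what `new_set_var` does in parser_symtab.c), and `remove_set_var` returns a detached entry the caller must reinsert or free, returning NULL both when the name is absent and when its own lookup allocation fails. Add that above the two declarations, e.g. `/* insert_set_var: table takes ownership of var on success; caller keeps it on error */` and `/* remove_set_var: detach and return the entry (caller owns it); NULL if absent or on allocation failure */`. Moving `struct symtab` into the header also makes its fields public for the first time, so a one-line comment on what `values` and `expanded` hold would help readers who never saw it in the .c file.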
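Review bot: `insert_set_var` returns `errno` on the allocation path but the constant `1` for a duplicate name, so a caller cannot tell "already defined" from an errno of 1 without reading the message; this was inherited from the old body of `new_set_var`, but it is now a separately callable entry point. Either return a distinct code such as `EEXIST` (only if no caller compares against `1`, which this hunk does not show) or document the convention in a header comment like the one `new_set_var` has, e.g. `/* insert_set_var: add an entry the caller allocated; returns 0, 1 if the name exists, else errno */`.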
@@ -226,21 +234,9 @@ int new_set_var(const char *var, const char *value)
n->type = sd_set;
add_to_set(&(n->values), value);
- result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
- if (!result) {
- PERROR("Failed to allocate memory: %s\n", strerror(errno));
- rc = errno;
- goto err;
- }
-
- if (*result != n) {
- /* already existing variable */
- PERROR("'%s' is already defined\n", var);
- rc = 1;
- goto err;
- }
-
- return 0;
+ rc = insert_set_var(n);
+ if (! rc)
+ return 0;
err:
free_symtab(n);
@@ -331,25 +327,21 @@ char *get_next_set_value(struct set_value **list)
return ret;
}
-/* delete_symbol
- * removes an individual variable from the symbol table. We don't
- * support this in the language, but for special variables that change
- * between profiles, we need this.
- */
-int delete_set_var(const char *var_name)
+
+struct symtab *remove_set_var(const char *var_name)
{
- int rc = 0;
- struct symtab **result, *n, *var;
+ struct symtab **result, *n, *var = NULL;
n = new_symtab_entry(var_name);
if (!n) {
- rc = ENOMEM;
+ //rc = ENOMEM;
goto out;
}
result = (struct symtab **) tfind(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
if (!result) {
/* XXX Warning? */
+ //rc = ENOENT;
goto out;
}
@@ -368,11 +360,27 @@ int delete_set_var(const char *var_name)
exit(1);
}
- free_symtab(var);
-
out:
free_symtab(n);
- return rc;
+
+ return var;
+}
+
+/* delete_symbol
+ * removes an individual variable from the symbol table. We don't
+ * support this in the language, but for special variables that change
+ * between profiles, we need this.
+ */
+int delete_set_var(const char *var_name)
+{
+ struct symtab *var;
+
+ var = remove_set_var(var_name);
+ if (var) {
+ free_symtab(var);
+ return 0;
+ }
+ return ENOENT;
}
static void *seenlist = NULL;
diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index a920ce7f1..4e42690eb 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
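Review bot: `if (! rc)` puts a space after the negation, which the surrounding code never does (`if (!result)` in the removed lines, `if (!n)` in the next hunk); write `if (!rc)`. The `err:` label below is now reached only by falling through from that `if`, which reads oddly; `if (rc) free_symtab(n); return rc;` would be clearer if no earlier `goto err` exists above the hunk, which this hunk does not show.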
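Review bot: `remove_set_var` keeps two commented-out assignments (`//rc = ENOMEM;`, `//rc = ENOENT;`) where the old `delete_set_var` set its return codes, and its single NULL return folds an allocation failure in `new_symtab_entry` together with "name not present"; `delete_set_var` in the next hunk then maps both to `ENOENT`, so an out-of-memory condition during the cleanup in `process_profile_variables` is reported as a missing variable. Drop the two dead lines and either give `remove_set_var` an `int *rc` out-parameter so `delete_set_var` can still return `ENOMEM`, or at least document the collapsed contract on the function, e.g. `/* remove_set_var: detach var_name and return the entry to the caller; NULL if absent or on allocation failure */`. The `delete_symbol` comment block was moved onto `delete_set_var` unchanged, so the wrapper is documented while the new function doing the work is not.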
@@ -339,6 +339,8 @@ static std::string escape_re(std::string str)
int process_profile_variables(Profile *prof)
{
int error = 0, rc;
+ struct symtab *saved_exec_path = NULL;
+ struct symtab *saved_attach_path = NULL;
/* needs to be before PROFILE_NAME_VARIABLE so that variable will
* have the correct name
@@ -362,10 +364,12 @@ int process_profile_variables(Profile *prof)
* the attachment. */
/* need to take into account alias, but not yet */
+ saved_attach_path = remove_set_var(PROFILE_ATTACH_VAR);
error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
if (error) goto cleanup_name;
/* update to use kernel vars if available */
+ saved_exec_path = remove_set_var(PROFILE_EXEC_VAR);
error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
if (error) goto cleanup_attach;
@@ -385,12 +389,16 @@ cleanup:
rc = delete_set_var(PROFILE_EXEC_VAR);
if (!error) error = rc;
+ if (saved_exec_path)
+ insert_set_var(saved_exec_path);
}
cleanup_attach:
if (prof->attachment) {
rc = delete_set_var(PROFILE_ATTACH_VAR);
if (!error) error = rc;
+ if (saved_attach_path)
+ insert_set_var(saved_attach_path);
}
cleanup_name:
rc = delete_set_var(PROFILE_NAME_VARIABLE);
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd
new file mode 100644
index 000000000..41eee175c
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_09.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto attach_path variable overrides with user defined
+#=EXRESULT PASS
+
+@{attach_path}=/path
+profile /a/test/profile {
+ /a/test/profile rix,
+
+ @{attach_path} rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd
new file mode 100644
index 000000000..d2baacb81
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_10.sd
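Review bot: The detached user variables are not restored on the early error exits in the `@@ -362` hunk: if `new_set_var(PROFILE_ATTACH_VAR, ...)` fails, the `goto cleanup_name` skips the `insert_set_var(saved_attach_path)` that lives in the `cleanup_attach` block, and if `new_set_var(PROFILE_EXEC_VAR, ...)` fails, the `goto cleanup_attach` skips the restore of `saved_exec_path` in the `cleanup` block; in both cases `remove_set_var` has already taken the user's global `@{attach_path}`/`@{exec_path}` out of the table, so the entry leaks and the variable is gone for every later profile in the same run. The `@@ -385` hunk also discards the return of `insert_set_var`, so a failed reinsert silently loses the saved entry; fold it into the error, e.g. `rc = insert_set_var(saved_exec_path); if (!error) error = rc;` in both blocks. Restoring before each `goto` closes the first gap, as below. The function's remaining body and its labels are outside the hunk.
```c
	/* … unchanged: "need to take into account alias" comment … */
	saved_attach_path = remove_set_var(PROFILE_ATTACH_VAR);
	error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
	if (error) {
		/* the user's global @{attach_path} was detached above; put it back */
		if (saved_attach_path)
			insert_set_var(saved_attach_path);
		goto cleanup_name;
	}
	/* … unchanged: "update to use kernel vars if available" comment … */
	saved_exec_path = remove_set_var(PROFILE_EXEC_VAR);
	error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
	if (error) {
		/* same for the user's global @{exec_path} */
		if (saved_exec_path)
			insert_set_var(saved_exec_path);
		goto cleanup_attach;
	}
```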
@@ -0,0 +1,16 @@
+#=DESCRIPTION user @{attach_path} available after override
+#=EXRESULT PASS
+
+@{attach_path}=/path
+profile /a/test/profile {
+ /a/test/profile rix,
+
+ @{attach_path} rwk,
+
+}
+
+profile extra {
+
+ @{attach_path} rw,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd
new file mode 100644
index 000000000..e21d26c51
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_attach_path_11.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION user @{attach_path} can set attachment and then auto var used
+#=EXRESULT PASS
+
+@{attach_path}=/path
+profile @{attach_path} {
+ /a/test/profile rix,
+
+ @{attach_path} rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd b/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd
deleted file mode 100644
index bae584fda..000000000
--- a/parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd
+++ /dev/null
@@ -1,10 +0,0 @@
-#=DESCRIPTION reference auto attach_path variable collides with user defined
-#=EXRESULT FAIL
-
-@{attach_path}=/BAD
-profile /a/test/profile {
- /a/test/profile rix,
-
- @{attach_path} rwk,
-
-}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd
new file mode 100644
index 000000000..2249b4965
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_09.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION reference auto exec_path variable overrides with user defined
+#=EXRESULT PASS
+
+@{exec_path}=/path
+profile /a/test/profile {
+ /a/test/profile rix,
+
+ @{exec_path} rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd
new file mode 100644
index 000000000..8b32c03a1
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_10.sd
@@ -0,0 +1,16 @@
+#=DESCRIPTION user @{exec_path} available after override
+#=EXRESULT PASS
+
+@{exec_path}=/path
+profile /a/test/profile {
+ /a/test/profile rix,
+
+ @{exec_path} rwk,
+
+}
+
+profile extra {
+
+ @{exec_path} rw,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd
new file mode 100644
index 000000000..e8a7af8cb
--- /dev/null
+++ b/parser/tst/simple_tests/vars/vars_auto_exec_path_11.sd
@@ -0,0 +1,10 @@
+#=DESCRIPTION user @{exec_path} can set attachment and then auto var used
+#=EXRESULT PASS
+
+@{exec_path}=/path
+profile @{exec_path} {
+ /a/test/profile rix,
+
+ @{exec_path} rwk,
+
+}
diff --git a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd b/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd
deleted file mode 100644
index c83653004..000000000
--- a/parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd
+++ /dev/null
@@ -1,10 +0,0 @@
-#=DESCRIPTION reference auto exec_path variable collides with user defined
-#=EXRESULT FAIL
-
-@{exec_path}=/BAD
-profile /a/test/profile {
- /a/test/profile rix,
-
- @{exec_path} rwk,
-
-}
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 85cab2fdd..4e29201eb 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -43,10 +43,6 @@ skip_startswith = (
'vars/vars_auto_attach_path_bad_3.sd',
'vars/vars_auto_exec_path_bad_5.sd',
'vars/vars_auto_attach_path_bad_5.sd',
-
- # profiles that define an autovar that then gets defined causing a conflict
- 'vars/vars_auto_exec_path_bad_4.sd',
- 'vars/vars_auto_attach_path_bad_4.sd',
)
# testcases that should raise an exception, but don't