mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00

Merge parser: Add support for automatic @{attach_path} variable

Have the parser extract the attachment path from the profile declaration
and make it available as a local variable within the profile. This allows
profile rules to use the executable attachment path in rules.

eg.
```
  profile ex /bin/** {
     @{attach_path} r,
     # ...
  }

  profile /path/to/bin {
     @{attach_path} r,
     # ...
  }
```

if a profile does not define an attachment like

```
  profile noattach {
     @{attach_path} r,
  }
```

the apparmor_parser will fail the compile with the error.

```
  Found reference to variable attach_path, but is never declared
```

While not recommended for rules directly in a profile, the above
undeclared variable error can be avoided in abstractions
by wrapping the variable in a conditional.

```
if defined @{attach_path} {
   @{attach_path} r,
}
```
                                                             
The attachment xattr/label conditionals are not made available at
this time as regular file path rules cannot use them.

Similarly a @{exec_path} variable is made available. It is different
from @{attach_path} in that it is intended to be a kernel variable
that represents the specific executable that was matched at run
time. However, to support policy on kernels that don't define the
kernel variable, it has a fallback value that is the same as
@{attach_path}.

This patch is a follow-on to MR:1637 (https://gitlab.com/apparmor/apparmor/-/merge_requests/1637)
and is similar to how the apparmor.d project uses the manually set up
@{exec_path} variable.

We can bike shed over the variable name. @{attach_path} was chosen
here because this is the attachment conditional path for the
executable, not the executable's actual path. While @{exec_path} is
intended to be the application's actual executable path.
support the @{exec_path} kernel variable (all of them atm).
                                                                                
Notes:                                                                          
                                                                                
The minimize.sh tests are changed because this patch causes path-based
profile names to create an attachment. This could be done by doing the
attach_variable expansion in the alternate location marked by the
patch, but since the kernel is going to start doing this for all
profiles that don't have an attachment, it is better for the parser to
do it, as it can optimize better.

This patch series may cause breakage if policy declares either
@{attach_path} or @{exec_path}, by shadowing those previously declared
variables in the profile block. The previously declared variable
is available in the attachment specification, so uses like the
apparmor.d project's won't break, as it will transfer its variable
value to the attachment, which will then transfer that value into
the automatic local var.
                                                                            
Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1643
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
John Johansen 2025-05-12 09:08:44 +00:00
commit 93c660e376
320 changed files with 953 additions and 282 deletions


@ -1802,8 +1802,29 @@ site-specific customization of B<@{HOMEDIRS}>,
F</etc/apparmor.d/tunables/multiarch.d> for B<@{multiarch}> and
F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.
The special B<@{profile_name}> variable is set to the profile name and may be
used in all policy.
=head3 Special builtin variables
AppArmor has some builtin variables that are not declared in policy
but are available to be used in policy.
@{profile_name} - the profile name
@{attach_path} - the profile exec attachment path - if one has been defined
@{exec_path} - the executables path
The B<@{profile_name}> variable is set to the profile name and may be
used in all policy. It is only defined when used inside of a profile.
The B<@{attach_path}> variable is only defined if the profile will attach
to an executable. It will be the path attachment specification or
if that is not defined it may be the profile's name if the profile name
is a path.
The B<@{exec_path}> variable like B<@{attach_path}> is only defined if
the profile attaches to an executable. If the kernel supports it as a
kernel variable, it will be set to the specific path that matches the
executable at run time. If the kernel does not support kernel variables
it will have the same value as B<@{attach_path}>.
=head3 Notes on variable expansion and the / character
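Review bot: the B<@{attach_path}> paragraph says the value "may be the profile's name if the profile name is a path", but the parser change makes a path-based profile name always become the attachment, so this should read "will be". The section also needs a sentence that the variables are not inherited by hats, or by child profiles that have no attachment of their own; that is exactly what the new simple_tests FAIL cases encode and it is the first thing a policy author will hit. Minor: "the executables path" should be "the executable's path".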


@ -294,9 +294,10 @@ do { \
version; \
})
/* The parser fills this variable in automatically */
/* The parser fills these variable in automatically */
#define PROFILE_NAME_VARIABLE "profile_name"
#define PROFILE_ATTACH_VAR "attach_path"
#define PROFILE_EXEC_VAR "exec_path"
/* from parser_common.c */
extern uint32_t policy_version;
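Review bot: "The parser fills these variable in automatically" should be "these variables". The three macro names are also inconsistent: PROFILE_NAME_VARIABLE sits next to PROFILE_ATTACH_VAR and PROFILE_EXEC_VAR; pick one suffix for all three.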
@ -395,6 +396,7 @@ extern const char *basedir;
#define glob_default 0
#define glob_null 1
const char *local_name(const char *name);
extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
std::string& pcre, int *first_re_pos);
extern bool build_list_val_expr(std::string& buffer, struct value_list *list);
@ -462,12 +464,27 @@ struct set_value {
char *val;
struct set_value *next;
};
enum var_type {
sd_boolean,
sd_set,
};
struct symtab {
char *var_name;
enum var_type type;
int boolean;
struct set_value *values;
struct set_value *expanded;
};
extern int add_boolean_var(const char *var, int boolean);
extern int get_boolean_var(const char *var);
extern int new_set_var(const char *var, const char *value);
extern int add_set_value(const char *var, const char *value);
extern struct set_value *get_set_var(const char *var);
extern char *get_next_set_value(struct set_value **context);
extern int insert_set_var(struct symtab *var);
extern struct symtab *remove_set_var(const char *var_name);
extern int delete_set_var(const char *var_name);
extern void dump_symtab(void);
extern void dump_expanded_symtab(void);
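Review bot: insert_set_var() and remove_set_var() are exported here with no statement of ownership, and the later hunks depend on it: on success the symbol table owns the struct symtab handed to insert_set_var(), on failure the caller still does, and remove_set_var() hands the returned entry back to the caller to re-insert or free. Put that in a comment on each declaration. Moving enum var_type and struct symtab into the header is fine since process_profile_variables() now needs to hold a struct symtab across calls.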


@ -28,18 +28,6 @@
typedef int (*comparison_fn_t)(const void *, const void *);
typedef void (*__free_fn_t)(void *);
enum var_type {
sd_boolean,
sd_set,
};
struct symtab {
char *var_name;
enum var_type type;
int boolean;
struct set_value *values;
struct set_value *expanded;
};
static void *my_symtab = NULL;
@ -209,12 +197,32 @@ out:
return rc;
}
int insert_set_var(struct symtab *var)
{
struct symtab **result;
result = (struct symtab **) tsearch(var, &my_symtab, (comparison_fn_t) &compare_symtabs);
if (!result) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
return errno;
}
if (*result != var) {
/* already existing variable */
PERROR("'%s' is already defined\n", var->var_name);
return 1;
}
return 0;
}
/* new_set_var
* creates copies of arguments, so caller can free them after use
*/
int new_set_var(const char *var, const char *value)
{
struct symtab *n, **result;
struct symtab *n;
int rc = 0;
n = new_symtab_entry(var);
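Review bot: on the duplicate path (`if (*result != var)`) insert_set_var() returns 1 but leaves `var` allocated, so every caller has to free it on a nonzero return. new_set_var() does so through its err: label, but the two re-insert calls in process_profile_variables() discard the return value entirely. Either free `var` here on the duplicate path, or document in the function comment that the caller owns `var` whenever the return is nonzero.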
@ -226,21 +234,9 @@ int new_set_var(const char *var, const char *value)
n->type = sd_set;
add_to_set(&(n->values), value);
result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
if (!result) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
rc = errno;
goto err;
}
if (*result != n) {
/* already existing variable */
PERROR("'%s' is already defined\n", var);
rc = 1;
goto err;
}
return 0;
rc = insert_set_var(n);
if (! rc)
return 0;
err:
free_symtab(n);
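Review bot: style only: `if (! rc)` should be `if (!rc)` to match the rest of the file, and the silent fall-through into err: after the success return is easier to read as an explicit `goto err;`.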
@ -331,25 +327,21 @@ char *get_next_set_value(struct set_value **list)
return ret;
}
/* delete_symbol
* removes an individual variable from the symbol table. We don't
* support this in the language, but for special variables that change
* between profiles, we need this.
*/
int delete_set_var(const char *var_name)
struct symtab *remove_set_var(const char *var_name)
{
int rc = 0;
struct symtab **result, *n, *var;
struct symtab **result, *n, *var = NULL;
n = new_symtab_entry(var_name);
if (!n) {
rc = ENOMEM;
//rc = ENOMEM;
goto out;
}
result = (struct symtab **) tfind(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
if (!result) {
/* XXX Warning? */
//rc = ENOENT;
goto out;
}
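Review bot: the `//rc = ENOMEM;` and `//rc = ENOENT;` lines are dead code left over from the int return; delete them rather than commenting them out. Because remove_set_var() now returns NULL both when new_symtab_entry() fails and when the variable is not present, an allocation failure becomes indistinguishable from a missing variable; at least emit a PERROR on the allocation path so that failure is not silent, or add an error out-parameter.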
@ -368,11 +360,27 @@ int delete_set_var(const char *var_name)
exit(1);
}
free_symtab(var);
out:
free_symtab(n);
return rc;
return var;
}
/* delete_symbol
* removes an individual variable from the symbol table. We don't
* support this in the language, but for special variables that change
* between profiles, we need this.
*/
int delete_set_var(const char *var_name)
{
struct symtab *var;
var = remove_set_var(var_name);
if (var) {
free_symtab(var);
return 0;
}
return ENOENT;
}
static void *seenlist = NULL;
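Review bot: delete_set_var() now maps every NULL from remove_set_var() to ENOENT, including the allocation-failure case inside it, and process_profile_variables() propagates that value as the compile error, so an out-of-memory condition will be reported as a missing variable. An out-parameter for the error code would keep the two cases apart. Also the header comment still says "delete_symbol" while the function is delete_set_var().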


@ -295,8 +295,22 @@ static int process_variables_in_name(Profile &prof)
* setup
*/
int error = expand_entry_variables(&prof.name);
if (!error && prof.attachment)
error = expand_entry_variables(&prof.attachment);
if (!error) {
if (prof.attachment)
error = expand_entry_variables(&prof.attachment);
else if (prof.name[0] == '/') {
/* had to wait to do this until after processing the
* variables in the profile name
*/
prof.attachment = strdup(local_name(prof.name));
if (!prof.attachment) {
errno = ENOMEM;
return -1;
}
filter_slashes(prof.attachment);
}
}
if (!error && prof.flags.disconnected_path)
error = process_variable_in_attach_disconnected(&prof.flags.disconnected_path);
if (!error && prof.flags.disconnected_ipc)
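Review bot: the error convention in this hunk is mixed: the expand_entry_variables() branches propagate `error`, while the strdup() failure sets errno and returns -1 directly. Pick one so callers see a consistent value. Since the `prof.name[0] == '/'` branch is what makes every path-named profile generate an attachment (the reason the minimize.sh fixtures had to change from `/t` to `profile t`), a one-line comment saying so here would spare the next reader a bisect.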
@ -325,29 +339,73 @@ static std::string escape_re(std::string str)
int process_profile_variables(Profile *prof)
{
int error = 0, rc;
struct symtab *saved_exec_path = NULL;
struct symtab *saved_attach_path = NULL;
/* needs to be before PROFILE_NAME_VARIABLE so that variable will
* have the correct name
*/
error = process_variables_in_name(*prof);
if (!error) {
/* escape profile name elements that could be interpreted
* as regular expressions.
if (error)
goto out;
/* escape profile name elements that could be interpreted as
* regular expressions.
*/
error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
if (error)
goto out;
if (prof->attachment) {
/* IF we didn't want a path based profile name to generate
* an attachment. The code could be moved here. Add the
* output fed into the vars directly instead of setting
* the attachment.
*/
error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
/* need to take into account alias, but not yet */
saved_attach_path = remove_set_var(PROFILE_ATTACH_VAR);
error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
if (error)
goto cleanup_name;
/* update to use kernel vars if available */
saved_exec_path = remove_set_var(PROFILE_EXEC_VAR);
error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
if (error)
goto cleanup_attach;
}
if (!error)
error = process_variables_in_entries(prof->entries);
if (!error)
error = process_variables_in_rules(*prof);
error = process_variables_in_entries(prof->entries);
if (error)
goto cleanup;
error = process_variables_in_rules(*prof);
cleanup:
/* ideally these variables would be local scoped and we would not
* have to clean them up here, but unfortunately variables
* don't support that yet.
*/
if (prof->attachment) {
rc = delete_set_var(PROFILE_EXEC_VAR);
if (!error)
error = rc;
if (saved_exec_path)
insert_set_var(saved_exec_path);
}
cleanup_attach:
if (prof->attachment) {
rc = delete_set_var(PROFILE_ATTACH_VAR);
if (!error)
error = rc;
if (saved_attach_path)
insert_set_var(saved_attach_path);
}
cleanup_name:
rc = delete_set_var(PROFILE_NAME_VARIABLE);
if (!error)
error = rc;
out:
return error;
}
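Review bot: the cleanup labels lose the saved user variables on the error paths. If new_set_var(PROFILE_ATTACH_VAR, ...) fails, `goto cleanup_name` skips cleanup_attach, so saved_attach_path has already been removed from the table and is neither re-inserted nor freed; a failure of new_set_var(PROFILE_EXEC_VAR, ...) likewise jumps to cleanup_attach and drops saved_exec_path. The two `insert_set_var(saved_...)` calls also ignore their return value, so a failed re-insert leaks the entry and silently removes the policy author's global variable for every later profile. Restore whichever saved entry is non-NULL on every cleanup path and check the result.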


@ -971,6 +971,144 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \
#### end of wrapper fn
}
test_parser_variables()
{
######## @{profile_name} #######
verify_binary_equality "@{profile_name} expands correctly" \
"/t { @{profile_name} r, }" \
"/t { /t r, }"
verify_binary_equality "@{profile_name} expands correcly - filter /" \
"/t { /r/@{profile_name} r, }" \
"/t { /r/t r, }"
verify_binary_equality "@{profile_name} expands correcly - add globbing" \
"/t { @{profile_name}/** r, }" \
"/t { /t/** r, }"
#re expression are escaped in profile names so /t/* becomes /t/\*
verify_binary_inequality "@{profile_name} w/pat expands correctly" \
"/t/* { @{profile_name} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{profile_name} w/pat expands correctly" \
"/t/* { @{profile_name} r, }" \
"/t/* { /t/\* r, }"
verify_binary_inequality "@{profile_name} w/pat expands correcly - filter /" \
"/t/* { @{profile_name} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{profile_name} w/pat expands correcly - filter /" \
"/t/* { @{profile_name}/a r, }" \
"/t/* { /t/\*/a r, }"
verify_binary_inequality "@{profile_name} w/pat expands correcly - add globbing" \
"/t/* { @{profile_name}/** r, }" \
"/t/* { /t/*/** r, }"
verify_binary_equality "@{profile_name} w/pat expands correcly - add globbing" \
"/t/** { @{profile_name}/** r, }" \
"/t/** { /t/\*\*/** r, }"
######## @{attach_path} #######
verify_binary_equality "@{attach_path} expands correctly" \
"/t { @{attach_path} r, }" \
"/t { /t r, }"
verify_binary_equality "@{attach_path} expands correcly - filter /" \
"/t { /r/@{attach_path} r, }" \
"/t { /r/t r, }"
verify_binary_equality "@{attach_path} expands correcly - add globbing" \
"/t { @{attach_path}/** r, }" \
"/t { /t/** r, }"
verify_binary_equality "@{attach_path} w/pat expands correctly" \
"/t/* { @{attach_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/pat expands correcly - filter /" \
"/t/* { @{attach_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/pat expands correcly - add globbing" \
"/t/* { @{attach_path}/** r, }" \
"/t/* { /t/*/** r, }"
verify_binary_equality "@{attach_path} w/attachment expands correctly" \
"profile a /t { @{attach_path} r, }" \
"profile a /t { /t r, }"
verify_binary_equality "@{attach_path} w/attachment expands correcly - filter /" \
"profile a /t { /r/@{attach_path} r, }" \
"profile a /t { /r/t r, }"
verify_binary_equality "@{attach_path} w/attachment expands correcly - add globbing" \
"profile a /t { @{attach_path}/** r, }" \
"profile a /t { /t/** r, }"
verify_binary_equality "@{attach_path} w/attachment w/pat expands correctly" \
"profile a /t/* { @{attach_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - filter /" \
"profile a /t/* { @{attach_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - add globbing" \
"profile a /t/* { @{attach_path}/** r, }" \
"profile a /t/* { /t/*/** r, }"
######## @{exec_path} #######
verify_binary_equality "@{exec_path} expands correctly" \
"/t { @{exec_path} r, }" \
"/t { /t r, }"
verify_binary_equality "@{exec_path} expands correcly - filter /" \
"/t { /r/@{exec_path} r, }" \
"/t { /r/t r, }"
verify_binary_equality "@{exec_path} expands correcly - add globbing" \
"/t { @{exec_path}/** r, }" \
"/t { /t/** r, }"
verify_binary_equality "@{exec_path} w/pat expands correctly" \
"/t/* { @{exec_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/pat expands correcly - filter /" \
"/t/* { @{exec_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/pat expands correcly - add globbing" \
"/t/* { @{exec_path}/** r, }" \
"/t/* { /t/*/** r, }"
verify_binary_equality "@{exec_path} w/attachment expands correctly" \
"profile a /t { @{exec_path} r, }" \
"profile a /t { /t r, }"
verify_binary_equality "@{exec_path} w/attachment expands correcly - filter /" \
"profile a /t { /r/@{exec_path} r, }" \
"profile a /t { /r/t r, }"
verify_binary_equality "@{exec_path} w/attachment expands correcly - add globbing" \
"profile a /t { @{exec_path}/** r, }" \
"profile a /t { /t/** r, }"
verify_binary_equality "@{exec_path} w/attachment w/pat expands correctly" \
"profile a /t/* { @{exec_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - filter /" \
"profile a /t/* { @{exec_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - add globbing" \
"profile a /t/* { @{exec_path}/** r, }" \
"profile a /t/* { /t/*/** r, }"
}
run_tests()
{
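Review bot: "correcly" is misspelled in most of the test descriptions. More importantly, the `/t/*` cases pin down a behavioural difference that the man page hunk never mentions: @{profile_name} is regex-escaped (`/t/* { @{profile_name} r, }` equals `/t/* { /t/\* r, }`) while @{attach_path} and @{exec_path} keep their glob meaning (`/t/* { @{attach_path} r, }` equals `/t/* { /t/* r, }`). Add a comment above the @{attach_path} section saying this is intentional and document it in apparmor.d.pod. There is also no equality case for the shadowing rule (a global `@{attach_path}=...` declared before a profile with an attachment); the simple_tests only check that such policy compiles, not which value wins.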
@ -1082,6 +1220,8 @@ run_tests()
"@{BAR}=bin/ \#value
/t { /@{BAR} r, }"
test_parser_variables
# verify combinations of different priority levels
# for single rule comparisons, rules should keep same expected result
# even when the priorities are different.


@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
# {a} (0x 40030/0/0/0)
echo -n "Minimize profiles basic perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
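Review bot: the fixtures change from `/t {` to `profile t {` with no in-file comment. The expected state counts depend on the profile having no attachment, which a path-based name now generates automatically, so add a comment at the top of the file saying `/t` must not be used in these minimization checks and why; otherwise the next person to touch them will not know.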
@ -93,7 +93,7 @@ echo "ok"
# {9} (0x 12804a/0/2800a/0)
# {c} (0x 40030/0/0/0)
echo -n "Minimize profiles audit perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
@ -112,7 +112,7 @@ echo "ok"
# {c} (0x 40030/0/0/0)
echo -n "Minimize profiles deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
@ -130,7 +130,7 @@ echo "ok"
# {c} (0x 40030/0/0/0)
echo -n "Minimize profiles audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
echo "failed"
exit 1;
fi
@ -155,7 +155,7 @@ echo "ok"
## NOTE: change count from 6 to 7 when extend perms is not dependent on
## prompt rules being present
echo -n "Minimize profiles extended no-filter audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
echo "failed"
exit 1;
fi
@ -173,7 +173,7 @@ echo "ok"
# {2} (0x 4/0//0/0/0) <- from policydb still showing up bug
echo -n "Minimize profiles extended filter audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
@ -208,7 +208,7 @@ echo "ok"
#
echo -n "Minimize profiles xtrans "
if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
if [ "$(echo "profile t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
echo "failed"
exit 1;
fi
@ -216,7 +216,7 @@ echo "ok"
# same test as above + audit
echo -n "Minimize profiles audit xtrans "
if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
if [ "$(echo "profile t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
echo "failed"
exit 1;
fi
@ -229,7 +229,7 @@ echo "ok"
# {3} (0x 0/fe17f85/0/14005)
echo -n "Minimize profiles deny xtrans "
if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
if [ "$(echo "profile t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
echo "failed"
exit 1;
fi
@ -241,7 +241,7 @@ echo "ok"
# {3} (0x 0/fe17f85/0/0)
echo -n "Minimize profiles audit deny xtrans "
if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
if [ "$(echo "profile t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
echo "failed"
exit 1;
fi


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto attach_path variable in rules
#=EXRESULT PASS
profile /a/test/profile {
/a/test/profile rix,
@{attach_path} rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto atach_path variable in rules
#=EXRESULT PASS
profile this_is_a_test /a/test/profile {
/a/test/profile rix,
/run/@{attach_path}/tmp rwk,
}
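Review bot: typo in the description line: "atach_path" should be "attach_path".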


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto attach_path from profile
#=EXRESULT PASS
/test/profile {
/test/profile rix,
/run/@{attach_path}/tmp rwk,
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile spork /a/*/c {
@{attach_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/b/c {
@{attach_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/*/c {
@{attach_path}/** rw,
}
}


@ -0,0 +1,20 @@
#=DESCRIPTION ensure attach_path expansion after subprofiles works
#=EXRESULT PASS
profile top_profile /test/profile {
/first/path/@{attach_path}/tmp rwk,
profile spork {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
hat spelunkk {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
# Does this expand properly?
/second/path/@{attach_path}/tmp rk,
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable overrides with user defined
#=EXRESULT PASS
@{attach_path}=/path
profile /a/test/profile {
/a/test/profile rix,
@{attach_path} rwk,
}
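Review bot: the description "auto attach_path variable overrides with user defined" does not say which value is expected to win, and a PASS/FAIL test cannot tell: the profile compiles whether @{attach_path} expands to /path or to /a/test/profile. State the expected expansion in the description and cover the actual value in equality.sh. The @{exec_path} counterpart of this test has the same gap.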


@ -0,0 +1,16 @@
#=DESCRIPTION user @{attach_path} available after override
#=EXRESULT PASS
@{attach_path}=/path
profile /a/test/profile {
/a/test/profile rix,
@{attach_path} rwk,
}
profile extra {
@{attach_path} rw,
}


@ -0,0 +1,10 @@
#=DESCRIPTION user @{attach_path} can set attachment and then auto var used
#=EXRESULT PASS
@{attach_path}=/path
profile @{attach_path} {
/a/test/profile rix,
@{attach_path} rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto @{attach_path} variable in rules when not created
#=EXRESULT FAIL
test/profile {
/a/test/profile rix,
mr @{attach_path},
}
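Review bot: `test/profile {` is a profile name that neither starts with `/` nor is introduced with the `profile` keyword, unlike every other non-path name in these tests (`profile noattach`, `profile top_profile`), so confirm this file is rejected for the undeclared @{attach_path} reference and not for the name syntax; `profile test/profile {` would make the test exercise only the intended failure. `mr @{attach_path},` (permissions before path) is also unlike every other rule in the series; `@{attach_path} mr,` keeps it consistent. The @{exec_path} copy of this test has the same two issues.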


@ -0,0 +1,12 @@
#=DESCRIPTION reference auto attach_path from profile
#=EXRESULT FAIL
/test/profile {
/test/profile rix,
# hat does not have an attachment and profile's attachment doesn't apply
^spork {
owner /tmp/* r,
/spork/@{attach_path}/** rw,
}
}


@ -0,0 +1,16 @@
#=DESCRIPTION ensure attach_path expansion after subprofiles works
#=EXRESULT FAIL
profile top_profile /test/profile {
/first/path/@{attach_path}/tmp rwk,
# subprofile doesn't have attach_pathes
hat spelunkk {
owner /tmp/* r,
/run/@{attach_path}/** rw,
}
# Does this expand properly?
/second/path/@{attach_path}/tmp rk,
}
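Review bot: this FAIL test carries the same description as the PASS test ("ensure attach_path expansion after subprofiles works"); say what it actually checks, for example that a hat does not inherit the parent's attachment. "attach_pathes" should be "an attachment", and "# Does this expand properly?" reads as an open question in a committed test; replace it with the expected result. The @{exec_path} copy has the same description and typo.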


@ -0,0 +1,11 @@
#=DESCRIPTION reference auto attach_path variable in rules w/hats
#=EXRESULT FAIL
profile idf3s2A6GX8vrk /simple/profile {
/test/profile rix,
^test {
/run/@{attach_path}/tmp rwk,
}
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto exec_path variable in rules
#=EXRESULT PASS
profile /a/test/profile {
/a/test/profile rix,
@{exec_path} rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto exec_path variable in rules
#=EXRESULT PASS
profile this_is_a_test /a/test/profile {
/a/test/profile rix,
/run/@{exec_path}/tmp rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto exec_path from profile
#=EXRESULT PASS
/test/profile {
/test/profile rix,
/run/@{exec_path}/tmp rwk,
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile spork /a/*/c {
@{exec_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/b/c {
@{exec_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/*/c {
@{exec_path}/** rw,
}
}


@ -0,0 +1,20 @@
#=DESCRIPTION ensure exec_path expansion after subprofiles works
#=EXRESULT PASS
profile top_profile /test/profile {
/first/path/@{exec_path}/tmp rwk,
profile spork {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
hat spelunkk {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
# Does this expand properly?
/second/path/@{exec_path}/tmp rk,
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable overrides with user defined
#=EXRESULT PASS
@{exec_path}=/path
profile /a/test/profile {
/a/test/profile rix,
@{exec_path} rwk,
}


@ -0,0 +1,16 @@
#=DESCRIPTION user @{exec_path} available after override
#=EXRESULT PASS
@{exec_path}=/path
profile /a/test/profile {
/a/test/profile rix,
@{exec_path} rwk,
}
profile extra {
@{exec_path} rw,
}


@ -0,0 +1,10 @@
#=DESCRIPTION user @{exec_path} can set attachment and then auto var used
#=EXRESULT PASS
@{exec_path}=/path
profile @{exec_path} {
/a/test/profile rix,
@{exec_path} rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto @{exec_path} variable in rules when not created
#=EXRESULT FAIL
test/profile {
/a/test/profile rix,
mr @{exec_path},
}


@ -0,0 +1,12 @@
#=DESCRIPTION reference auto exec_path from profile
#=EXRESULT FAIL
/test/profile {
/test/profile rix,
# hat does not have an attachment and profile's attachment doesn't apply
^spork {
owner /tmp/* r,
/spork/@{exec_path}/** rw,
}
}


@ -0,0 +1,16 @@
#=DESCRIPTION ensure exec_path expansion after subprofiles works
#=EXRESULT FAIL
profile top_profile /test/profile {
/first/path/@{exec_path}/tmp rwk,
# subprofile doesn't have exec_pathes
hat spelunkk {
owner /tmp/* r,
/run/@{exec_path}/** rw,
}
# Does this expand properly?
/second/path/@{exec_path}/tmp rk,
}


@ -0,0 +1,11 @@
#=DESCRIPTION reference auto exec_path variable in rules w/hats
#=EXRESULT FAIL
profile idf3s2A6GX8vrk /simple/profile {
/test/profile rix,
^test {
/run/@{exec_path}/tmp rwk,
}
}


@ -6,6 +6,7 @@ include <tunables/global>
profile 1password /opt/1Password/1password flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/1password>
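Review bot: the shipped profiles now depend on a parser that provides the automatic @{exec_path}; on an older apparmor_parser they fail with "Found reference to variable exec_path, but is never declared", which is a compatibility change worth calling out in the commit message. Under flags=(unconfined) the added `@{exec_path} mr,` grants nothing, so if the point is to make every profile reference its own executable the same way, say so; otherwise these four hunks can be dropped.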

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile Discord /usr/share/discord/Discord flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/Discord>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile "MongoDB Compass" "/usr/lib/mongodb-compass/MongoDB Compass" flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/MongoDB_Compass>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile QtWebEngineProcess /usr/lib/@{multiarch}/qt{5,6}/libexec/QtWebEngineProcess flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/QtWebEngineProcess>

View File

@ -58,7 +58,7 @@ profile Xorg /usr/lib/xorg/Xorg flags=(attach_disconnected, complain) {
/{,usr/}bin/{bash,dash,sh} ix,
/usr/bin/xkbcomp ix,
/usr/lib/xorg/Xorg mr,
@{exec_path} mr,
@{PROC}/cmdline r,
@{PROC}/@{pid}/cmdline r,

View File

@ -10,7 +10,7 @@ profile alsamixer /{usr,}/bin/alsamixer {
include <abstractions/dbus-session-strict>
/{usr,}/bin/alsamixer mr,
@{exec_path} mr,
@{sys}/devices/virtual/dmi/id/sys_vendor r,

View File

@ -17,7 +17,7 @@ profile babeld /usr/lib/frr/babeld flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/frr>
/usr/lib/frr/babeld mr,
@{exec_path} mr,
@{run}/frr/babel-state w,
# Site-specific additions and overrides. See local/README for details.

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/balena-etcher>

View File

@ -21,7 +21,7 @@ profile bfdd /usr/lib/frr/bfdd flags=(attach_disconnected) {
capability sys_admin,
/usr/lib/frr/bfdd mr,
@{exec_path} mr,
@{run}/netns/* r,
@{run}/frr/bfdd.sock w,

View File

@ -21,7 +21,7 @@ profile bgpd /usr/lib/frr/bgpd flags=(attach_disconnected) {
capability net_raw,
capability sys_admin,
/usr/lib/frr/bgpd mr,
@{exec_path} mr,
@{run}/netns/* r,

View File

@ -22,7 +22,7 @@ profile ping /{usr/,}bin/{,iputils-}ping {
network inet raw,
network inet6 raw,
/{usr/,}bin/{,iputils-}ping mixr,
@{exec_path} mixr,
/etc/modules.conf r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile brave /opt/brave.com/brave/brave flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/brave>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile buildah /usr/bin/buildah flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/buildah>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile busybox /usr/bin/busybox flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/busybox>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile cam /usr/bin/cam flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/cam>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile ch-checkns /usr/bin/ch-checkns flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/ch-checkns>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile ch-run /usr/bin/ch-run flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/ch-run>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile chrome /opt/google/chrome/chrome flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/chrome>

View File

@ -8,6 +8,7 @@ include <tunables/global>
profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/chromium>
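Review bot: the attachment `/usr/lib/@{chromium}/@{chromium}` is itself built from a variable, so `@{exec_path} mr,` here depends on `@{chromium}` being expanded inside the automatically created variable. The new parser tests only cover an attachment that is exactly `@{exec_path}`; add a case whose attachment embeds a different, earlier-defined variable (as this profile does) so that nested expansion of the automatic value is tested rather than assumed.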

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile vscode /usr/share/code{/bin,}/code flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/code>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile crun /usr/bin/crun flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/crun>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile devhelp /usr/bin/devhelp flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/devhelp>

View File

@ -19,7 +19,7 @@ profile eigrpd /usr/lib/frr/eigrpd flags=(attach_disconnected) {
capability net_raw,
/usr/lib/frr/eigrpd mr,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/eigrpd>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile element-desktop /opt/Element/element-desktop flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/element-desktop>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile epiphany /usr/bin/epiphany{,-browser} flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/epiphany>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile evolution /usr/bin/evolution flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/evolution>

View File

@ -17,7 +17,7 @@ profile fabricd /usr/lib/frr/fabricd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/frr>
/usr/lib/frr/fabricd mr,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/fabricd>

View File

@ -7,6 +7,8 @@ include <tunables/global>
profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/firefox>
}

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile flatpak /usr/bin/flatpak flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/flatpak>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile foliate /usr/bin/foliate flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/foliate>

View File

@ -36,7 +36,7 @@ profile fusermount3 /usr/bin/fusermount3 {
@{etc_ro}/fuse.conf r,
@{PROC}/@{pid}/mounts r,
/usr/bin/fusermount3 mr,
@{exec_path} mr,
include if exists <local/fusermount3>
}

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile geary /usr/bin/geary flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/geary>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile github-desktop /usr/lib/github-desktop/github-desktop flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/github-desktop>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile goldendict /usr/bin/goldendict flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/goldendict>

View File

@ -15,7 +15,7 @@ profile iotop-c /usr/sbin/iotop-c {
/proc/*/cmdline r,
/proc/*/task/ r,
/usr/sbin/iotop-c mr,
@{exec_path} mr,
/proc/ r,
/proc/sys/kernel/task_delayacct rw,
/proc/vmstat r,

View File

@ -3,13 +3,12 @@ abi <abi/4.0>,
include <tunables/global>
@{arg1}=/**/*.so
profile ipa_verify /usr/bin/ipa_verify {
include <abstractions/base>
# Until we can replace arg1 above with real arg parsing
include <abstractions/private-files-strict>
/usr/bin/ipa_verify r,
@{exec_path} mr,
# Probably enumerated by libcamera initialization but not needed for this tool's functionality
deny /sys/devices/system/node/ r,
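Review bot: this hunk widens permissions, not just the path: `/usr/bin/ipa_verify r,` becomes `@{exec_path} mr,`, adding `m` (executable mmap of the binary) that the profile did not grant before. Every other hunk in the diff is a pure path substitution; either keep the original permission set here (`@{exec_path} r,`) or call the widening out in the commit message so reviewers of this profile know it was intentional.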

View File

@ -20,7 +20,7 @@ profile isisd /usr/lib/frr/isisd flags=(attach_disconnected) {
capability net_raw,
/usr/lib/frr/isisd mr,
@{exec_path} mr,
/var/lib/frr/ r,
/var/lib/frr/isisd.json{,.sav} rw,

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile kchmviewer /usr/bin/kchmviewer flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/kchmviewer>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile keybase /opt/keybase/Keybase flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/keybase>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lc-compliance /usr/bin/lc-compliance flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lc-compliance>

View File

@ -18,7 +18,7 @@ profile ldpd /usr/lib/frr/ldpd flags=(attach_disconnected) {
include <abstractions/frr>
include <abstractions/frr-snmp>
/usr/lib/frr/ldpd ix,
@{exec_path} mrix,
@{run}/frr/ldpd.sock rw,
# Site-specific additions and overrides. See local/README for details.
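Review bot: same concern as for ipa_verify: `/usr/lib/frr/ldpd ix,` becomes `@{exec_path} mrix,`, adding `m` and `r` on top of the existing `ix`. That may well be what ldpd needs, but it is a permission change riding on a path-substitution commit; keep the rule as `@{exec_path} ix,` or record the widening and its reason in the commit message.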

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile libcamerify /usr/bin/libcamerify flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/libcamerify>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile linux-sandbox /usr/libexec/@{multiarch}/bazel/linux-sandbox flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/linux-sandbox>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile loupe /usr/bin/loupe flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/loupe>

View File

@ -18,7 +18,6 @@ profile lsb_release {
/dev/tty rw,
/usr/bin/lsb_release r,
/usr/bin/python3.{1,}[0-9] mr,
/etc/debian_version r,
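Review bot: the hunk header (`-18,7 +18,6`) records a net removal and no `@{exec_path}` line appears, yet `profile lsb_release {` has no attachment, so there is no automatic variable that could replace a literal rule here. If the removed line is `/usr/bin/lsb_release r,`, the profile loses read access to its own executable; a profile without an attachment must keep its literal path rule, so please confirm this hunk was not produced by the same mechanical substitution as the others.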

View File

@ -17,7 +17,7 @@ profile lsblk /usr/bin/lsblk {
include <abstractions/consoles>
include <abstractions/nameservice-strict>
/usr/bin/lsblk mr,
@{exec_path} mr,
@{sys}/block/ r,
@{sys}/class/block/ r,

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lxc-attach /usr/bin/lxc-attach flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lxc-attach>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lxc-create /usr/bin/lxc-create flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lxc-create>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lxc-destroy /usr/bin/lxc-destroy flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lxc-destroy>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lxc-execute /usr/bin/lxc-execute flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lxc-execute>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lxc-stop /usr/bin/lxc-stop flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lxc-stop>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lxc-unshare /usr/bin/lxc-unshare flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lxc-unshare>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile lxc-usernsexec /usr/bin/lxc-usernsexec flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/lxc-usernsexec>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile mmdebstrap /usr/bin/mmdebstrap flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/mmdebstrap>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile msedge /opt/microsoft/msedge/msedge flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/msedge>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile nautilus /usr/bin/nautilus flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/nautilus>

View File

@ -20,7 +20,7 @@ profile nhrpd /usr/lib/frr/nhrpd flags=(attach_disconnected) {
capability net_raw,
capability net_admin,
/usr/lib/frr/nhrpd mr,
@{exec_path} mr,
/usr/bin/dash ix,
@{PROC}/sys/net/ipv4/conf/*/send_redirects w,

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile notepadqq /{{usr/bin,etc/alternatives}/notepadqq,usr/lib/notepadqq/notepadqq.sh} flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/notepadqq>

View File

@ -16,8 +16,6 @@ profile nvidia_modprobe {
# Main executable
/usr/bin/nvidia-modprobe mr,
# Other executables
/usr/bin/kmod Cx -> kmod,
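Review bot: `profile nvidia_modprobe {` also has no attachment, and the header (`-16,8 +16,6`) shows two lines removed with no `@{exec_path}` replacement. The only rule under `# Main executable` is `/usr/bin/nvidia-modprobe mr,`; if that is what was removed, the binary can no longer be mapped under this profile. As with lsb_release, the literal rule has to stay in profiles that have no attachment.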

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile obsidian /opt/Obsidian/obsidian flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/obsidian>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile opam /usr/bin/opam flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/opam>

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile opera /usr/lib/@{multiarch}/opera/opera flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/opera>

View File

@ -21,7 +21,7 @@ profile ospf6d /usr/lib/frr/ospf6d flags=(attach_disconnected) {
capability net_raw,
capability sys_admin,
/usr/lib/frr/ospf6d mr,
@{exec_path} mr,
@{run}/netns/* r,

View File

@ -21,7 +21,7 @@ profile ospfd /usr/lib/frr/ospfd flags=(attach_disconnected) {
capability net_raw,
capability sys_admin,
/usr/lib/frr/ospfd mr,
@{exec_path} mr,
@{run}/netns/* r,

View File

@ -6,6 +6,7 @@ include <tunables/global>
profile pageedit /usr/bin/pageedit flags=(unconfined) {
userns,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/pageedit>

View File

@ -17,7 +17,7 @@ profile pathd /usr/lib/frr/pathd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/frr>
/usr/lib/frr/pathd mr,
@{exec_path} mr,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/pathd>

Some files were not shown because too many files have changed in this diff.