profiles: support distributions which merge sbin into bin

Closes #8

profiles/apparmor.d/abstractions/apache2-common

@@ -7,9 +7,9 @@
   # Allow unconfined processes to send us signals by default
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
-  signal (receive) peer=/usr/sbin/apache2,
+  signal (receive) peer=/usr/{bin,sbin}/apache2,
   # Allow other hats to signal by default
-  signal peer=/usr/sbin/apache2//*,
+  signal peer=/usr/{bin,sbin}/apache2//*,
   # Allow us to signal ourselves
   signal peer=@{profile_name},
 

profiles/apparmor.d/abstractions/dovecot-common

@@ -14,6 +14,6 @@
   deny capability block_suspend,
 
   # dovecot's master can send us signals
-  signal receive peer=/usr/sbin/dovecot,
+  signal receive peer=/usr/{bin,sbin}/dovecot,
 
   /{var/,}run/dovecot/config rw,

profiles/apparmor.d/abstractions/ubuntu-helpers

@@ -49,9 +49,7 @@ profile sanitized_helper {
 
   # Allow exec of anything, but under this profile. Allow transition
   # to other profiles if they exist.
-  /{usr/,}bin/* Pixr,
+  /{usr/,usr/local/,}{bin,sbin}/* Pixr,
-  /{usr/,}sbin/* Pixr,
-  /usr/local/bin/* Pixr,
 
   # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
   /usr/{,local/}lib*/{,**/}* Pixr,

profiles/apparmor.d/sbin.klogd

@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-profile klogd /{usr/,}sbin/klogd {
+profile klogd /{usr/,}{bin,sbin}/klogd {
   #include <abstractions/base>
 
   capability sys_admin, # for backward compatibility with kernel <= 2.6.37
@@ -21,10 +21,10 @@ profile klogd /{usr/,}sbin/klogd {
 
   /boot/System.map*     r,
   @{PROC}/kmsg		r,
-  @{PROC}/kallsyms		r,
+  @{PROC}/kallsyms	r,
   /dev/tty		rw,
 
-  /{usr/,}sbin/klogd		rmix,
+  /{usr/,}{bin,sbin}/klogd	rmix,
   /var/log/boot.msg     rwl,
   /{,var/}run/klogd.pid    krwl,
   /{,var/}run/klogd/klogd.pid krwl,

profiles/apparmor.d/sbin.syslog-ng

@@ -15,7 +15,7 @@
 #define this to be where syslog-ng is chrooted
 @{CHROOT_BASE}=""
 
-profile syslog-ng /{usr/,}sbin/syslog-ng {
+profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
@@ -46,7 +46,7 @@ profile syslog-ng /{usr/,}sbin/syslog-ng {
   @{PROC}/kmsg r,
   /etc/hosts.deny r,
   /etc/hosts.allow r,
-  /{usr/,}sbin/syslog-ng mr,
+  /{usr/,}{bin,sbin}/syslog-ng mr,
   /sys/devices/system/cpu/online r,
   /usr/share/syslog-ng/** r,
   /var/lib/syslog-ng/syslog-ng-?????.qf rw,

profiles/apparmor.d/sbin.syslogd

@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-profile syslogd /{usr/,}sbin/syslogd {
+profile syslogd /{usr/,}{bin,sbin}/syslogd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/consoles>
@@ -32,7 +32,7 @@ profile syslogd /{usr/,}sbin/syslogd {
   /dev/tty*                     w,
   /dev/xconsole                 rw,
   /etc/syslog.conf              r,
-  /{usr/,}sbin/syslogd                 rmix,
+  /{usr/,}{bin,sbin}/syslogd    rmix,
   /var/log/**                   rw,
   /{,var/}run/syslogd.pid          krwl,
   /{,var/}run/utmp                 rw,

profiles/apparmor.d/usr.lib.dovecot.dovecot-lda

@@ -29,7 +29,7 @@
   /run/dovecot/auth-userdb rw,
   /usr/bin/doveconf mrix,
   /usr/lib/dovecot/dovecot-lda mrix,
-  /usr/sbin/sendmail Cx,
+  /usr/{bin,sbin}/sendmail Cx,
   /usr/share/dovecot/protocols.d/ r,
   /usr/share/dovecot/protocols.d/** r,
 
@@ -37,7 +37,7 @@
   #include <local/usr.lib.dovecot.dovecot-lda>
 
 
-  profile /usr/sbin/sendmail flags=(attach_disconnected) {
+  profile /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
     # this profile is based on the usr.sbin.sendmail profile in extras
     # and should support both postfix' and sendmail's sendmail binary
 
@@ -70,13 +70,13 @@
     /usr/lib/postfix/master Px,
     /usr/lib/postfix/showq Px,
     /usr/lib/postfix/smtpd Px,
-    /usr/sbin/postalias Px,
+    /usr/{bin,sbin}/postalias Px,
-    /usr/sbin/postdrop Px,
+    /usr/{bin,sbin}/postdrop Px,
-    /usr/sbin/postfix Px,
+    /usr/{bin,sbin}/postfix Px,
-    /usr/sbin/postqueue Px,
+    /usr/{bin,sbin}/postqueue Px,
-    /usr/sbin/sendmail mrix,
+    /usr/{bin,sbin}/sendmail mrix,
-    /usr/sbin/sendmail.postfix mrix,
+    /usr/{bin,sbin}/sendmail.postfix mrix,
-    /usr/sbin/sendmail.sendmail mrix,
+    /usr/{bin,sbin}/sendmail.sendmail mrix,
     /{var/,}run/sendmail.pid rwl,
     /{var/,}run/sm-client.pid rwl,
     /{var/,}run/utmp rw,

profiles/apparmor.d/usr.sbin.apache2

@@ -1,7 +1,7 @@
 # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
 
 #include <tunables/global>
-/usr/sbin/apache2 flags=(attach_disconnected) {
+/usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
 
   # This profile is completely permissive.
   # It is designed to target specific applications using mod_apparmor,

profiles/apparmor.d/usr.sbin.avahi-daemon

@@ -1,5 +1,5 @@
 #include <tunables/global>
-/usr/sbin/avahi-daemon {
+/usr/{bin,sbin}/avahi-daemon {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/dbus>
@@ -20,7 +20,7 @@
   /etc/avahi/services/ r,
   /etc/avahi/services/*.service r,
   @{PROC}/@{pid}/fd/ r,
-  /usr/sbin/avahi-daemon mr,
+  /usr/{bin,sbin}/avahi-daemon mr,
   /usr/share/avahi/introspection/*.introspect r,
   /usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
   /{,var/}run/avahi-daemon/ w,

profiles/apparmor.d/usr.sbin.dnsmasq

@@ -12,7 +12,7 @@
 @{TFTP_DIR}=/var/tftp /srv/tftpboot
 
 #include <tunables/global>
-/usr/sbin/dnsmasq flags=(attach_disconnected) {
+profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/dbus>
   #include <abstractions/nameservice>
@@ -27,8 +27,8 @@
   network inet raw,
   network inet6 raw,
 
-  signal (receive) peer=/usr/sbin/libvirtd,
+  signal (receive) peer=/usr/{bin,sbin}/libvirtd,
-  ptrace (readby) peer=/usr/sbin/libvirtd,
+  ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
 
   owner /dev/tty rw,
 
@@ -41,7 +41,7 @@
   /etc/NetworkManager/dnsmasq.d/ r,
   /etc/NetworkManager/dnsmasq.d/* r,
 
-  /usr/sbin/dnsmasq mr,
+  /usr/{bin,sbin}/dnsmasq mr,
 
   /{,var/}run/*dnsmasq*.pid w,
   /{,var/}run/dnsmasq-forwarders.conf r,

profiles/apparmor.d/usr.sbin.dovecot

@@ -12,7 +12,7 @@
 
 #include <tunables/global>
 
-/usr/sbin/dovecot flags=(attach_disconnected) {
+/usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
@@ -55,7 +55,7 @@
   /usr/lib/dovecot/ssl-build-param rix,
   /usr/lib/dovecot/ssl-params mrPx,
   /usr/lib/dovecot/stats Px,
-  /usr/sbin/dovecot mrix,
+  /usr/{bin,sbin}/dovecot mrix,
   /usr/share/dovecot/protocols.d/   r,
   /usr/share/dovecot/protocols.d/** r,
   /var/lib/dovecot/ w,

profiles/apparmor.d/usr.sbin.identd

@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/usr/sbin/identd {
+/usr/{bin,sbin}/identd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   capability net_bind_service,
@@ -20,7 +20,7 @@
   /etc/identd.conf         r,
   /etc/identd.key          r,
   /etc/identd.pid          w,
-  /usr/sbin/identd	   rmix,
+  /usr/{bin,sbin}/identd   rmix,
   @{PROC}/net/tcp          r,
   @{PROC}/net/tcp6         r,
   /{,var/}run/identd.pid   w,

profiles/apparmor.d/usr.sbin.mdnsd

@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/usr/sbin/mdnsd {
+/usr/{bin,sbin}/mdnsd {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
@@ -24,7 +24,7 @@
 
   network netlink dgram,
 
-  /usr/sbin/mdnsd rmix,
+  /usr/{bin,sbin}/mdnsd rmix,
 
   @{PROC}/net/ r,
   @{PROC}/net/unix r,

profiles/apparmor.d/usr.sbin.nmbd

@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-/usr/sbin/nmbd {
+/usr/{bin,sbin}/nmbd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/samba>
@@ -9,7 +9,7 @@
 
   @{PROC}/sys/kernel/core_pattern r,
 
-  /usr/sbin/nmbd mr,
+  /usr/{bin,sbin}/nmbd mr,
 
   /var/cache/samba/gencache.tdb rwk,
   /var/{cache,lib}/samba/browse.dat* rw,

profiles/apparmor.d/usr.sbin.nscd

@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 
 #include <tunables/global>
-/usr/sbin/nscd {
+/usr/{bin,sbin}/nscd {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
@@ -23,7 +23,7 @@
 
   /etc/netgroup r,
   /etc/nscd.conf r,
-  /usr/sbin/nscd rmix,
+  /usr/{bin,sbin}/nscd rmix,
   /{,var/}run/.nscd_socket wl,
   /{,var/}run/nscd/ rw,
   /{,var/}run/nscd/db* rwl,

profiles/apparmor.d/usr.sbin.ntpd

@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 #include <tunables/ntpd>
-/usr/sbin/ntpd flags=(attach_disconnected) {
+/usr/{bin,sbin}/ntpd flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/openssl>
@@ -40,7 +40,7 @@
 
   /tmp/ntp* rwl,
   /{usr/,usr/local/,}{s,}bin/ r,
-  /usr/sbin/ntpd rmix,
+  /usr/{bin,sbin}/ntpd rmix,
   /var/lib/ntp/drift rwl,
   /var/lib/ntp/drift.TEMP rwl,
   /var/lib/ntp/drift/driftfile rw,

profiles/apparmor.d/usr.sbin.smbd

@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-/usr/sbin/smbd {
+/usr/{bin,sbin}/smbd {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/consoles>
@@ -37,8 +37,8 @@
   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
   /usr/lib/@{multiarch}/samba/**/ r,
   /usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
-  /usr/sbin/smbd mr,
+  /usr/{bin,sbin}/smbd mr,
-  /usr/sbin/smbldap-useradd Px,
+  /usr/{bin,sbin}/smbldap-useradd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
   /var/lib/samba/** rwk,

profiles/apparmor.d/usr.sbin.smbldap-useradd

@@ -1,7 +1,7 @@
 # Last Modified: Tue Jan  3 00:17:40 2012
 #include <tunables/global>
 
-/usr/sbin/smbldap-useradd {
+/usr/{bin,sbin}/smbldap-useradd {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/nameservice>
@@ -13,8 +13,8 @@
   /etc/shadow r,
   /etc/smbldap-tools/smbldap.conf r,
   /etc/smbldap-tools/smbldap_bind.conf r,
-  /usr/sbin/smbldap-useradd r,
+  /usr/{bin,sbin}/smbldap-useradd r,
-  /usr/sbin/smbldap_tools.pm r,
+  /usr/{bin,sbin}/smbldap_tools.pm r,
   /var/log/samba/log.smbd w,
 
   # Site-specific additions and overrides. See local/README for details.

profiles/apparmor.d/usr.sbin.traceroute

@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 
 #include <tunables/global>
-/usr/{sbin/traceroute,bin/traceroute.db} {
+/usr/{{bin,sbin}/traceroute,bin/traceroute.db} {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
@@ -21,7 +21,7 @@
   network inet raw,
   network inet6 raw,
 
-  /usr/sbin/traceroute mrix,
+  /usr/{bin,sbin}/traceroute mrix,
   /usr/bin/traceroute.db mrix,
   @{PROC}/net/route r,
   @{PROC}/sys/net/ipv4/{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,

profiles/apparmor.d/usr.sbin.winbindd

@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-/usr/sbin/winbindd {
+/usr/{bin,sbin}/winbindd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/samba>
@@ -24,7 +24,7 @@
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
-  /usr/sbin/winbindd mr,
+  /usr/{bin,sbin}/winbindd mr,
   /var/cache/krb5rcache/* rw,
   /var/cache/samba/*.tdb rwk,
   /var/log/samba/log.winbindd rw,