Add profile names to all profiles with {bin,sbin} attachment

Also adjust the signal rules in the dovecot-common and apache2-common abstractions to match the profile names, and to really do that (peer=...{bin,sbin}... didn't work, the correct syntax would have been peer=...\{bin,sbin\}...) This fixes the regression introduced by !149 / commit 4200932d8f
2025-08-30 13:58:22 +00:00 · 2018-10-15 20:57:33 +02:00
parent 4a2dad336a
commit b77116e6af
14 changed files with 16 additions and 16 deletions
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -7,9 +7,9 @@
  # Allow unconfined processes to send us signals by default
  signal (receive) peer=unconfined,
  # Allow apache to send us signals by default
-  signal (receive) peer=/usr/{bin,sbin}/apache2,
+  signal (receive) peer=apache2,
  # Allow other hats to signal by default
-  signal peer=/usr/{bin,sbin}/apache2//*,
+  signal peer=apache2//*,
  # Allow us to signal ourselves
  signal peer=@{profile_name},
--- a/profiles/apparmor.d/abstractions/dovecot-common
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@@ -14,6 +14,6 @@
  deny capability block_suspend,
  # dovecot's master can send us signals
-  signal receive peer=/usr/{bin,sbin}/dovecot,
+  signal receive peer=dovecot,
  /{var/,}run/dovecot/config rw,
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -29,7 +29,7 @@
  /run/dovecot/auth-userdb rw,
  /usr/bin/doveconf mrix,
  /usr/lib/dovecot/dovecot-lda mrix,
-  /usr/{bin,sbin}/sendmail Cx,
+  /usr/{bin,sbin}/sendmail Cx -> sendmail,
  /usr/share/dovecot/protocols.d/ r,
  /usr/share/dovecot/protocols.d/** r,
@@ -37,7 +37,7 @@
  #include <local/usr.lib.dovecot.dovecot-lda>
-  profile /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
+  profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
    # this profile is based on the usr.sbin.sendmail profile in extras
    # and should support both postfix' and sendmail's sendmail binary
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@@ -1,7 +1,7 @@
 # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
 #include <tunables/global>
-/usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
+profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
  # This profile is completely permissive.
  # It is designed to target specific applications using mod_apparmor,
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@@ -1,5 +1,5 @@
 #include <tunables/global>
-/usr/{bin,sbin}/avahi-daemon {
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/dbus>
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -12,7 +12,7 @@
 #include <tunables/global>
-/usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
+profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/dovecot-common>
--- a/profiles/apparmor.d/usr.sbin.identd
+++ b/profiles/apparmor.d/usr.sbin.identd
@@ -11,7 +11,7 @@
 #include <tunables/global>
-/usr/{bin,sbin}/identd {
+profile identd /usr/{bin,sbin}/identd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability net_bind_service,
--- a/profiles/apparmor.d/usr.sbin.mdnsd
+++ b/profiles/apparmor.d/usr.sbin.mdnsd
@@ -11,7 +11,7 @@
 #include <tunables/global>
-/usr/{bin,sbin}/mdnsd {
+profile mdnsd /usr/{bin,sbin}/mdnsd {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -1,6 +1,6 @@
 #include <tunables/global>
-/usr/{bin,sbin}/nmbd {
+profile nmbd /usr/{bin,sbin}/nmbd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/samba>
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 #include <tunables/global>
-/usr/{bin,sbin}/nscd {
+profile nscd /usr/{bin,sbin}/nscd {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -11,7 +11,7 @@
 #include <tunables/global>
 #include <tunables/ntpd>
-/usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
+profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -1,6 +1,6 @@
 #include <tunables/global>
-/usr/{bin,sbin}/smbd {
+profile smbd /usr/{bin,sbin}/smbd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
--- a/profiles/apparmor.d/usr.sbin.smbldap-useradd
+++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd
@@ -1,7 +1,7 @@
 # Last Modified: Tue Jan  3 00:17:40 2012
 #include <tunables/global>
-/usr/{bin,sbin}/smbldap-useradd {
+profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -1,6 +1,6 @@
 #include <tunables/global>
-/usr/{bin,sbin}/winbindd {
+profile winbindd /usr/{bin,sbin}/winbindd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/samba>