profiles: provide backwards compat for hwctl profile

The hwctl profile is being carried upstream, so we can keep it in sync, but is being packaged from the regular profile set so that it can be part of a package that is SRUed (ubuntu stable release update) separate from the rest of apparmor, and its profiles. Provide backwards compat with older parser to reduce the amount of distro patching that is needed. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-22 01:57:43 +00:00 · 2025-05-30 11:17:43 -07:00 · 2025-05-30 11:17:43 -07:00 · df41185eb2
commit df41185eb2
parent d315f2b279
1 changed files with 9 additions and 2 deletions
--- a/profiles/apparmor.d/usr.bin.hwctl
+++ b/profiles/apparmor.d/usr.bin.hwctl
@ -12,7 +12,9 @@ abi <abi/4.0>,

 include <tunables/global>

-profile hwctl /usr/bin/hwctl {
+# provide backwards compat with older parsers that don't support @{exec_path}
+@{exec_path}=/usr/bin/hwctl
+profile hwctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
@ -38,10 +40,15 @@ profile hwctl /usr/bin/hwctl {
  /usr/bin/kmod   cx,
  /etc/os-release r,

+  # note @{exec_path} not used for this attachment for backwards compat
+  # reasons. Older parsers do not allow us to embed a variable declaration
+  # to use the trick we are using above
  profile kmod /usr/bin/kmod {
    include <abstractions/base>

-    @{exec_path}              r,
+    # old parsers do not support defining a variable outside of the
+    # preamble for backward compat do not use @{exec_path} here
+    /usr/bin/kmod             r,
    @{PROC}/{cmdline,modules} r,
    @{sys}/module/**          r,  # for fetching kernel modules
  }