From b77116e6afeec7b7bd366c2d74ddf225fb1dfeb3 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Mon, 15 Oct 2018 20:57:33 +0200
Subject: [PATCH] Add profile names to all profiles with {bin,sbin} attachment

Also adjust the signal rules in the dovecot-common and apache2-common
abstractions to match the profile names, and to really do that
(peer=...{bin,sbin}... didn't work, the correct syntax would have been
peer=...\{bin,sbin\}...)

This fixes the regression introduced by !149 / commit
4200932d8fb31cc3782d96dd8312511e807fd09b
---
 profiles/apparmor.d/abstractions/apache2-common | 4 ++--
 profiles/apparmor.d/abstractions/dovecot-common | 2 +-
 profiles/apparmor.d/usr.lib.dovecot.dovecot-lda | 4 ++--
 profiles/apparmor.d/usr.sbin.apache2            | 2 +-
 profiles/apparmor.d/usr.sbin.avahi-daemon       | 2 +-
 profiles/apparmor.d/usr.sbin.dovecot            | 2 +-
 profiles/apparmor.d/usr.sbin.identd             | 2 +-
 profiles/apparmor.d/usr.sbin.mdnsd              | 2 +-
 profiles/apparmor.d/usr.sbin.nmbd               | 2 +-
 profiles/apparmor.d/usr.sbin.nscd               | 2 +-
 profiles/apparmor.d/usr.sbin.ntpd               | 2 +-
 profiles/apparmor.d/usr.sbin.smbd               | 2 +-
 profiles/apparmor.d/usr.sbin.smbldap-useradd    | 2 +-
 profiles/apparmor.d/usr.sbin.winbindd           | 2 +-
 14 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/profiles/apparmor.d/abstractions/apache2-common b/profiles/apparmor.d/abstractions/apache2-common
index 0c1d137cf..e0a44de80 100644
--- a/profiles/apparmor.d/abstractions/apache2-common
+++ b/profiles/apparmor.d/abstractions/apache2-common
@@ -7,9 +7,9 @@
   # Allow unconfined processes to send us signals by default
   signal (receive) peer=unconfined,
   # Allow apache to send us signals by default
-  signal (receive) peer=/usr/{bin,sbin}/apache2,
+  signal (receive) peer=apache2,
   # Allow other hats to signal by default
-  signal peer=/usr/{bin,sbin}/apache2//*,
+  signal peer=apache2//*,
   # Allow us to signal ourselves
   signal peer=@{profile_name},
 
diff --git a/profiles/apparmor.d/abstractions/dovecot-common b/profiles/apparmor.d/abstractions/dovecot-common
index 08dc3311f..e1681d9a0 100644
--- a/profiles/apparmor.d/abstractions/dovecot-common
+++ b/profiles/apparmor.d/abstractions/dovecot-common
@@ -14,6 +14,6 @@
   deny capability block_suspend,
 
   # dovecot's master can send us signals
-  signal receive peer=/usr/{bin,sbin}/dovecot,
+  signal receive peer=dovecot,
 
   /{var/,}run/dovecot/config rw,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
index 77d12df9e..50a75e9e3 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
+++ b/profiles/apparmor.d/usr.lib.dovecot.dovecot-lda
@@ -29,7 +29,7 @@
   /run/dovecot/auth-userdb rw,
   /usr/bin/doveconf mrix,
   /usr/lib/dovecot/dovecot-lda mrix,
-  /usr/{bin,sbin}/sendmail Cx,
+  /usr/{bin,sbin}/sendmail Cx -> sendmail,
   /usr/share/dovecot/protocols.d/ r,
   /usr/share/dovecot/protocols.d/** r,
 
@@ -37,7 +37,7 @@
   #include <local/usr.lib.dovecot.dovecot-lda>
 
 
-  profile /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
+  profile sendmail /usr/{bin,sbin}/sendmail flags=(attach_disconnected) {
     # this profile is based on the usr.sbin.sendmail profile in extras
     # and should support both postfix' and sendmail's sendmail binary
 
diff --git a/profiles/apparmor.d/usr.sbin.apache2 b/profiles/apparmor.d/usr.sbin.apache2
index dd7bf23e9..8fcdf5802 100644
--- a/profiles/apparmor.d/usr.sbin.apache2
+++ b/profiles/apparmor.d/usr.sbin.apache2
@@ -1,7 +1,7 @@
 # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
 
 #include <tunables/global>
-/usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
+profile apache2 /usr/{bin,sbin}/apache2 flags=(attach_disconnected) {
 
   # This profile is completely permissive.
   # It is designed to target specific applications using mod_apparmor,
diff --git a/profiles/apparmor.d/usr.sbin.avahi-daemon b/profiles/apparmor.d/usr.sbin.avahi-daemon
index 3d1b1b8d6..a56d4a11a 100644
--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
@@ -1,5 +1,5 @@
 #include <tunables/global>
-/usr/{bin,sbin}/avahi-daemon {
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/dbus>
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index 4b0fd04f6..579b3100a 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -12,7 +12,7 @@
 
 #include <tunables/global>
 
-/usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
+profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/dovecot-common>
diff --git a/profiles/apparmor.d/usr.sbin.identd b/profiles/apparmor.d/usr.sbin.identd
index b19a21ba0..134148963 100644
--- a/profiles/apparmor.d/usr.sbin.identd
+++ b/profiles/apparmor.d/usr.sbin.identd
@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/usr/{bin,sbin}/identd {
+profile identd /usr/{bin,sbin}/identd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   capability net_bind_service,
diff --git a/profiles/apparmor.d/usr.sbin.mdnsd b/profiles/apparmor.d/usr.sbin.mdnsd
index 4bf275e45..c41ed1fef 100644
--- a/profiles/apparmor.d/usr.sbin.mdnsd
+++ b/profiles/apparmor.d/usr.sbin.mdnsd
@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 
-/usr/{bin,sbin}/mdnsd {
+profile mdnsd /usr/{bin,sbin}/mdnsd {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
diff --git a/profiles/apparmor.d/usr.sbin.nmbd b/profiles/apparmor.d/usr.sbin.nmbd
index d45a6c88a..5a4d31b69 100644
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-/usr/{bin,sbin}/nmbd {
+profile nmbd /usr/{bin,sbin}/nmbd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/samba>
diff --git a/profiles/apparmor.d/usr.sbin.nscd b/profiles/apparmor.d/usr.sbin.nscd
index c8dfd19f6..5ab666987 100644
--- a/profiles/apparmor.d/usr.sbin.nscd
+++ b/profiles/apparmor.d/usr.sbin.nscd
@@ -10,7 +10,7 @@
 # ------------------------------------------------------------------
 
 #include <tunables/global>
-/usr/{bin,sbin}/nscd {
+profile nscd /usr/{bin,sbin}/nscd {
   #include <abstractions/base>
   #include <abstractions/consoles>
   #include <abstractions/nameservice>
diff --git a/profiles/apparmor.d/usr.sbin.ntpd b/profiles/apparmor.d/usr.sbin.ntpd
index 3830ed75e..2279465e8 100644
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -11,7 +11,7 @@
 
 #include <tunables/global>
 #include <tunables/ntpd>
-/usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
+profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/openssl>
diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
index dd4858453..f46e80e2b 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-/usr/{bin,sbin}/smbd {
+profile smbd /usr/{bin,sbin}/smbd {
   #include <abstractions/authentication>
   #include <abstractions/base>
   #include <abstractions/consoles>
diff --git a/profiles/apparmor.d/usr.sbin.smbldap-useradd b/profiles/apparmor.d/usr.sbin.smbldap-useradd
index 7b37bdde3..35c0e2dcd 100644
--- a/profiles/apparmor.d/usr.sbin.smbldap-useradd
+++ b/profiles/apparmor.d/usr.sbin.smbldap-useradd
@@ -1,7 +1,7 @@
 # Last Modified: Tue Jan  3 00:17:40 2012
 #include <tunables/global>
 
-/usr/{bin,sbin}/smbldap-useradd {
+profile smbldap-useradd /usr/{bin,sbin}/smbldap-useradd {
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/nameservice>
diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
index f80aeee6c..9f78e8c7f 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
+++ b/profiles/apparmor.d/usr.sbin.winbindd
@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-/usr/{bin,sbin}/winbindd {
+profile winbindd /usr/{bin,sbin}/winbindd {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/samba>