
# system folder

- name: "at-spi2-core"
  requires:
    - dbus-1
  in_directory:
    "system/dbus":
      files:
        - "at-spi-bus-launcher"
        - "at-spi2-registryd"

- name: "chrony"
  in_directory:
    "system/network":
      files:
        - "chronyc"
        - "chronyd"

- name: "cronie"
  load_profile_by_systemd:
    system:
      cron:
        # The service has
        #
        #   ExecReload=/usr/bin/kill -s SIGHUP $MAINPID
        #
        # so the reload's kill(1) presumably runs under the cronie
        # profile as well; hopefully that lets the profile handle
        # the signal (SIGHUP to its own main process) too.
        profile: cronie
  in_directory:
    "system/cron":
      files:
        - "cronie"
        - "cronie.run-crons"
        - "crontab"
      extra_directories:
        - "cronie.d"
      extra_files:
        - "cronie.d/README"

- name: "dbus-1"
  load_profile_by_systemd:
    dbus-daemon: dbus-daemon
  abstractions:
    - kde
    - systemd
  in_directory:
    "system/dbus":
      files:
        - "dbus-daemon"
        - "dbus-daemon-launch-helper"
        - "dbus-run-session"
        - "dbus-send"

- name: "deltarpm"
  files:
    - "system/applydeltarpm"

- name: "fish"
  requires:
    # TODO: These requires should be changed to recommends, if possible.
    - less
    - procps
    - subversion
    - systemd
    - xdm # For /etc/X11/xdm/sys.xsession
    - git-core
    - krb5-client
    - btrfsmaintenance # zypper plugin
    - libzypp-plugin-appdata # zypper plugin
    - snapper-zypp-plugin # zypper plugin
  abstractions:
    - sddm
  local:
    - "fish"
    - "kde_fish"
  # NOTE: Done differently here because directory-include loading loads these under the wrong namespaces —
  # only sometimes, not always, which makes it all the more annoying.
  namespaces:
    - "common_fish"
  in_directory:
    "system/shells":
      local:
        - "common_fish"
        - "fish-sudo"
      files:
        - "fish"
        - "kde_fish"
      extra_files:
        - "lib/common_fish"
        - "lib/fish-sudo"

- name: "fuse3"
  in_directory:
    "system/mount":
      files:
        - "fusermount3"
      extra_directories:
        - "local/fuse"
      extra_files:
        - "local/fuse/fusermount3"

- name: "glib2-tools"
  in_directory:
    "system/glib":
      files:
        - "glib-compile-schemas"
        - "gsettings"

- name: "glibc"
  in_directory:
    "system/glibc":
      rpm_scriptlets_symlinks:
        - "iconvconfig"
      local:
        - "lib-ld.so"
      files:
        - "iconvconfig"
        - "ldconfig"
        - "lib-ld.so"

- name: "glibc-32bit"
  in_directory:
    "system/glibc":
      rpm_scriptlets_symlinks:
        - "iconvconfig-32"
      files:
        - "iconvconfig-32"

- name: "grub2"
  recommends:
    - os-prober # For grub-mkconfig
  in_directory:
    "system/bootloader":
      files:
        - "grub-editenv"
        - "grub-install"
        - "grub-mkconfig"
        - "grub-probe"
        - "grub2-once"
        - "grub2-reboot"

- name: "os-prober"
  requires:
    - "util-linux" # For blkid
  in_directory:
    "system/bootloader":
      files:
        - "os-prober"

- name: "power-profiles-daemon"
  load_profile_by_systemd:
    power-profiles-daemon: power-profiles-daemon
  in_directory:
    "system/dbus":
      files:
        - "power-profiles-daemon"

# NOTE: Not making systemd load the profile, because the service runs two different executables.
- name: "rsyslog"
  in_directory:
    "system":
      files:
        - "rsyslogd"

- name: "rtkit"
  in_directory:
    "system/dbus":
      files:
        - "rtkit-daemon"

- name: "tmpwatch"
  in_directory:
    "system/cron/scripts":
      files:
        - "cron.daily.tmpwatch"

- name: "util-linux"
  in_directory:
    "system":
      local:
        - "agetty"
        - "bin.login"
      files:
        - "agetty"
        - "bin.login"
        - "su"
    "system/cli":
      files:
        - "dmesg"
        - "lscpu"
        - "lsns"
    "system/filesystem":
      files:
        - "fsfreeze"
        - "fstrim"
        - "losetup"
    "utilities":
      files:
        - "blkid"

- name: "wicked"
  requires:
    - kmod
  in_directory:
    "system/network/wicked":
      files:
        - "ifup"
        - "wicked"
        - "wickedd"
        - "wickedd-nanny"
        - "wicked.lib.wickedd-auto4"
        - "wicked.lib.wickedd-dhcp4"
        - "wicked.lib.wickedd-dhcp6"

- name: "xinetd"
  files:
    - "system/xinetd"

# admin folder

- name: "ca-certificates"
  in_directory:
    "system/admin":
      files:
        - "update-ca-certificates"
      rpm_scriptlets_symlinks:
        - "update-ca-certificates"

- name: "hostinfo"
  provides:
    - "issue-generator"
  in_directory:
    "system/admin":
      files:
        - "hostinfo"
        # Technically this should be in issue-generator-profiles,
        # but I want to avoid one unnecessary package which most
        # of time would be installed anyway.
        - "issue-generator"

- name: "fai-toolkit"
  in_directory:
    "system/admin/management":
      included_tunables:
        - "fai-toolkit"
      files:
        - "ft"
      extra_files:
        - "namespaces.d/ft/"

- name: "pam-config"
  in_directory:
    "system/admin":
      files:
        - "pam-config"

- name: "sysconfig-netconfig"
  in_directory:
    "system/admin":
      files:
        - "netconfig"

# auth folder

- name: "sssd"
  supplements:
    - sssd-common
  in_directory:
    "security/authentication/sssd":
      included_tunables:
        - "sssd"
      files:
        - "sssd"
      extra_directories:
        - "namespaces.d/kde_file_dialog.net.d"
      extra_files:
        - "lib/sssd/"
        - "namespaces.d/kde_file_dialog.net.d/sssd"

- name: "sssd-tools"
  requires:
    - sssd # For tunables/sssd
  in_directory:
    "system/admin/auth":
      files:
        - "sss_cache"
        - "sssctl"

- name: "sudo"
  in_directory:
    "security/authentication/sudo":
      files:
        - "visudo"
        - "sudo"

- name: "yubikey-manager-qt"
  in_directory:
    "security/authentication":
      files:
        - "ykman-gui"

# system -> network folder

- name: "bind-utils"
  in_directory:
    "system/network":
      files:
        - "delv"
        - "dig"
        - "host"

- name: "cni-plugins"
  in_directory:
    "system/network/cni":
      files:
        - "cni.dhcp"

- name: "ethtool"
  in_directory:
    "system/network":
      files:
        - "ethtool"

- name: "hyphanet"
  provides:
    - "freenetproject"
  in_directory:
    "system/network/hyphanet":
      extra_directories:
        - "local/hyphanet"
      extra_files:
        - "lib/hyphanet/"
        - "local/hyphanet/plugins"
      files:
        - "run.sh"
        - "wrapper"
      included_tunables:
        - "hyphanet"

- name: "iproute2"
  in_directory:
    "system/network/iproute2":
      extra_directories:
        - "local/iproute2"
      extra_files:
        - "local/iproute2/ip"
      files:
        - "ip"
        - "rtmon"
        - "ss"

- name: "nethogs"
  in_directory:
    "system/network":
      files:
        - "nethogs"

- name: "nftables"
  in_directory:
    "system/network":
      files:
        - "nft"

- name: "nfs-client"
  suggests:
    - sssd
  in_directory:
    "system/mount":
      files:
        - "mount.nfs"
    "system/network/nfs":
      extra_directories:
        - "local/nfs"
      extra_files:
        - "local/nfs/rpc.gssd"
      files:
        - "rpc.gssd"
        - "rpc.lockd"
        - "rpc.statd"
        - "rpc.svcgssd"
        - "sm-notify"
    "system/systemd/generators":
      files:
        - "nfs-server-generator"
        - "rpc-pipefs-generator"

- name: "rpcbind"
  in_directory:
    "system/network":
      files:
        - "rpcbind"

- name: "whois"
  in_directory:
    "system/network":
      files:
        - "whois"

- name: "wpa_supplicant"
  in_directory:
    "system/network":
      files:
        - "wpa_supplicant"

# virtualization folder

- name: "catatonit"
  in_directory:
    "system/virtualization":
      files:
        - "catatonit"

- name: "kvm_stat"
  in_directory:
    "system/virtualization":
      files:
        - "kvm_stat"

- name: "libcontainers-common"
  in_directory:
    "system/virtualization/containers":
      included_tunables:
        - "containers"

- name: "podman"
  in_directory:
    "system/virtualization/podman":
      files:
        - "podman"
        - "podman.quadlet"

# NOTE: Qemu’s split rpms mostly use this same profile package.
- name: "qemu"
  in_directory:
    "system/virtualization/qemu":
      files:
        # NOTE: On SUSE at least, qemu’s executables are spread
        #       across many different packages. The generic qemu
        #       profile works as a catch-all, as virtual machine
        #       things mostly need the same privileges.
        #
        #       But note that some executables need to have
        #       their own profiles.
        - "qemu-system"

- name: "virtualbox"
  load_profile_by_systemd:
    vboxdrv: vboxdrv.sh
  in_directory:
    "system/virtualization/virtualbox":
      files:
        - "vboxconfig"
        - "VBoxCreateUSBNode.sh"
        - "vboxdrv.sh"
      extra_files:
        - "lib/udevadm.d/virtualbox"

# Can’t be enabled until “no new privs” override support is available:
# https://bugs.launchpad.net/apparmor/+bug/1908448/comments/2
#- name: "bubblewrap"
#  files:
#    - "system/virtualization/bwrap"

# Miscellaneous profiles

- name: "open-iscsi"
  in_directory:
    "system/systemd/generators":
      files:
        - "ibft-rule-generator"

# filesystem folder

- name: "e2fsprogs"
  in_directory:
    "system/filesystem":
      files:
        - "chattr"
        - "fsck.ext3"

- name: "libostree"
  in_directory:
    "system/filesystem":
      files:
        - "ostree"
    "system/systemd/generators":
      files:
        - "ostree-system-generator"

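- name: "lvm2"
  # TODO: Loading the lvm2-monitor profile via systemd would
  #       probably be a good idea, but it is not wired up yet.
  #       At least since lvm2-monitor.service passes a single
  #       environment variable.
  #
  #       The key is commented out together with its entry on
  #       purpose: a bare `load_profile_by_systemd:` with only
  #       comments below it parses as null rather than as an
  #       empty mapping, which a consumer iterating over it
  #       would trip on.
  #load_profile_by_systemd:
  #  lvm2-monitor: systemd.service.lvm2-monitor
  in_directory:
    "system/filesystem":
      files:
        - "lvm"
      rpm_scriptlets_symlinks:
        - "lvm"
    "system/systemd/generators":
      files:
        - "lvm2-activation-generator"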

- name: "tarsnap"
  in_directory:
    "system/filesystem":
      files:
        - "tarsnap"

- name: "python3-tarsnapper"
  in_directory:
    "system/filesystem":
      files:
        - "tarsnapper"

# cli folder

- name: "acpi"
  in_directory:
    "system/cli":
      files:
        - "acpi"

- name: "the_silver_searcher"
  in_directory:
    "system/cli":
      extra_files:
        - "local/cli/ag"
      files:
        - "ag"

- name: "coreutils"
  in_directory:
    "system/cli/coreutils":
      files:
        - "date"
        - "sleep"
        - "uptime"

- name: "dstat"
  in_directory:
    "system/cli":
      files:
        - "dstat"

- name: "gpm"
  files:
    - "system/cli/gpm"

- name: "hostname"
  in_directory:
    "system/cli":
      files:
        - "hostname"

- name: "htop"
  local:
    - "htop"
  files:
    - "system/cli/htop"

- name: "less"
  files:
    - "system/cli/less"

- name: "lsof"
  in_directory:
    "system/cli":
      files:
        - "lsof"

- name: "man"
  abstractions:
    - "less"
  in_directory:
    "system/cli/man-pages":
      included_tunables:
        - "man-pages"
      files:
        - "apropos"
        - "man"
        - "mandb"
        - "man-db.do_mandb"
        - "man-db.man"
        - "whatis"
      local:
        - "man"
      extra_files:
        - "lib/man-pages"

- name: "mlocate"
  load_profile_by_systemd:
    mlocate: "systemd.service.mlocate"
  in_directory:
    "system/cli":
      files:
        - "locate"
        - "updatedb"

- name: "nmap"
  in_directory:
    "system/cli":
      files:
        - "nmap"

- name: "nvme-cli"
  files:
    - "system/cli/nvme"

- name: "p7zip"
  in_directory:
    "system/cli":
      files:
        - "p7zip"

- name: "pciutils"
  in_directory:
    "system/cli":
      rpm_scriptlets_symlinks:
        - "sbin.lspci"
      files:
        - "sbin.lspci"

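# Indentation below is normalised to the two-space step used by the
# rest of this file (the extra level under the directory keys was
# valid YAML but inconsistent with every other entry).
- name: "procps"
  in_directory:
    "system/cli/procps":
      files:
        - "bin.ps"
        - "pgrep"
        - "pkill"
        - "sysctl"
        - "w"

- name: "procs"
  in_directory:
    "system/cli":
      files:
        - "procs"

- name: "psmisc"
  in_directory:
    "system/cli":
      files:
        - "fuser"
        - "killall"

- name: "quilt"
  included_tunables:
    - "quilt"
  in_directory:
    "system/cli":
      files:
        - "quilt"

# NOTE: mdadm’s profiles live under system/admin even though the
#       entry sits in the cli section of this file.
- name: "mdadm"
  load_profile_by_systemd:
    system_conditional:
      mdcheck_continue:
        profile: "mdcheck"
      mdcheck_start:
        profile: "mdcheck"
  in_directory:
    "system/admin":
      files:
        - "mdadm"
        - "mdcheck"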

- name: "shadow"
  in_directory:
    "system/admin":
      files:
        - "gpasswd"
        - "groupadd"
        - "groupdel"
        - "passwd"
        - "useradd"
        - "usermod"
        - "userdel"

- name: "sysvinit-tools"
  in_directory:
    "system/cli":
      files:
        - "killall5"
        - "killproc"
        #- "pidof"

# systemd folder

- name: "systemd"
  load_profile_by_systemd:
    system_conditional:
      systemd-journald:
        profile: "systemd.systemd-journald"
        # Override NoNewPrivileges=yes (presumably it would
        # otherwise block the transition into the profile).
        #
        # NOTE(review): with NNP off, exec of setuid/fscaps
        #       binaries can gain privileges again, so the
        #       profile’s exec rules are the only thing standing
        #       in for that hardening — keep them tight.
        #
        # NOTE: Before systemd-255, MemoryDenyWriteExecute=
        #       and a few similar flags also need to be
        #       disabled.
        no_new_privs: false
      systemd-logind:
        profile: "systemd-logind"
        no_new_privs: false
      systemd-udevd: systemd-udevd
      systemd-timedated: systemd-timedated.service
    user:
      systemd-tmpfiles-clean: systemd-tmpfiles
      systemd-tmpfiles-setup: systemd-tmpfiles
  abstractions:
    - less
    - sddm
    - systemd
    - vim # For vim-inline-editor.
  included_tunables:
    - "systemd"
  extra_directories:
    - "local/systemd"
  in_directory:
    "system/systemd":
      ghost: # TODO: Implement this in generate_spec.rb.
        - "local/systemd/systemd"
      files:
        # NOTE:
        #   Since systemd can transfer control to specific AppArmor profiles, and I’m not able
        #   to get transitions to work even with “change_profile -> **”, maybe better to
        #   let systemd to run unconfined and just ensure everything else is transitioned to
        #   their correct profiles.
        #
        #   See load_profile_by_systemd in this file for how to specify the profile.
        #- "systemd.pid1"

        # systemd.user seems to work well enough, but...
        #
        # TODO: “systemctl daemon-reexec” as root makes
        #       pid1 use the systemd.user profile. This
        #       needs to be fixed.
        #
        #       For that reason, I’m not enabling
        #       systemd.user here, because this would get
        #       pulled too much around automatically.
        #- "systemd.user"

        - "systemd_generators"
        - "systemd.systemd-journald"
        - "systemd.systemd-sysv-install"
        - "user-environment-generators/30-systemd-environment-d-generator"
        - "3rdparty/systemd.3rdparty.system-environment-generators.60-flatpak-system-only"
        - "3rdparty/systemd.3rdparty.user-environment-generators.60-flatpak"
    "system/systemd/commands":
      extra_files:
        - "local/systemd/busctl"
        - "local/systemd/systemd-tmpfiles"
      files:
        - "busctl"
        - "journalctl"
        - "loginctl"
        - "systemctl"
        - "systemd-cat"
        - "systemd-detect-virt"
        # This is a very thin wrapper utility and I have no
        # real use for it, so I see no reason to implement
        # a profile for it now.
        #- "systemd-inhibit"
        - "systemd-run"
        - "systemd-sysusers"
        - "systemd-tmpfiles"
        - "systemd-tty-ask-password-agent"
        - "timedatectl"
    "system/systemd/generators":
      files:
        - "logind-compat-tasks-max-generator"
        - "systemd-bless-boot-generator"
        - "systemd-cryptsetup-generator"
        - "systemd-debug-generator"
        - "systemd-fstab-generator"
        - "systemd-getty-generator"
        - "systemd-gpt-auto-generator"
        - "systemd-hibernate-resume-generator"
        - "systemd-insserv-generator"
        - "systemd-rc-local-generator"
        - "systemd-run-generator"
        - "systemd-system-update-generator"
        - "systemd-sysv-generator"
        - "systemd-veritysetup-generator"
    "system/systemd/subcommands":
      files:
        - "systemd_subcommand"
        - "systemd-binfmt"
        - "systemd-cryptsetup"
        - "systemd-hostnamed"
        - "systemd-localed"
        - "systemd-logind"
        - "systemd-random-seed"
        - "systemd-rfkill"
        - "systemd-shutdown"
        - "systemd-sleep"
        - "systemd-sysctl"
        - "systemd-timedated"
        - "systemd-udevd"
        - "systemd-update-utmp"
        - "systemd-user-runtime-dir"
        - "systemd-user-sessions"
        - "systemd-vconsole-setup"
    "system/systemd/user-generators":
      files:
        - "systemd-xdg-autostart-generator"

- name: "systemd-coredump"
  load_profile_by_systemd:
    system_conditional:
      "systemd-coredump@":
        profile: "systemd-coredump"
        # Override NoNewPrivileges=yes (presumably it would
        # otherwise block the transition into the profile).
        #
        # NOTE(review): with NNP off, exec of setuid/fscaps
        #       binaries can gain privileges again, so the
        #       profile’s exec rules are the only thing standing
        #       in for that hardening — keep them tight.
        #
        # NOTE: Before systemd-255, MemoryDenyWriteExecute=
        #       and a few similar flags also need to be
        #       disabled.
        no_new_privs: false
  requires:
    - systemd
  in_directory:
    "system/systemd/commands":
      files:
        - "coredumpctl"
    "system/systemd/subcommands":
      files:
        - "systemd-coredump"

- name: "zram-generator"
  requires:
    - systemd
  in_directory:
    "system/systemd/generators":
      files:
        - "zram-generator"

# btrfs folder

- name: "btrfsprogs"
  files:
    - "system/btrfs/btrfs"

- name: "btrfsmaintenance"
  requires:
    - btrfsprogs
  files:
    - "suse/zypper/plugins.commit.btrfs-defrag-plugin.sh"
    - "system/btrfs/btrfsmaintenance.btrfs-balance.sh"
    - "system/btrfs/btrfsmaintenance.btrfs-scrub.sh"

# fontconfig folder

- name: "fontconfig"
  in_directory:
    "system/fontconfig":
      rpm_scriptlets_symlinks:
        - "fc-list"
        - "fc-match"
      extra_directories:
        - "abstractions/fonts.d"
      extra_files:
        - "abstractions/fonts.d/fontconfig"
      files:
        - "fc-list"
        - "fc-match"

# kernel folder

- name: "dracut"
  requires:
    - udev # udevadm profile; dracut requires udev so this is good.
    - util-linux # blkid profile; dracut requires util-linux also.
  recommends:
    - btrfsprogs # btrfs profile. Recommended because if dracut profile is enforced and btrfs is used as filesystem, things will go haywire.
  suggests:
    - systemd # For systemd-detect-virt.
  in_directory:
    "suse/kernel":
      files:
        - "mkinitrd"
    "system/kernel":
      files:
        - "dracut"
        - "dracut-install"
        - "lsinitrd"

- name: "plymouth"
  in_directory:
    "system/kernel":
      files:
        - "plymouth-set-default-theme"
        - "plymouthd"

- name: "plymouth-dracut"
  in_directory:
    "system/kernel":
      files:
        - "plymouth-populate-initrd"

- name: "perl-Bootloader"
  in_directory:
    "system/bootloader":
      files:
        - "bootloader.bootloader_entry"
        - "bootloader.grub2.config"
    "system/kernel":
      files:
        - "pbl"

- name: "utempter"
  abstractions:
    - sddm
  files:
    - "system/kernel/usr.lib.utempter.utempter"

# services folder

- name: "haveged"
  in_directory:
    "system/services":
      files:
        - "haveged"

# kate: indent-width 2