apparmor: publich and use PR#93457
1 diff --git a/etc/apparmor.d/abstractions/base b/etc/apparmor.d/abstractions/base
2 index fabb427..2103c3c 100644
3 --- a/etc/apparmor.d/abstractions/base
4 +++ b/etc/apparmor.d/abstractions/base
5 @@ -30,13 +30,6 @@
6 /etc/locale/** r,
7 /etc/locale.alias r,
8 /etc/localtime r,
9 - /usr/share/locale-bundle/** r,
10 - /usr/share/locale-langpack/** r,
11 - /usr/share/locale/** r,
12 - /usr/share/**/locale/** r,
13 - /usr/share/zoneinfo/ r,
14 - /usr/share/zoneinfo/** r,
15 - /usr/share/X11/locale/** r,
16 /run/systemd/journal/dev-log w,
17 # systemd native journal API (see sd_journal_print(4))
18 /run/systemd/journal/socket w,
19 @@ -45,12 +38,6 @@
20 # anything when reading so this is ok.
21 /run/systemd/journal/stdout rw,
22
23 - /usr/lib{,32,64}/locale/** mr,
24 - /usr/lib{,32,64}/gconv/*.so mr,
25 - /usr/lib{,32,64}/gconv/gconv-modules* mr,
26 - /usr/lib/@{multiarch}/gconv/*.so mr,
27 - /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
28 -
29 # used by glibc when binding to ephemeral ports
30 /etc/bindresvport.blacklist r,
31
32 @@ -59,20 +46,7 @@
33 /etc/ld.so.cache mr,
34 /etc/ld.so.conf r,
35 /etc/ld.so.conf.d/{,*.conf} r,
36 - /etc/ld.so.preload r,
37 - /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr,
38 - /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr,
39 - /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr,
40 - /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr,
41 - /opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
42 -
43 - # we might as well allow everything to use common libraries
44 - /{usr/,}lib{,32,64}/** r,
45 - /{usr/,}lib{,32,64}/**.so* mr,
46 - /{usr/,}lib/@{multiarch}/** r,
47 - /{usr/,}lib/@{multiarch}/**.so* mr,
48 - /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr,
49 - /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr,
50 + /etc/ld-nix.so.preload r,
51
52 # /dev/null is pretty harmless and frequently used
53 /dev/null rw,
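Review bot: The hunk drops every rule for the dynamic loader and shared libraries (`/{usr/,}lib{,32,64}/ld{,32,64}-*.so mr`, `/{usr/,}lib{,32,64}/**.so* mr`, the `@{multiarch}` variants) and adds only `/etc/ld-nix.so.preload r,`, so a profile that includes this abstraction is left with no `mr` grant for whatever replaces them; presumably the loader and libraries live under `/nix/store` and the matching rules are generated by the NixOS apparmor module, but nothing in the patch records that, and a profile built without that generated include will fail at exec time rather than at parse time. A one-line comment beside the new rule would save the next reader from re-deriving it, e.g. `# NixOS: ld.so, libc and shared libraries live under /nix/store; their mr rules are generated per profile by the apparmor module rather than granted here.` The renamed preload path also deserves a note, since `/etc/ld.so.preload` is the upstream glibc default: `# NixOS glibc reads /etc/ld-nix.so.preload instead of /etc/ld.so.preload` — worth confirming against the glibc derivation before committing to that wording. Removing the blanket `/{usr/,}lib{,32,64}/** r` and `**.so* mr` grants is otherwise a tightening, so no objection to the deletion itself.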
54 @@ -101,9 +75,6 @@
55 # libgcrypt reads some flags from /proc
56 @{PROC}/sys/crypto/* r,
57
58 - # some applications will display license information
59 - /usr/share/common-licenses/** r,
60 -
61 # glibc statvfs
62 @{PROC}/filesystems r,
63