diff --git a/etc/apparmor.d/abstractions/base b/etc/apparmor.d/abstractions/base index fabb427..2103c3c 100644 --- a/etc/apparmor.d/abstractions/base +++ b/etc/apparmor.d/abstractions/base @@ -30,13 +30,6 @@ /etc/locale/** r, /etc/locale.alias r, /etc/localtime r, - /usr/share/locale-bundle/** r, - /usr/share/locale-langpack/** r, - /usr/share/locale/** r, - /usr/share/**/locale/** r, - /usr/share/zoneinfo/ r, - /usr/share/zoneinfo/** r, - /usr/share/X11/locale/** r, /run/systemd/journal/dev-log w, # systemd native journal API (see sd_journal_print(4)) /run/systemd/journal/socket w, @@ -45,12 +38,6 @@ # anything when reading so this is ok. /run/systemd/journal/stdout rw, - /usr/lib{,32,64}/locale/** mr, - /usr/lib{,32,64}/gconv/*.so mr, - /usr/lib{,32,64}/gconv/gconv-modules* mr, - /usr/lib/@{multiarch}/gconv/*.so mr, - /usr/lib/@{multiarch}/gconv/gconv-modules* mr, - # used by glibc when binding to ephemeral ports /etc/bindresvport.blacklist r, @@ -59,20 +46,7 @@ /etc/ld.so.cache mr, /etc/ld.so.conf r, /etc/ld.so.conf.d/{,*.conf} r, - /etc/ld.so.preload r, - /{usr/,}lib{,32,64}/ld{,32,64}-*.so mr, - /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so mr, - /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so mr, - /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mr, - /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, - - # we might as well allow everything to use common libraries - /{usr/,}lib{,32,64}/** r, - /{usr/,}lib{,32,64}/**.so* mr, - /{usr/,}lib/@{multiarch}/** r, - /{usr/,}lib/@{multiarch}/**.so* mr, - /{usr/,}lib/tls/i686/{cmov,nosegneg}/*.so* mr, - /{usr/,}lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/*.so* mr, + /etc/ld-nix.so.preload r, # /dev/null is pretty harmless and frequently used /dev/null rw, @@ -101,9 +75,6 @@ # libgcrypt reads some flags from /proc @{PROC}/sys/crypto/* r, - # some applications will display license information - /usr/share/common-licenses/** r, - # glibc statvfs @{PROC}/filesystems r,
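Review bot: The added `/etc/ld-nix.so.preload r,` rule in the third hunk (`@@ -59,20 +46,7 @@`) has no comment saying which loader reads that file. The same hunk also deletes every `mr` rule for `ld-*.so` and the shared-library directories, so `abstractions/base` no longer lets a profile map its dynamic loader or libraries. Presumably those paths are granted elsewhere (the file name suggests a Nix-patched glibc with libraries outside `/usr/lib`), but nothing in this diff shows it, and a profile that relies only on this abstraction would likely see denials at exec time. I would add a comment above the rule such as `# preload list read by the patched loader; loader/library mr rules come from <PLACEHOLDER: abstraction or profile that grants them>`. Also confirm that every library named in the preload file has an explicit `mr` rule, since whatever that file lists is loaded into each confined process.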