There is precedent in /etc/apparmor.d/abstractions/base holding various rules like these:
$ grep etc_ro /etc/apparmor.d/abstractions/base
@{etc_ro}/locale/** r,
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@{etc_ro}/bindresvport.blacklist r,
@{etc_ro}/ld.so.cache mr,
@{etc_ro}/ld.so.conf r,
@{etc_ro}/ld.so.conf.d/{,*.conf} r,
@{etc_ro}/ld.so.preload r,
@{etc_ro}/ld-musl-*.path r,
I'd think the better fix is to allow it there.
Actually, base isn't the best.
I think it should go into /etc/apparmor.d/abstractions/crypto (which is included by base).
If Adrien knows about similar, "whoever uses it should have read access to that config to restrict it accordingly" config files, we might want to add them all in one block there.