feat(profile): minor improvements.
This commit is contained in:
parent
043dc3fc05
commit
00327dfae1
10 changed files with 35 additions and 11 deletions
|
|
@ -177,7 +177,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{pager_path} rmix,
|
@{pager_path} rmix,
|
||||||
@{bin}/which{,.debianutils} rix,
|
@{bin}/which rix,
|
||||||
|
|
||||||
/root/ r, # For shell pwd
|
/root/ r, # For shell pwd
|
||||||
|
|
||||||
|
|
|
||||||
|
|
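Review bot: The `@{bin}/which` pair in this hunk differs only in the `{,.debianutils}` alternation, and the rendered view does not show which side is the new one. If the new rule is the bare `@{bin}/which rix,`, note that current Debian releases provide `which` through the alternatives system as a symlink to `which.debianutils`, and AppArmor matches on the resolved target path, so the exec would fall outside the rule; if the alternation is the new side, the widening is the correct direction. The same pair appears in the apt-systemd-daily and aptitude-create-state-bundle hunks below. A why-comment such as `@{bin}/which{,.debianutils} rix, # Debian ships which via alternatives` would keep the rule from being simplified again.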
@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} {
|
||||||
@{bin}/touch rix,
|
@{bin}/touch rix,
|
||||||
@{bin}/uniq rix,
|
@{bin}/uniq rix,
|
||||||
@{bin}/wc rix,
|
@{bin}/wc rix,
|
||||||
@{bin}/which{,.debianutils} rix,
|
@{bin}/which rix,
|
||||||
@{bin}/xargs rix,
|
@{bin}/xargs rix,
|
||||||
|
|
||||||
@{bin}/apt-config rPx,
|
@{bin}/apt-config rPx,
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} {
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
|
|
||||||
@{bin}/which{,.debianutils} rix,
|
@{bin}/which rix,
|
||||||
@{bin}/tar rix,
|
@{bin}/tar rix,
|
||||||
@{bin}/bzip2 rix,
|
@{bin}/bzip2 rix,
|
||||||
@{bin}/gzip rix,
|
@{bin}/gzip rix,
|
||||||
|
|
|
||||||
|
|
@ -10,13 +10,14 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/unattended-upgrade
|
@{exec_path} = @{bin}/unattended-upgrade
|
||||||
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/common/apt>
|
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/bus/org.freedesktop.login1>
|
include <abstractions/bus/org.freedesktop.login1>
|
||||||
include <abstractions/bus/org.freedesktop.NetworkManager>
|
include <abstractions/bus/org.freedesktop.NetworkManager>
|
||||||
include <abstractions/bus/org.freedesktop.PackageKit>
|
include <abstractions/bus/org.freedesktop.PackageKit>
|
||||||
|
include <abstractions/common/apt>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/perl>
|
||||||
include <abstractions/python>
|
include <abstractions/python>
|
||||||
|
|
||||||
capability chown,
|
capability chown,
|
||||||
|
|
@ -65,7 +66,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{etc_ro}/login.defs r,
|
@{etc_ro}/login.defs r,
|
||||||
@{etc_ro}/security/capability.conf r,
|
@{etc_ro}/security/capability.conf r,
|
||||||
/etc/apport/report-ignore/ r,
|
/etc/apport/report-ignore/{,**} r,
|
||||||
/etc/apt/*.list r,
|
/etc/apt/*.list r,
|
||||||
/etc/apt/apt.conf.d/{,**} r,
|
/etc/apt/apt.conf.d/{,**} r,
|
||||||
/etc/debian_version r,
|
/etc/debian_version r,
|
||||||
|
|
@ -89,8 +90,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
||||||
/etc/vmware-tools/* r,
|
/etc/vmware-tools/* r,
|
||||||
|
|
||||||
/var/log/unattended-upgrades/{,**} rw,
|
/var/log/unattended-upgrades/{,**} rw,
|
||||||
|
/var/crash/*.crash w,
|
||||||
|
|
||||||
/var/lib/apt/periodic/unattended-upgrades-stamp w,
|
/var/lib/apt/periodic/unattended-upgrades-stamp w,
|
||||||
|
/var/lib/dpkg/info/ r,
|
||||||
/var/lib/dpkg/lock rwk,
|
/var/lib/dpkg/lock rwk,
|
||||||
/var/lib/dpkg/lock-frontend rwk,
|
/var/lib/dpkg/lock-frontend rwk,
|
||||||
/var/lib/dpkg/updates/ r,
|
/var/lib/dpkg/updates/ r,
|
||||||
|
|
|
||||||
|
|
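Review bot: `include <abstractions/perl>` is added to the unattended-upgrade profile without a comment, and nothing in the hunk shows which child needs it, since the daemon itself is covered by `include <abstractions/python>` and its package tools are reached through their own profiles. A one-line comment naming the helper or hook that prompted it (for example `include <abstractions/perl> # for <helper> — TODO confirm`) would let the next reviewer judge whether the extra read access is still required. The same applies to the new `/var/crash/*.crash w,` rule, whose write-only permission is worth tying to the denial that motivated it.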
@ -14,8 +14,9 @@ profile update-grub @{exec_path} {
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
@{sh_path} rix,
|
|
||||||
@{sbin}/grub-mkconfig rPx,
|
@{sh_path} rix,
|
||||||
|
@{sbin}/grub-mkconfig rPx,
|
||||||
|
|
||||||
/dev/tty@{int} rw,
|
/dev/tty@{int} rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) {
|
||||||
@{sys}/devices/**/power_supply/{,**} r,
|
@{sys}/devices/**/power_supply/{,**} r,
|
||||||
@{sys}/devices/virtual/thermal/{,**} r,
|
@{sys}/devices/virtual/thermal/{,**} r,
|
||||||
|
|
||||||
|
|
||||||
include if exists <local/acpi>
|
include if exists <local/acpi>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -44,13 +44,14 @@ profile evince @{exec_path} {
|
||||||
/usr/share/poppler/{,**} r,
|
/usr/share/poppler/{,**} r,
|
||||||
/usr/share/thumbnailers/{,*} r,
|
/usr/share/thumbnailers/{,*} r,
|
||||||
|
|
||||||
owner @{user_share_dirs}/ r,
|
|
||||||
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
owner @{user_share_dirs}/gvfs-metadata/{,*} r,
|
||||||
owner @{user_config_dirs}/evince/{,*} rw,
|
owner @{user_config_dirs}/evince/{,*} rw,
|
||||||
|
|
||||||
|
owner @{tmp}/.goutputstream-@{rand6} rw,
|
||||||
owner @{tmp}/*.pdf r,
|
owner @{tmp}/*.pdf r,
|
||||||
owner @{tmp}/evince-@{int}/{,**} rw,
|
owner @{tmp}/evince-@{int}/{,**} rw,
|
||||||
owner @{tmp}/gtkprint* rw,
|
owner @{tmp}/gtkprint_@{rand6} rw,
|
||||||
|
owner @{tmp}/gtkprint@{rand6} rw,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/fd/ r,
|
owner @{PROC}/@{pid}/fd/ r,
|
||||||
owner @{PROC}/@{pid}/mountinfo r,
|
owner @{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
|
||||||
|
|
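Review bot: The two gtkprint rules in this hunk, `owner @{tmp}/gtkprint_@{rand6} rw,` and `owner @{tmp}/gtkprint@{rand6} rw,`, differ only by the underscore and can be expressed as one rule, `owner @{tmp}/gtkprint{_,}@{rand6} rw,`, which reads the same way the existing `{,**}` alternations in this profile do. If only one of them is meant to survive on the new side, the rendered view does not make that clear, so the alternation form also removes the ambiguity.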
@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/basename rix,
|
@{bin}/basename rix,
|
||||||
@{bin}/false rix,
|
@{bin}/false rix,
|
||||||
@{bin}/id rix,
|
@{bin}/id rix,
|
||||||
@{sbin}/sysctl rPx,
|
@{sbin}/sysctl rCx -> sysctl,
|
||||||
@{bin}/true rix,
|
@{bin}/true rix,
|
||||||
|
|
||||||
@{lib}/modprobe.d/{,*.conf} r,
|
@{lib}/modprobe.d/{,*.conf} r,
|
||||||
|
|
@ -74,6 +74,18 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
||||||
deny @{user_share_dirs}/gvfs-metadata/* r,
|
deny @{user_share_dirs}/gvfs-metadata/* r,
|
||||||
deny unix (receive) type=stream,
|
deny unix (receive) type=stream,
|
||||||
|
|
||||||
|
profile sysctl {
|
||||||
|
include <abstractions/base>
|
||||||
|
|
||||||
|
@{sbin}/sysctl mr,
|
||||||
|
|
||||||
|
/etc/sysctl.conf r,
|
||||||
|
/etc/sysctl.d/{,**} r,
|
||||||
|
/usr/lib/sysctl.d/{,**} r,
|
||||||
|
|
||||||
|
include if exists <local/kmod_sysctl>
|
||||||
|
}
|
||||||
|
|
||||||
include if exists <local/kmod>
|
include if exists <local/kmod>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
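Review bot: The new `sysctl` child profile grants only read access to its configuration files and `@{sbin}/sysctl mr,`, but no rule under `@{PROC}/sys/`, which is where sysctl writes the values it applies; unless kmod only ever invokes it for read-only queries, `sysctl -p`/`--system` from the child will be denied (some keys additionally check capabilities). A rule such as `@{PROC}/sys/{,**} rw,` inside `profile sysctl { ... }` would cover that, to be confirmed against the denial log. Separately, `/usr/lib/sysctl.d/{,**} r,` hard-codes `/usr/lib` while the parent profile in the previous hunk uses `@{lib}/modprobe.d/`; `@{lib}/sysctl.d/{,**} r,` keeps the file consistent.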
@ -96,6 +96,12 @@ profile mkinitramfs @{exec_path} {
|
||||||
owner /var/tmp/mkinitramfs-@{rand6} rw,
|
owner /var/tmp/mkinitramfs-@{rand6} rw,
|
||||||
owner /var/tmp/mkinitramfs-*_@{rand6} rw,
|
owner /var/tmp/mkinitramfs-*_@{rand6} rw,
|
||||||
|
|
||||||
|
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
|
||||||
|
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
|
||||||
|
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
|
||||||
|
owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
|
||||||
|
owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
|
||||||
|
|
||||||
@{sys}/devices/platform/ r,
|
@{sys}/devices/platform/ r,
|
||||||
@{sys}/devices/platform/**/ r,
|
@{sys}/devices/platform/**/ r,
|
||||||
@{sys}/devices/platform/**/modalias r,
|
@{sys}/devices/platform/**/modalias r,
|
||||||
|
|
|
||||||
|
|
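Review bot: The five added `owner /tmp/tmp.@{rand10}/mkinitramfs...` rules hard-code `/tmp/` while the evince hunk in this same commit uses `@{tmp}` for the same location, so `owner @{tmp}/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,` and the matching link rule target would be consistent with the rest of the repository. The directory rule and the `**` rule could also be expressed as `owner @{tmp}/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**} rw,`, leaving only the `l -> ...` rule separate since it needs the explicit target. The enclosing `profile mkinitramfs` block starts and ends outside this hunk.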
@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
|
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
|
||||||
|
|
||||||
|
/dev/udmabuf rw,
|
||||||
|
|
||||||
include if exists <local/spice-vdagent>
|
include if exists <local/spice-vdagent>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||