felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): add multipath profiles

Browse source 
See #134

Signed-off-by: @cboltz
This commit is contained in:
Alexandre Pujol 2023-08-13 20:06:08 +01:00
parent a2c35b07a5
commit 09943156bc
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
4 changed files with 77 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

31
apparmor.d/profiles-m-r/multipath Normal file
View file

@ -0,0 +1,31 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/multipath
profile multipath @{exec_path} {
include <abstractions/base>
include <abstractions/disks-write>
capability sys_admin,
capability sys_resource,
@{exec_path} mr,
/etc/multipath/bindings rwk,
/etc/multipath.conf r,
@{sys}/bus/ r,
@{sys}/class/ r,
@{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/ r,
@{sys}/devices/pci[0-9]*/**/ata[0-9]*/host[0-9]*/** r,
@{PROC}/devices r,
@{PROC}/sys/fs/nr_open r,
include if exists <local/multipath>
}

43
apparmor.d/profiles-m-r/multipathd Normal file
View file

@ -0,0 +1,43 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/multipathd
profile multipathd @{exec_path} {
include <abstractions/base>
include <abstractions/disks-read>
capability ipc_lock,
capability net_admin,
capability sys_admin,
capability sys_nice,
capability sys_resource,
network netlink raw,
unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"),
@{exec_path} mr,
/etc/multipath.conf r,
/etc/multipath/bindings rwk,
/etc/systemd/system/ r,
@{run}/multipathd.pid rwk,
@{run}/systemd/notify w,
@{sys}/bus/ r,
@{sys}/class/ r,
@{PROC}/devices r,
@{PROC}/sys/fs/nr_open r,
owner @{PROC}/@{pid}/oom_score_adj w,
/dev/mapper/control rw,
include if exists <local/multipathd>
}

2
apparmor.d/profiles-m-r/os-prober
View file

@ -35,7 +35,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
@{bin}/lvm rPx, @{bin}/lvm rPx,
@{bin}/mkdir rix, @{bin}/mkdir rix,
@{bin}/mktemp rix, @{bin}/mktemp rix,
@{bin}/multipath rPUx, @{bin}/multipath rPx,
@{bin}/readlink rix, @{bin}/readlink rix,
@{bin}/rm rix, @{bin}/rm rix,
@{bin}/rmdir rix, @{bin}/rmdir rix,

2
dists/flags/main.flags
View file

@ -211,6 +211,8 @@ mke2fs complain
ModemManager attach_disconnected,complain ModemManager attach_disconnected,complain
molly-guard complain molly-guard complain
mount attach_disconnected,complain mount attach_disconnected,complain
multipath complain
multipathd complain
mutter-x11-frames complain mutter-x11-frames complain
nautilus complain nautilus complain
needrestart attach_disconnected,complain needrestart attach_disconnected,complain