tests(check): enable and enfore more checks.
This commit is contained in:
Alexandre Pujol
Alex
parent
da4f5f8a2c
commit
1d3b58f15c
57 changed files with 148 additions and 130 deletions
|
|
@ -56,10 +56,10 @@
|
|||
owner @{HOME}/.var/app/** rmix,
|
||||
owner @{HOME}/** rwmlk -> @{HOME}/**,
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide
|
||||
owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide
|
||||
owner @{user_games_dirs}/** rmix,
|
||||
|
||||
#aa:lint ignore=too_wide
|
||||
#aa:lint ignore=too-wide
|
||||
owner @{tmp}/** rmwk,
|
||||
owner /dev/shm/** rwlk -> /dev/shm/**,
|
||||
owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ profile deb-systemd-invoke @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/systemctl rix,
|
||||
@{bin}/systemctl rix, #aa:lint ignore=transition
|
||||
@{bin}/systemd-tty-ask-password-agent Px,
|
||||
|
||||
include if exists <local/deb-systemd-invoke>
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ profile debsums @{exec_path} {
|
|||
/etc/{,**} r,
|
||||
/var/lib/{,**} r,
|
||||
/opt/{,**} r,
|
||||
/boot/{,**} r,
|
||||
@{efi}/{,**} r,
|
||||
/lib*/{,**} r,
|
||||
|
||||
include if exists <local/debsums>
|
||||
|
|
|
|||
|
|
@ -43,10 +43,11 @@ profile dpkg @{exec_path} {
|
|||
# For shell pwd
|
||||
/root/ r,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
# Install/update packages
|
||||
/ r,
|
||||
/*{,/} rw,
|
||||
/boot/** rwl -> /boot/**,
|
||||
@{efi}/** rwl -> @{efi}/**,
|
||||
/etc/** rwl -> /etc/**,
|
||||
/opt/** rwl -> /opt/**,
|
||||
/srv/** rwl -> /srv/**,
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} {
|
|||
/var/lib/dpkg/diversions-new rw,
|
||||
/var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
/etc/** rw,
|
||||
|
||||
include if exists <local/dpkg-divert>
|
||||
|
|
|
|||
|
|
@ -56,6 +56,7 @@ profile dpkg-scripts @{exec_path} {
|
|||
/etc/** PUx,
|
||||
/usr/share/** PUx,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
# Maintainer's scripts can update a lot of files
|
||||
/ r,
|
||||
/*/ r,
|
||||
|
|
@ -65,6 +66,7 @@ profile dpkg-scripts @{exec_path} {
|
|||
@{lib}/** w,
|
||||
/opt/*/** rw,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
/etc/ r,
|
||||
/etc/** rw,
|
||||
/usr/share/*/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/ r,
|
||||
/.snapshots/ r,
|
||||
/boot/ r,
|
||||
/boot/**/ r,
|
||||
@{efi}/ r,
|
||||
@{efi}/**/ r,
|
||||
/home/ r,
|
||||
/opt/ r,
|
||||
/root/ r,
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
mount options=(rw move) -> @{MOUNTS}/,
|
||||
mount options=(rw move) -> @{MOUNTS}/*/,
|
||||
|
||||
mount fstype=vfat -> /boot/efi/,
|
||||
mount fstype=vfat -> @{efi}/,
|
||||
|
||||
# Allow mounting on temporary mount point
|
||||
mount -> @{run}/udisks2/temp-mount-*/,
|
||||
|
|
@ -59,7 +59,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
|
|||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
umount @{run}/udisks2/temp-mount-*/,
|
||||
umount /boot/efi/,
|
||||
umount @{efi}/,
|
||||
umount /media/cdrom@{int}/,
|
||||
|
||||
signal receive set=int peer=@{p_systemd},
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} {
|
|||
@{sh_path} rix,
|
||||
@{bin}/dconf rix,
|
||||
@{bin}/install rix,
|
||||
@{bin}/pgrep rix,
|
||||
@{bin}/pkill rix,
|
||||
@{bin}/pgrep rCx -> pgrep,
|
||||
@{bin}/pkill rCx -> pgrep,
|
||||
@{bin}/setpriv rix,
|
||||
@{bin}/setsid rix,
|
||||
|
||||
|
|
@ -48,6 +48,15 @@ profile gdm-generate-config @{exec_path} {
|
|||
@{PROC}/tty/drivers r,
|
||||
@{PROC}/uptime r,
|
||||
|
||||
profile pgrep {
|
||||
include <abstractions/base>
|
||||
include <abstractions/app/pgrep>
|
||||
|
||||
@{bin}/pkill mr,
|
||||
|
||||
include if exists <local/gdm-generate-config_pgrep>
|
||||
}
|
||||
|
||||
include if exists <local/gdm-generate-config>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -81,6 +81,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/var/cache/fontconfig/ rw,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
# Full access to user's data
|
||||
/ r,
|
||||
/*/ r,
|
||||
|
|
@ -97,7 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{tmp}/** rw,
|
||||
|
||||
# Silence non user's data
|
||||
deny /boot/{,**} r,
|
||||
deny @{efi}/{,**} r,
|
||||
deny /opt/{,**} r,
|
||||
deny /root/{,**} r,
|
||||
deny /tmp/.* rw,
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/boot/grub/grubenv rw,
|
||||
@{efi}/grub/grubenv rw,
|
||||
|
||||
include if exists <local/grub-editenv>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,12 +30,12 @@ profile grub-install @{exec_path} flags=(complain) {
|
|||
/etc/default/grub.d/{,**} r,
|
||||
/etc/default/grub r,
|
||||
|
||||
/boot/efi/ r,
|
||||
/boot/EFI/*/grubx*.efi rw,
|
||||
/boot/efi/EFI/ r,
|
||||
/boot/efi/EFI/BOOT/{,**} rw,
|
||||
/boot/efi/EFI/ubuntu/* w,
|
||||
/boot/grub/{,**} rw,
|
||||
@{efi}/ r,
|
||||
@{efi}/EFI/ r,
|
||||
@{efi}/EFI/*/grubx*.efi rw,
|
||||
@{efi}/EFI/BOOT/{,**} rw,
|
||||
@{efi}/EFI/ubuntu/* w,
|
||||
@{efi}/grub/{,**} rw,
|
||||
|
||||
@{sys}/devices/**/hid r,
|
||||
@{sys}/devices/**/path r,
|
||||
|
|
|
|||
|
|
@ -81,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
|
|||
/.zfs/snapshot/*/etc/fstab r,
|
||||
/.zfs/snapshot/*/etc/machine-id r,
|
||||
|
||||
/boot/{,**} r,
|
||||
/boot/grub/{,**} rw,
|
||||
@{efi}/{,**} r,
|
||||
@{efi}/grub/{,**} rw,
|
||||
|
||||
/tmp/grub-*.@{rand10}/{,**} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -21,8 +21,8 @@ profile grub-mkrelpath @{exec_path} {
|
|||
/ r,
|
||||
/usr/share/grub/* r,
|
||||
|
||||
/boot/ r,
|
||||
/boot/grub/themes/{,**} r,
|
||||
@{efi}/ r,
|
||||
@{efi}/grub/themes/{,**} r,
|
||||
|
||||
/tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r,
|
||||
/tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r,
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ profile grub-multi-install @{exec_path} {
|
|||
@{lib}/terminfo/x/xterm-256color r,
|
||||
/usr/share/debconf/confmodule r,
|
||||
|
||||
/boot/grub/grub.cfg rw,
|
||||
@{efi}/grub/grub.cfg rw,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
|
|
|
|||
|
|
@ -26,9 +26,9 @@ profile grub-probe @{exec_path} {
|
|||
/usr/share/grub/* r,
|
||||
|
||||
/ r,
|
||||
/boot/ r,
|
||||
/boot/grub/ r,
|
||||
/boot/grub/themes/{,**} r,
|
||||
@{efi}/ r,
|
||||
@{efi}/grub/ r,
|
||||
@{efi}/grub/themes/{,**} r,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/devices r,
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
/boot/grub/grub* rw,
|
||||
@{efi}/grub/grub* rw,
|
||||
|
||||
include if exists <local/grub-script-check>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ profile dolphin @{exec_path} {
|
|||
owner @{tmp}/{,**} rw,
|
||||
|
||||
# Silence non user's data
|
||||
deny /boot/{,**} r,
|
||||
deny @{efi}/{,**} r,
|
||||
deny /opt/{,**} r,
|
||||
deny /root/{,**} r,
|
||||
deny /tmp/.* rw,
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@ profile kioworker @{exec_path} {
|
|||
owner @{tmp}/{,**} rw,
|
||||
|
||||
# Silence non user's data
|
||||
deny /boot/{,**} r,
|
||||
deny @{efi}/{,**} r,
|
||||
deny /etc/{,**} r,
|
||||
deny /opt/{,**} r,
|
||||
deny /root/{,**} r,
|
||||
|
|
|
|||
|
|
@ -82,10 +82,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
|
|||
# Manage /boot
|
||||
/ r,
|
||||
@{efi}/ r,
|
||||
@{efi}/EFI/{,**} rw,
|
||||
@{efi}/@{hex32}/{,**} rw,
|
||||
/boot/initramfs-*.img* rw,
|
||||
/boot/vmlinuz-* r,
|
||||
@{efi}/EFI/{,**} rw,
|
||||
@{efi}/initramfs-*.img* rw,
|
||||
@{efi}/vmlinuz-* r,
|
||||
|
||||
/usr/share/systemd/bootctl/** r,
|
||||
|
||||
|
|
|
|||
|
|
@ -38,7 +38,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
# packages files
|
||||
/ r,
|
||||
/boot/{,**} r,
|
||||
@{efi}/{,**} r,
|
||||
/etc/{,**} rw,
|
||||
/opt/{,**} r,
|
||||
/srv/{,**} r,
|
||||
|
|
|
|||
|
|
@ -116,9 +116,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
|
|||
/**/ r,
|
||||
|
||||
# Install/update packages
|
||||
#aa:lint ignore=too-wide
|
||||
/ r,
|
||||
/*{,/} rw,
|
||||
/boot/** rwl -> /boot/**,
|
||||
@{efi}/** rwl -> @{efi}/**,
|
||||
/etc/** rwl -> /etc/**,
|
||||
/opt/** rwl -> /opt/**,
|
||||
/srv/** rwl -> /srv/**,
|
||||
|
|
|
|||
|
|
@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/mkinitcpio.d/*.preset{,.pacsave} rw,
|
||||
|
||||
/ r,
|
||||
/boot/ r,
|
||||
/{boot,efi}/EFI/boot/boot*.efi rw,
|
||||
/boot/initramfs-*-fallback.img rw,
|
||||
/boot/initramfs-*.img rw,
|
||||
/boot/vmlinuz-* rw,
|
||||
@{efi}/ r,
|
||||
@{efi}/EFI/boot/boot*.efi rw,
|
||||
@{efi}/initramfs-*-fallback.img rw,
|
||||
@{efi}/initramfs-*.img rw,
|
||||
@{efi}/vmlinuz-* rw,
|
||||
|
||||
/dev/tty rw,
|
||||
owner /dev/pts/@{int} rw,
|
||||
|
|
|
|||
|
|
@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} {
|
|||
/usr/share/mkinitcpio/*.preset r,
|
||||
/etc/mkinitcpio.d/*.preset rw,
|
||||
|
||||
/boot/vmlinuz-* rw,
|
||||
/boot/initramfs-*.img rw,
|
||||
/boot/initramfs-*-fallback.img rw,
|
||||
@{efi}/vmlinuz-* rw,
|
||||
@{efi}/initramfs-*.img rw,
|
||||
@{efi}/initramfs-*-fallback.img rw,
|
||||
|
||||
/dev/tty rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ profile snap-update-ns @{exec_path} {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
mount -> /boot/,
|
||||
mount -> @{efi}/,
|
||||
mount -> /snap/**,
|
||||
mount -> /tmp/.snap/**,
|
||||
mount -> /usr/**,
|
||||
|
|
|
|||
|
|
@ -133,8 +133,8 @@ profile snapd @{exec_path} {
|
|||
/tmp/syscheck-mountpoint-@{int}/{,**} rw,
|
||||
/tmp/syscheck-squashfs-@{int} rw,
|
||||
|
||||
/boot/ r,
|
||||
/boot/grub/grubenv r,
|
||||
@{efi}/ r,
|
||||
@{efi}/grub/grubenv r,
|
||||
|
||||
/ r,
|
||||
/home/ r,
|
||||
|
|
|
|||
|
|
@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) {
|
|||
@{exec_path} mr,
|
||||
|
||||
/ r,
|
||||
/boot/ r,
|
||||
/efi/ r,
|
||||
@{efi}/ r,
|
||||
/etc/fstab r,
|
||||
/usr/ r,
|
||||
|
||||
|
|
|
|||
|
|
@ -19,8 +19,8 @@ profile grub-common.service {
|
|||
@{bin}/mkdir ix,
|
||||
@{bin}/rm ix,
|
||||
|
||||
/boot/grub/ w,
|
||||
/boot/grub/grubenv rw,
|
||||
@{efi}/grub/ w,
|
||||
@{efi}/grub/grubenv rw,
|
||||
|
||||
include if exists <local/grub-common.service>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -63,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/ubuntu-advantage/uaclient.conf r,
|
||||
/etc/update-manager/{,**} r,
|
||||
|
||||
/boot/ r,
|
||||
@{efi}/ r,
|
||||
|
||||
/var/lib/dpkg/info/*.list r,
|
||||
/var/lib/dpkg/updates/ r,
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ profile fsck @{exec_path} flags=(attach_disconnected) {
|
|||
# When a mount dir is passed to fsck as an argument.
|
||||
@{HOME}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
/boot/ r,
|
||||
@{efi}/ r,
|
||||
|
||||
@{run}/mount/utab r,
|
||||
@{run}/systemd/fsck.progress rw,
|
||||
|
|
|
|||
|
|
@ -22,8 +22,7 @@ profile fstrim @{exec_path} flags=(attach_disconnected) {
|
|||
@{MOUNTDIRS}/ r,
|
||||
@{MOUNTS}/ r,
|
||||
/ r,
|
||||
/boot/ r,
|
||||
/boot/efi/ r,
|
||||
@{efi}/ r,
|
||||
/var/ r,
|
||||
|
||||
@{PROC}/@{pid}/mountinfo r,
|
||||
|
|
|
|||
|
|
@ -58,7 +58,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) {
|
|||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
# Silence non user's data
|
||||
deny /boot/{,**} r,
|
||||
deny @{efi}/{,**} r,
|
||||
deny /opt/{,**} r,
|
||||
deny /root/{,**} r,
|
||||
deny /tmp/.* rw,
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ profile baobab @{exec_path} {
|
|||
/ r,
|
||||
/** r,
|
||||
|
||||
deny /boot/{,**} r,
|
||||
deny @{efi}/{,**} r,
|
||||
|
||||
include if exists <local/baobab>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ profile deluser @{exec_path} {
|
|||
|
||||
owner /etc/shadow r,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
# This is for the "--remove-all-files" flag, which it used to remove all files owned by the user
|
||||
# that's going to be deleted. Basically it scans all the files in the system in each dir and look
|
||||
# for matches. This also includes files required by the "--remove-home" flag as well as the
|
||||
|
|
|
|||
|
|
@ -117,7 +117,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/modules/*/modules.* rw,
|
||||
/var/lib/dkms/**/module/*.ko* r,
|
||||
|
||||
owner /boot/System.map-* r,
|
||||
owner @{efi}/System.map-* r,
|
||||
|
||||
owner @{tmp}/tmp.@{rand10} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ profile dlocate @{exec_path} {
|
|||
@{bin}/md5sum mr,
|
||||
|
||||
# For the md5 check
|
||||
/boot/** r,
|
||||
@{efi}/** r,
|
||||
/usr/** r,
|
||||
|
||||
include if exists <local/dlocate_md5sum>
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ profile etckeeper @{exec_path} {
|
|||
/etc/etckeeper/*.d/* rix,
|
||||
/etc/etckeeper/daily rix,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
/etc/ rw,
|
||||
/etc/** rwkl -> /etc/**,
|
||||
|
||||
|
|
|
|||
|
|
@ -92,7 +92,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/,
|
||||
|
||||
mount /dev/{s,v}d[a-z]*@{int} -> /boot/,
|
||||
mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/,
|
||||
mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/,
|
||||
mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/,
|
||||
|
||||
|
|
@ -108,7 +108,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
umount /tmp/gparted-*/,
|
||||
|
||||
umount /boot/,
|
||||
umount @{efi}/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
|
||||
|
|
|
|||
|
|
@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} {
|
|||
|
||||
@{sys}/kernel/kexec_loaded r,
|
||||
|
||||
owner /boot/grub/{grub.cfg,grubenv} r,
|
||||
owner @{efi}/grub/{grub.cfg,grubenv} r,
|
||||
|
||||
@{PROC}/cmdline r,
|
||||
|
||||
|
|
|
|||
|
|
@ -35,7 +35,7 @@ profile ioping @{exec_path} {
|
|||
/bin/* r,
|
||||
/sbin/* r,
|
||||
/etc/** r,
|
||||
/boot/** r,
|
||||
@{efi}/** r,
|
||||
/opt/** r,
|
||||
/var/** r,
|
||||
@{MOUNTS}/** r,
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ profile kconfig-hardened-check @{exec_path} {
|
|||
|
||||
|
||||
# The usual kernel config locations
|
||||
/boot/config-* r,
|
||||
@{efi}/config-* r,
|
||||
@{PROC}/config.gz r,
|
||||
|
||||
# This is for kernels, which are built manually
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ profile kernel @{exec_path} {
|
|||
|
||||
# For shell pwd
|
||||
/ r,
|
||||
/boot/ r,
|
||||
@{efi}/ r,
|
||||
|
||||
/etc/apt/apt.conf.d/ r,
|
||||
/etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
|
||||
|
|
|
|||
|
|
@ -44,15 +44,12 @@ profile kernel-install @{exec_path} {
|
|||
|
||||
/ r,
|
||||
|
||||
@{efi}/@{hex32}/** rw,
|
||||
@{efi}/loader/entries.srel r,
|
||||
|
||||
owner /boot/{vmlinuz,initrd.img}-* r,
|
||||
owner /boot/[a-f0-9]*/*/ rw,
|
||||
owner /boot/[a-f0-9]*/*/{linux,initrd} w,
|
||||
owner /boot/loader/ rw,
|
||||
owner /boot/loader/entries/ rw,
|
||||
owner /boot/loader/entries/*.conf w,
|
||||
@{efi}/@{hex32}/** rw,
|
||||
@{efi}/loader/entries.srel r,
|
||||
owner @{efi}/{vmlinuz,initrd.img}-* r,
|
||||
owner @{efi}/loader/ rw,
|
||||
owner @{efi}/loader/entries/ rw,
|
||||
owner @{efi}/loader/entries/*.conf w,
|
||||
|
||||
owner /tmp/kernel-install.staging.@{rand6}/{,**} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner /boot/{initrd.img,vmlinuz}-* r,
|
||||
owner @{efi}/{initrd.img,vmlinuz}-* r,
|
||||
|
||||
@{sys}/firmware/memmap/ r,
|
||||
@{sys}/firmware/memmap/@{int}/{start,end,type} r,
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
|
|||
owner /var/tmp/*modules*/{,**} rw,
|
||||
owner /var/tmp/dracut.*/{,**} rw,
|
||||
|
||||
owner /boot/System.map-* r,
|
||||
owner @{efi}/System.map-* r,
|
||||
owner @{tmp}/mkinitcpio.*/{,**} rw,
|
||||
|
||||
# For local kernel build
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ profile linux-version @{exec_path} {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/boot/ r,
|
||||
@{efi}/ r,
|
||||
|
||||
include if exists <local/linux-version>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -87,9 +87,9 @@ profile mkinitramfs @{exec_path} {
|
|||
|
||||
/etc/modprobe.d/{,*.conf} r,
|
||||
|
||||
/boot/ r,
|
||||
owner /boot/config-* r,
|
||||
owner /boot/initrd.img-*.new rw,
|
||||
@{efi}/ r,
|
||||
owner @{efi}/config-* r,
|
||||
owner @{efi}/initrd.img-*.new rw,
|
||||
|
||||
owner /var/lib/kdump/initramfs-tools/** rw,
|
||||
owner /var/lib/kdump/initrd.* rw,
|
||||
|
|
|
|||
|
|
@ -26,9 +26,9 @@ profile needrestart-iucode-scan-versions @{exec_path} {
|
|||
/etc/default/intel-microcode r,
|
||||
/etc/needrestart/iucode.sh r,
|
||||
|
||||
/boot/amd-ucode.img r,
|
||||
/boot/intel-ucode.img r,
|
||||
/boot/early_ucode.cpio r,
|
||||
@{efi}/amd-ucode.img r,
|
||||
@{efi}/intel-ucode.img r,
|
||||
@{efi}/early_ucode.cpio r,
|
||||
|
||||
@{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r,
|
||||
|
||||
|
|
|
|||
|
|
@ -26,8 +26,9 @@ profile needrestart-vmlinuz-get-version @{exec_path} {
|
|||
@{bin}/which{,.debianutils} rPx,
|
||||
@{bin}/xz rix,
|
||||
|
||||
/boot/intel-ucode.img r,
|
||||
/boot/vmlinuz* r,
|
||||
@{efi}/amd-ucode.img r,
|
||||
@{efi}/intel-ucode.img r,
|
||||
@{efi}/vmlinuz* r,
|
||||
|
||||
owner @{tmp}/tmp.@{rand10} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -63,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{MOUNTS}/ r,
|
||||
/ r,
|
||||
/boot/{efi/,} r,
|
||||
/boot/{efi/,}EFI/ r,
|
||||
/boot/{efi/,}EFI/**/ r,
|
||||
@{efi}/ r,
|
||||
@{efi}/EFI/ r,
|
||||
@{efi}/EFI/**/ r,
|
||||
|
||||
owner @{tmp}/os-prober.*/{,**} rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -74,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
|
||||
/usr/share/libalpm/scripts/* rPx,
|
||||
|
||||
#aa:lint ignore=too-wide
|
||||
# Install/update packages
|
||||
/ r,
|
||||
/*{,/} rw,
|
||||
/boot/** rwl -> /boot/**,
|
||||
@{efi}/** rwl -> @{efi}/**,
|
||||
/etc/** rwl -> /etc/**,
|
||||
/opt/** rwl -> /opt/**,
|
||||
/srv/** rwl -> /srv/**,
|
||||
|
|
|
|||
|
|
@ -89,8 +89,10 @@ profile spectre-meltdown-checker @{exec_path} {
|
|||
owner /dev/cpu/@{int}/msr rw,
|
||||
owner /dev/kmsg r,
|
||||
|
||||
/boot/ r,
|
||||
/boot/{config,vmlinuz,System.map}-* r,
|
||||
@{efi}/ r,
|
||||
@{efi}/config r,
|
||||
@{efi}/System.map-* r,
|
||||
@{efi}/vmlinuz-* r,
|
||||
|
||||
@{sys}/devices/system/cpu/vulnerabilities/* r,
|
||||
@{sys}/module/kvm_intel/parameters/ept r,
|
||||
|
|
|
|||
|
|
@ -44,7 +44,7 @@ profile ucf @{exec_path} {
|
|||
/usr/share/** r,
|
||||
|
||||
# For writing new config files
|
||||
/etc/** rw,
|
||||
/etc/** rw, #aa:lint ignore=too-wide
|
||||
|
||||
# For shell pwd
|
||||
/ r,
|
||||
|
|
|
|||
|
|
@ -31,8 +31,8 @@ profile unmkinitramfs @{exec_path} {
|
|||
@{bin}/rm rix,
|
||||
@{bin}/xzcat rix,
|
||||
|
||||
/boot/ r,
|
||||
owner /boot/initrd.img-* r,
|
||||
@{efi}/ r,
|
||||
owner @{efi}/initrd.img-* r,
|
||||
/tmp/ r,
|
||||
owner @{tmp}/initrd.img-* r,
|
||||
/mnt/ r,
|
||||
|
|
|
|||
|
|
@ -50,9 +50,9 @@ profile update-initramfs @{exec_path} {
|
|||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
owner /boot/ r,
|
||||
owner /boot/initrd.img-* rw,
|
||||
owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*,
|
||||
owner @{efi}/ r,
|
||||
owner @{efi}/initrd.img-* rw,
|
||||
owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*,
|
||||
|
||||
include if exists <local/update-initramfs>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -24,8 +24,8 @@ profile updatedb-mlocate @{exec_path} {
|
|||
# For shell pwd
|
||||
/ r,
|
||||
|
||||
/boot/ r,
|
||||
/boot/**/ r,
|
||||
@{efi}/ r,
|
||||
@{efi}/**/ r,
|
||||
|
||||
/home/ r,
|
||||
@{HOME}/ r,
|
||||
|
|
@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} {
|
|||
/srv/**/ r,
|
||||
|
||||
# Silence the noise
|
||||
deny /efi/ r,
|
||||
deny @{efi}/ r,
|
||||
deny /hugepages/ r,
|
||||
deny /lost+found/ r,
|
||||
deny /mnt/ r,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue