feat(profile): restrict some access to @{PROC}/@{pid}.

2024-09-25 14:00:29 +01:00 · 2024-09-25 14:00:29 +01:00 · 28b32f1ae3
commit 28b32f1ae3
parent 90a8e44d20
10 changed files with 31 additions and 22 deletions
--- a/apparmor.d/profiles-m-r/protonmail-bridge-core
+++ b/apparmor.d/profiles-m-r/protonmail-bridge-core
@ -44,8 +44,8 @@ profile protonmail-bridge-core @{exec_path} {
  owner /var/tmp/etilqs_@{hex16} rw,

  @{PROC}/ r,
+  @{PROC}/1/cgroup r,
  @{PROC}/sys/net/core/somaxconn r,
-  @{PROC}/@{pid}/cgroup r,

  deny @{bin}/pass x,
  deny owner @{user_password_store_dirs}/** r,