feat(profile): small update to systemd profiles.
This commit is contained in:
parent
38c6e35a1b
commit
28d9d48de4
6 changed files with 20 additions and 22 deletions
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/bootctl
|
@{exec_path} = @{bin}/bootctl
|
||||||
profile bootctl @{exec_path} flags=(attach_disconnected) {
|
profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
|
@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
capability sys_resource,
|
capability sys_resource,
|
||||||
|
|
||||||
signal (send) peer=child-pager,
|
signal send peer=child-pager,
|
||||||
|
|
||||||
ptrace (read) peer=unconfined,
|
ptrace read peer=unconfined,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{pager_path} rPx -> child-pager,
|
@{pager_path} rPx -> child-pager,
|
||||||
|
|
||||||
@{efi}/ r,
|
@{efi}/ r,
|
||||||
@{efi}/EFI/{,**} r,
|
@{efi}/@{hex32}/ rw,
|
||||||
@{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
|
@{efi}/EFI/{,**} rwl,
|
||||||
@{efi}/EFI/BOOT/BOOTX64.EFI w,
|
@{efi}/loader/ rw,
|
||||||
@{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
|
@{efi}/loader/** rwl -> @{efi}/loader/#@{int},
|
||||||
@{efi}/EFI/systemd/systemd-boot*.efi w,
|
|
||||||
@{efi}/loader/.#bootctlrandom-seed@{hex} rw,
|
|
||||||
@{efi}/loader/.#entries.srel* w,
|
|
||||||
@{efi}/loader/{,**} r,
|
|
||||||
@{efi}/loader/entries.srel w,
|
|
||||||
@{efi}/loader/random-seed w,
|
|
||||||
|
|
||||||
/etc/kernel/entry-token r,
|
/etc/kernel/.#entry-token@{hex16} rw,
|
||||||
|
/etc/kernel/entry-token rw,
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/machine-info r,
|
/etc/machine-info r,
|
||||||
|
|
||||||
|
|
@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
|
||||||
@{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
|
@{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
|
||||||
@{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
|
@{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
|
||||||
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
|
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
|
||||||
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
|
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
|
||||||
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
|
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
|
||||||
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
||||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
|
||||||
|
|
|
||||||
|
|
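Review bot: `@{efi}/EFI/{,**} rwl,` in the second hunk replaces write rules that were scoped to `EFI/BOOT/` and `EFI/systemd/` (plus their `.#…@{hex}` temp files) with write and link access over every loader directory on the ESP, including other vendors' boot binaries, and unlike the `@{efi}/loader/** rwl -> @{efi}/loader/#@{int},` rule added beside it the link permission has no target restriction. If the widening was driven by a specific denial (for example a directory bootctl now creates under `EFI/`), it would be safer to add that path explicitly and keep writes confined to the subtrees bootctl installs into, along the lines of `@{efi}/EFI/{BOOT,systemd}/{,**} rwl -> @{efi}/EFI/{BOOT,systemd}/#@{int},`, with the temp-file target confirmed against what bootctl actually links. The `LoaderSystemToken-@{uuid} rw` change in the third hunk is narrow by comparison and reads as intended. The profile body continues outside these hunks.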
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/homectl
|
@{exec_path} = @{bin}/homectl
|
||||||
profile homectl @{exec_path} {
|
profile homectl @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/bus-system>
|
include <abstractions/bus-system>
|
||||||
include <abstractions/common/systemd>
|
include <abstractions/common/systemd>
|
||||||
|
|
|
||||||
|
|
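Review bot: The new `flags=(attach_disconnected)` on the `profile homectl` line carries no comment recording which disconnected-path denial motivated it, and the same flag is added without explanation to systemd-networkd-wait-online and systemd-nsresourced in this commit. `attach_disconnected` makes objects outside the profile's mount namespace match as if they were rooted at `/`, so every path rule in the profile also becomes reachable for such disconnected objects, which is worth stating next to the flag. A one-line comment above the profile line, e.g. `# attach_disconnected: <observed denial, placeholder>`, would keep that rationale with the rule.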
@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
ptrace (read) peer=@{p_systemd},
|
ptrace read peer=@{p_systemd},
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{sbin}/blkid rPx,
|
|
||||||
@{bin}/grep rix,
|
@{bin}/grep rix,
|
||||||
@{bin}/systemd-detect-virt rPx,
|
@{bin}/systemd-detect-virt rPx,
|
||||||
@{bin}/tr rix,
|
@{bin}/tr rix,
|
||||||
@{bin}/uname rix,
|
@{bin}/uname rix,
|
||||||
|
@{sbin}/blkid rPx,
|
||||||
|
|
||||||
/etc/cloud/{,**} r,
|
/etc/cloud/{,**} r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
||||||
mqueue getattr type=posix /,
|
mqueue getattr type=posix /,
|
||||||
mqueue r type=posix /,
|
mqueue r type=posix /,
|
||||||
|
|
||||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system,
|
unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system,
|
||||||
|
|
||||||
#aa:dbus own bus=system name=org.freedesktop.login1
|
#aa:dbus own bus=system name=org.freedesktop.login1
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
|
@{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
|
||||||
profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
|
profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/common/systemd>
|
include <abstractions/common/systemd>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
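Review bot: Replacing `flags=(complain)` with `flags=(attach_disconnected)` on the profile line switches systemd-networkd-wait-online from complain to enforce mode, which the commit message ("small update") does not mention; from now on any rule still missing from the profile body produces a denial rather than an audit entry. The body of the profile is outside this hunk, so its completeness cannot be judged here; it would help to state in the commit message or a profile comment that a networkd-wait-online run left no complain-mode audit messages before the flag was dropped. If the intent was only to add the new flag while staying in complain mode, the line would be `flags=(attach_disconnected,complain)`.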
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{lib}/systemd/systemd-nsresourced
|
@{exec_path} = @{lib}/systemd/systemd-nsresourced
|
||||||
profile systemd-nsresourced @{exec_path} {
|
profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/common/systemd>
|
include <abstractions/common/systemd>
|
||||||
|
|
||||||
|
|
@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework,
|
@{lib}/systemd/systemd-nsresourcework ix, # no new privs
|
||||||
|
|
||||||
@{run}/systemd/nsresource/ rw,
|
@{run}/systemd/nsresource/ rw,
|
||||||
@{run}/systemd/nsresource/** rw,
|
@{run}/systemd/nsresource/** rw,
|
||||||
|
|
@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} {
|
||||||
@{sys}/kernel/btf/vmlinux r,
|
@{sys}/kernel/btf/vmlinux r,
|
||||||
@{sys}/kernel/security/lsm r,
|
@{sys}/kernel/security/lsm r,
|
||||||
|
|
||||||
|
@{PROC}/@{pid}/cgroup r,
|
||||||
|
@{PROC}/pressure/* r,
|
||||||
|
|
||||||
include if exists <local/systemd-nsresourced>
|
include if exists <local/systemd-nsresourced>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
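Review bot: `@{lib}/systemd/systemd-nsresourcework ix, # no new privs` in the second hunk runs the worker under the full systemd-nsresourced rule set instead of the stacked `systemd-nsresourced//&systemd-nsresourcework` transition it replaces, so the worker (which, as far as I know, services the per-client requests) loses its separate, narrower confinement; the comment names the constraint but not why the stacked form, which is the transition shape meant to remain valid under no_new_privs, was abandoned. If the stacked transition was rejected on the kernels targeted, recording the denial message and kernel version in the comment would let the stacked profile be restored later, and if a `systemd-nsresourcework` profile still exists elsewhere in the tree it is now unreferenced and should be removed or pointed to. The read-only additions `@{PROC}/@{pid}/cgroup r,` and `@{PROC}/pressure/* r,` in the last hunk look fine.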