feat(profile): small update to systemd profiles.
This commit is contained in:
parent
38c6e35a1b
commit
28d9d48de4
6 changed files with 20 additions and 22 deletions
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/bootctl
|
||||
profile bootctl @{exec_path} flags=(attach_disconnected) {
|
||||
profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/disks-read>
|
||||
|
|
@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
|
|||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
signal (send) peer=child-pager,
|
||||
signal send peer=child-pager,
|
||||
|
||||
ptrace (read) peer=unconfined,
|
||||
ptrace read peer=unconfined,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{pager_path} rPx -> child-pager,
|
||||
|
||||
@{efi}/ r,
|
||||
@{efi}/EFI/{,**} r,
|
||||
@{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
|
||||
@{efi}/EFI/BOOT/BOOTX64.EFI w,
|
||||
@{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
|
||||
@{efi}/EFI/systemd/systemd-boot*.efi w,
|
||||
@{efi}/loader/.#bootctlrandom-seed@{hex} rw,
|
||||
@{efi}/loader/.#entries.srel* w,
|
||||
@{efi}/loader/{,**} r,
|
||||
@{efi}/loader/entries.srel w,
|
||||
@{efi}/loader/random-seed w,
|
||||
@{efi}/@{hex32}/ rw,
|
||||
@{efi}/EFI/{,**} rwl,
|
||||
@{efi}/loader/ rw,
|
||||
@{efi}/loader/** rwl -> @{efi}/loader/#@{int},
|
||||
|
||||
/etc/kernel/entry-token r,
|
||||
/etc/kernel/.#entry-token@{hex16} rw,
|
||||
/etc/kernel/entry-token rw,
|
||||
/etc/machine-id r,
|
||||
/etc/machine-info r,
|
||||
|
||||
|
|
@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
|
||||
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
||||
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
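Review bot: `@{efi}/EFI/{,**} rwl,` grants write and hard-link access to everything under the ESP's EFI/ directory, including other vendors' boot loaders (shim, grub, Microsoft), whereas the rules it appears to replace were limited to EFI/BOOT/ and EFI/systemd/ plus their `.#` temp files — I am inferring the old/new sides from the hunk counts, since the page lost the markers. Those two directories are where bootctl installs and updates its binaries, so the narrower form keeps the functionality: `@{efi}/EFI/{,**} r,`, `@{efi}/EFI/BOOT/{,**} rwl,`, `@{efi}/EFI/systemd/{,**} rwl,`. Unlike the `@{efi}/loader/** rwl -> @{efi}/loader/#@{int},` rule a few lines below, the `l` here carries no `-> target` restriction, so any link target under EFI/ is allowed. The bootctl profile body continues outside this hunk.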
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/homectl
|
||||
profile homectl @{exec_path} {
|
||||
profile homectl @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/common/systemd>
|
||||
|
|
|
|||
|
|
@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
ptrace (read) peer=@{p_systemd},
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{sbin}/blkid rPx,
|
||||
@{bin}/grep rix,
|
||||
@{bin}/systemd-detect-virt rPx,
|
||||
@{bin}/tr rix,
|
||||
@{bin}/uname rix,
|
||||
@{sbin}/blkid rPx,
|
||||
|
||||
/etc/cloud/{,**} r,
|
||||
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
|||
mqueue getattr type=posix /,
|
||||
mqueue r type=posix /,
|
||||
|
||||
unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system,
|
||||
unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.login1
|
||||
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
|
||||
profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
|
||||
profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
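Review bot: Replacing `flags=(complain)` with `flags=(attach_disconnected)` on the profile line puts systemd-networkd-wait-online into enforce mode and at the same time lets disconnected paths be matched as if rooted at `/`, and the commit records the reason for neither. The rules that must now hold are outside the hunk, so I cannot confirm the profile was exercised before leaving complain mode. A one-line comment above the profile line naming the denial that needed the flag, such as `# attach_disconnected: <path/reason from the audit log>`, would make the flag reviewable later.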
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/systemd/systemd-nsresourced
|
||||
profile systemd-nsresourced @{exec_path} {
|
||||
profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
|
|
@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework,
|
||||
@{lib}/systemd/systemd-nsresourcework ix, # no new privs
|
||||
|
||||
@{run}/systemd/nsresource/ rw,
|
||||
@{run}/systemd/nsresource/** rw,
|
||||
|
|
@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} {
|
|||
@{sys}/kernel/btf/vmlinux r,
|
||||
@{sys}/kernel/security/lsm r,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/pressure/* r,
|
||||
|
||||
include if exists <local/systemd-nsresourced>
|
||||
}
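Review bot: Changing `@{lib}/systemd/systemd-nsresourcework` from `Px -> systemd-nsresourced//&systemd-nsresourcework` to `ix` drops the worker's separate confinement: the worker — presumably the process that does the per-request work for nsresourced — now inherits the full systemd-nsresourced profile instead of the narrower stacked one. The `# no new privs` remark suggests the transition failed under NoNewPrivileges, but AppArmor permits a transition under NNP precisely when the target is a stack that includes the current profile, which the old `//&` form was; if the stack still fails on the kernels you target, the comment should say so, e.g. `ix, # NNP: stacked Px to systemd-nsresourcework fails on <kernel>; worker shares this profile`. If the stacked transition does work, keeping it is the safer choice. The profile body is cut by the hunks, so the worker's own profile is not visible here.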
|
||||
|
||||
|
|
|
|||