felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2021-11-09 21:49:16 +00:00
parent 5eeccc84f8
commit 2cc4d69e9e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
8 changed files with 53 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/groups/systemd/systemd-binfmt
View file

@ -10,6 +10,10 @@ include <tunables/global>
profile systemd-binfmt @{exec_path} {
include <abstractions/base>
capability net_admin,
ptrace (read) peer=unconfined,
@{exec_path} mr,
# Config file locations
@ -18,6 +22,10 @@ profile systemd-binfmt @{exec_path} {
/usr/lib/binfmt.d/*.conf r,
owner @{PROC}/@{pid}/stat r,
@{PROC}/1/environ r,
@{PROC}/cmdline r,
@{PROC}/sys/fs/binfmt_misc/status w,
@{PROC}/sys/kernel/osrelease r,
include if exists <local/systemd-binfmt>
}

4
apparmor.d/groups/systemd/systemd-modules-load
View file

@ -11,12 +11,8 @@ profile systemd-modules-load @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
# To load kernel modules
capability sys_module,
# Needed?
audit deny capability net_admin,
@{exec_path} mr,
@{sys}/module/*/initstate r,