feat(profile): general update.
This commit is contained in:
Alexandre Pujol
parent
f5084ca150
commit
2ea53a9dc3
14 changed files with 26 additions and 14 deletions
|
|
@ -107,7 +107,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{bin}/mandb rPx -> systemd-service,
|
@{bin}/mandb rPx -> systemd-service,
|
||||||
@{bin}/savelog rPx -> systemd-service,
|
@{bin}/savelog rPx -> systemd-service,
|
||||||
@{coreutils_path} rPx -> systemd-service,
|
@{coreutils_path} rPx -> systemd-service,
|
||||||
@{shells_path} rPx -> systemd-service,
|
@{sh_path} rPx -> systemd-service,
|
||||||
|
|
||||||
@{bin}/** PUx,
|
@{bin}/** PUx,
|
||||||
@{lib}/** PUx,
|
@{lib}/** PUx,
|
||||||
|
|
@ -128,8 +128,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
/var/tmp/ r,
|
/var/tmp/ r,
|
||||||
@{lib}/ r,
|
@{lib}/ r,
|
||||||
|
|
||||||
/usr/share/** r,
|
|
||||||
|
|
||||||
/etc/binfmt.d/{,**} r,
|
/etc/binfmt.d/{,**} r,
|
||||||
/etc/conf.d/{,**} r,
|
/etc/conf.d/{,**} r,
|
||||||
/etc/credstore.encrypted/{,**} r,
|
/etc/credstore.encrypted/{,**} r,
|
||||||
|
|
@ -139,6 +137,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
/etc/modules-load.d/{,**} r,
|
/etc/modules-load.d/{,**} r,
|
||||||
/etc/systemd/{,**} r,
|
/etc/systemd/{,**} r,
|
||||||
|
/etc/udev/hwdb.d/{,**} r,
|
||||||
|
|
||||||
/var/lib/systemd/{,**} rw,
|
/var/lib/systemd/{,**} rw,
|
||||||
owner /var/tmp/systemd-private-*/{,**} rw,
|
owner /var/tmp/systemd-private-*/{,**} rw,
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/systemctl rix,
|
@{bin}/systemctl rix,
|
||||||
@{bin}/gzip rix,
|
@{bin}/gzip rix,
|
||||||
@{coreutils_path} rix,
|
@{coreutils_path} rix,
|
||||||
@{shells_path} rmix,
|
@{sh_path} rmix,
|
||||||
|
|
||||||
# shadow.service
|
# shadow.service
|
||||||
@{bin}/pwck rPx,
|
@{bin}/pwck rPx,
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
# Profile for 'systemd --user', not PID 1 but the user manager for any UID.
|
# Profile for 'systemd --user', not PID 1 but the user manager for any UID.
|
||||||
# It does not specify an attachment path because it is intended to be used only
|
# It does not specify an attachment path because it is intended to be used only
|
||||||
# via "AppArmorProfile=systemd-user" from a systemd unit file.
|
# via "px -> systemd-user" exec transitions from the `systemd` profile.
|
||||||
|
|
||||||
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
# Only use this profile with a fully configured system. Otherwise it **WILL**
|
||||||
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
|
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,7 @@ profile cron-ntp @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
|
|
||||||
@{shells_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/cat rix,
|
@{bin}/cat rix,
|
||||||
@{bin}/grep rix,
|
@{bin}/grep rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
|
@{bin}/mkdir rix,
|
||||||
@{bin}/systemd-detect-virt rPx,
|
@{bin}/systemd-detect-virt rPx,
|
||||||
@{lib}/cloud-init/ds-identify rPUx,
|
@{lib}/cloud-init/ds-identify rPUx,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -14,7 +14,10 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{sh_path} r,
|
@{sh_path} rix,
|
||||||
|
@{bin}/blkid rPx,
|
||||||
|
@{bin}/systemd-detect-virt rPx,
|
||||||
|
@{bin}/tr rix,
|
||||||
@{bin}/uname rix,
|
@{bin}/uname rix,
|
||||||
|
|
||||||
@{run}/cloud-init/.ds-identify.result r,
|
@{run}/cloud-init/.ds-identify.result r,
|
||||||
|
|
|
||||||
|
|
@ -113,6 +113,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
|
||||||
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
|
||||||
@{sys}/fs/cgroup/memory.max r,
|
@{sys}/fs/cgroup/memory.max r,
|
||||||
@{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
|
@{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
|
||||||
|
@{sys}/kernel/kexec_loaded r,
|
||||||
@{sys}/module/vt/parameters/default_utf8 r,
|
@{sys}/module/vt/parameters/default_utf8 r,
|
||||||
@{sys}/power/{state,resume_offset,resume,disk} r,
|
@{sys}/power/{state,resume_offset,resume,disk} r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -39,7 +39,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
|
||||||
@{sys}/devices/virtual/block/**/ r,
|
@{sys}/devices/virtual/block/**/ r,
|
||||||
@{sys}/devices/virtual/block/**/autoclear r,
|
@{sys}/devices/virtual/block/**/autoclear r,
|
||||||
@{sys}/devices/virtual/block/**/backing_file r,
|
@{sys}/devices/virtual/block/**/backing_file r,
|
||||||
@{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
|
@{sys}/devices/virtual/block/dm-@{int}/dm/name r,
|
||||||
|
|
||||||
@{PROC}/@{pid}/mountinfo r,
|
@{PROC}/@{pid}/mountinfo r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
profile cockpit-certificate-helper @{exec_path} {
|
profile cockpit-certificate-helper @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
include <abstractions/openssl>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
@ -18,11 +19,13 @@ profile cockpit-certificate-helper @{exec_path} {
|
||||||
@{bin}/id rix,
|
@{bin}/id rix,
|
||||||
@{bin}/mkdir rix,
|
@{bin}/mkdir rix,
|
||||||
@{bin}/mv rix,
|
@{bin}/mv rix,
|
||||||
|
@{bin}/openssl rix,
|
||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
@{bin}/sscg rix,
|
@{bin}/sscg rix,
|
||||||
@{bin}/tr rix,
|
@{bin}/tr rix,
|
||||||
|
|
||||||
/etc/machine-id r,
|
/etc/machine-id r,
|
||||||
|
/etc/cockpit/ws-certs.d/* w,
|
||||||
|
|
||||||
owner @{run}/cockpit/certificate-helper/{,**} rw,
|
owner @{run}/cockpit/certificate-helper/{,**} rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -24,6 +24,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
@{bin}/unix_chkpwd rPx,
|
||||||
|
|
||||||
@{bin}/{,z,ba,da}sh rix,
|
@{bin}/{,z,ba,da}sh rix,
|
||||||
@{bin}/cockpit-bridge rPx,
|
@{bin}/cockpit-bridge rPx,
|
||||||
@{lib}/cockpit/cockpit-pcp rPx,
|
@{lib}/cockpit/cockpit-pcp rPx,
|
||||||
|
|
|
||||||
|
|
@ -115,7 +115,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/virtiofsd rux, # TODO: WIP
|
@{bin}/virtiofsd rux, # TODO: WIP
|
||||||
@{bin}/virtlogd rPx,
|
@{bin}/virtlogd rPx,
|
||||||
|
|
||||||
@{shells_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/ip rix,
|
@{bin}/ip rix,
|
||||||
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
|
@{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
|
||||||
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
|
@{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
|
||||||
|
|
|
||||||
|
|
@ -27,12 +27,13 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/desktop>
|
include <abstractions/desktop>
|
||||||
include <abstractions/enchant>
|
include <abstractions/enchant>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
include <abstractions/graphics-full>
|
include <abstractions/graphics>
|
||||||
include <abstractions/gstreamer>
|
include <abstractions/gstreamer>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
include <abstractions/ssl_certs>
|
include <abstractions/ssl_certs>
|
||||||
include <abstractions/thumbnails-cache-read>
|
include <abstractions/thumbnails-cache-read>
|
||||||
include <abstractions/user-download-strict>
|
include <abstractions/user-download-strict>
|
||||||
|
include <abstractions/user-read>
|
||||||
|
|
||||||
# userns,
|
# userns,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -30,16 +30,17 @@ profile ip @{exec_path} flags=(attach_disconnected) {
|
||||||
umount /sys/,
|
umount /sys/,
|
||||||
|
|
||||||
@{exec_path} mrix,
|
@{exec_path} mrix,
|
||||||
@{shells_path} rix,
|
@{sh_path} rix,
|
||||||
|
|
||||||
/ r,
|
/ r,
|
||||||
|
|
||||||
/etc/iproute2/{,**} r,
|
/etc/iproute2/{,**} r,
|
||||||
/etc/netns/*/ r,
|
/etc/netns/*/ r,
|
||||||
|
|
||||||
owner @{run}/netns/ rwk,
|
/usr/share/iproute2/{,**} r,
|
||||||
|
|
||||||
@{run}/netns/* rw,
|
@{run}/netns/* rw,
|
||||||
owner @{run}/netns/ rw,
|
owner @{run}/netns/ rwk,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/cgroup r,
|
owner @{PROC}/@{pid}/cgroup r,
|
||||||
owner @{PROC}/@{pid}/net/dev_mcast r,
|
owner @{PROC}/@{pid}/net/dev_mcast r,
|
||||||
|
|
|
||||||
|
|
@ -26,6 +26,7 @@ profile pkttyagent @{exec_path} {
|
||||||
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
@{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
|
||||||
@{lib}/polkit-agent-helper-[0-9] rPx,
|
@{lib}/polkit-agent-helper-[0-9] rPx,
|
||||||
|
|
||||||
|
owner @{PROC}/@{pid}/fdinfo/@{int} r,
|
||||||
owner @{PROC}/@{pids}/stat r,
|
owner @{PROC}/@{pids}/stat r,
|
||||||
|
|
||||||
/dev/tty rw,
|
/dev/tty rw,
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue