feat(profiles): general update.
This commit is contained in:
Alexandre Pujol
parent
a49d83993a
commit
31bc5a6053
16 changed files with 56 additions and 103 deletions
|
|
@ -1,17 +1,17 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2021 Mikhail Morfikov
|
||||
# Copyright (C) 2021-20223 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{lib}/blueman-mechanism
|
||||
@{exec_path} += @{lib}/blueman/blueman-mechanism
|
||||
@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
|
||||
profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/python>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
|
||||
capability mknod,
|
||||
capability net_admin,
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/borg
|
||||
profile borg @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/python>
|
||||
|
||||
capability dac_read_search,
|
||||
|
|
@ -20,6 +21,11 @@ profile borg @{exec_path} {
|
|||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
mount fstype=fuse -> @{MOUNTS}/,
|
||||
mount fstype=fuse -> @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
@{bin}/ r,
|
||||
|
|
@ -30,42 +36,10 @@ profile borg @{exec_path} {
|
|||
@{bin}/ldconfig rix,
|
||||
@{bin}/uname rix,
|
||||
|
||||
@{bin}/pass rPUx,
|
||||
@{bin}/ssh rPx,
|
||||
@{bin}/ccache rCx -> ccache,
|
||||
@{bin}/fusermount{,3} rCx -> fusermount,
|
||||
|
||||
mount fstype=fuse -> @{MOUNTS}/,
|
||||
mount fstype=fuse -> @{MOUNTS}/*/,
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/sys/kernel/random/boot_id r,
|
||||
|
||||
@{run}/systemd/userdb/ r,
|
||||
@{run}/resolvconf/resolv.conf r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/borg/ rw,
|
||||
owner @{user_cache_dirs}/borg/** rw,
|
||||
|
||||
owner @{user_config_dirs}/borg/ rw,
|
||||
owner @{user_config_dirs}/borg/** rw,
|
||||
|
||||
# If /tmp/ isn't accessible, then /var/tmp/ is used.
|
||||
owner /tmp/* rw,
|
||||
owner /tmp/tmp*/ rw,
|
||||
owner /tmp/tmp*/idx rw,
|
||||
owner /tmp/tmp*/file rw,
|
||||
owner /tmp/borg-cache-*/ rw,
|
||||
owner /tmp/borg-cache-*/* rw,
|
||||
owner /var/tmp/* rw,
|
||||
owner /var/tmp/tmp*/ rw,
|
||||
owner /var/tmp/tmp*/idx rw,
|
||||
owner /var/tmp/tmp*/file rw,
|
||||
@{bin}/pass rPx,
|
||||
@{bin}/ssh rPx,
|
||||
|
||||
# Dirs that can be backed up
|
||||
/ r,
|
||||
|
|
@ -80,13 +54,28 @@ profile borg @{exec_path} {
|
|||
owner @{MOUNTS}/ r,
|
||||
owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
|
||||
|
||||
# borg serve on server's side
|
||||
owner /home/borg/*/ rw,
|
||||
owner /home/borg/*/{,**} rw,
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/borg/ rw,
|
||||
owner @{user_cache_dirs}/borg/** rw,
|
||||
|
||||
# For exporting the key
|
||||
owner /**/key w,
|
||||
owner @{user_config_dirs}/borg/ rw,
|
||||
owner @{user_config_dirs}/borg/** rw,
|
||||
|
||||
# If /tmp/ isn't accessible, then /var/tmp/ is used.
|
||||
owner /tmp/* rw,
|
||||
owner /tmp/borg-cache-*/ rw,
|
||||
owner /tmp/borg-cache-*/* rw,
|
||||
owner /tmp/tmp*/ rw,
|
||||
owner /tmp/tmp*/file rw,
|
||||
owner /tmp/tmp*/idx rw,
|
||||
owner /var/tmp/* rw,
|
||||
owner /var/tmp/tmp*/ rw,
|
||||
owner /var/tmp/tmp*/file rw,
|
||||
owner /var/tmp/tmp*/idx rw,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
profile ccache {
|
||||
include <abstractions/base>
|
||||
|
|
@ -97,29 +86,31 @@ profile borg @{exec_path} {
|
|||
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
|
||||
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
|
||||
|
||||
/media/ccache/*/** rw,
|
||||
|
||||
/etc/debian_version r,
|
||||
|
||||
@{MOUNTS}/** rw,
|
||||
|
||||
include if exists <local/borg_ccache>
|
||||
}
|
||||
|
||||
profile fusermount {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
# To mount anything:
|
||||
capability sys_admin,
|
||||
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
|
||||
@{bin}/fusermount{,3} mr,
|
||||
|
||||
/etc/fuse.conf r,
|
||||
|
||||
umount @{MOUNTS}/,
|
||||
umount @{MOUNTS}/*/,
|
||||
|
||||
@{PROC}/@{pids}/mounts r,
|
||||
|
||||
/dev/fuse rw,
|
||||
|
||||
include if exists <local/borg_fusermount>
|
||||
}
|
||||
|
||||
include if exists <usr/borg.d>
|
||||
|
|
|
|||
|
|
@ -16,6 +16,9 @@ profile cups-pk-helper-mechanism @{exec_path} {
|
|||
capability dac_read_search,
|
||||
capability sys_nice,
|
||||
|
||||
network inet stream,
|
||||
network inet6 stream,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.opensuse.CupsPkHelper.Mechanism,
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue