felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(fsp): small improvment to systemd profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-04-13 18:34:59 +02:00 committed by Alex
parent 63e2b9372b
commit 379a093b10
2 changed files with 4 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/groups/_full/systemd
View file

@ -79,8 +79,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
mount fstype=vfat -> /boot/efi/,
mount /dev/** -> /boot/{,efi/},
mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
@ -108,7 +108,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
remount @{run}/systemd/unit-root/{,**}, remount @{run}/systemd/unit-root/{,**},
remount /, remount /,
remount /snap/{,**}, remount /snap/{,**},
remount options=(ro bind) /boot/efi/, remount options=(ro bind) /boot/{,efi/},
remount options=(ro noexec noatime bind) /var/snap/{,**}, remount options=(ro noexec noatime bind) /var/snap/{,**},
remount options=(ro nosuid bind) /dev/, remount options=(ro nosuid bind) /dev/,
remount options=(ro nosuid nodev bind) /dev/hugepages/, remount options=(ro nosuid nodev bind) /dev/hugepages/,
@ -221,12 +221,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
@{att}/@{run}/systemd/journal/dev-log r, @{att}/@{run}/systemd/journal/dev-log r,
@{run}/ rw, @{run}/ rw,
@{run}/*.socket w, @{run}/* rw,
@{run}/*/ rw, @{run}/*/ rw,
@{run}/*/* rw, @{run}/*/* rw,
@{run}/auditd.pid r,
@{run}/credentials/{,**} rw, @{run}/credentials/{,**} rw,
@{run}/initctl rw,
@{run}/systemd/{,**} rw, @{run}/systemd/{,**} rw,
@{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+bluetooth:* r,

1
apparmor.d/groups/_full/systemd-user
View file

@ -146,6 +146,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
deny capability net_admin, deny capability net_admin,
deny capability perfmon, deny capability perfmon,
deny capability sys_admin, deny capability sys_admin,
deny capability sys_boot,
deny capability sys_resource, deny capability sys_resource,
profile systemctl { profile systemctl {