felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profiles): use the new hex variable.

Browse source
This commit is contained in:
Alexandre Pujol 2022-09-03 14:43:34 +01:00
parent 5d0c521e44
commit 3b56d3ff0f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
70 changed files with 142 additions and 142 deletions
Download patch file Download diff file Expand all files Collapse all files

8
apparmor.d/groups/systemd/bootctl
View file

@ -24,11 +24,11 @@ profile bootctl @{exec_path} {
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
/{boot,efi}/EFI/systemd/systemd-boot*.efi w,
/{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
/{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
/{boot,efi}/loader/.#entries.srel* w,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/loader/entries.srel w,
@ -47,7 +47,7 @@ profile bootctl @{exec_path} {
@{sys}/firmware/dmi/entries/*/raw r,
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
@{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
@{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,

10
apparmor.d/groups/systemd/coredumpctl
View file

@ -26,13 +26,13 @@ profile coredumpctl @{exec_path} flags=(complain) {
owner /var/tmp/coredump-* rw,
/var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst r,
/var/lib/systemd/coredump/core.*.[0-9]*.@{hex}.[0-9]*.[0-9]*.zst r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/1/cgroup r,

12
apparmor.d/groups/systemd/journalctl
View file

@ -34,12 +34,12 @@ profile journalctl @{exec_path} {
/var/lib/systemd/catalog/.#database* rw,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
owner /{run,var}/log/journal/@{hex}/fss wl -> /var/log/journal/@{hex}/fss.tmp.*,
owner /{run,var}/log/journal/@{hex}/fss.tmp.* rw,
owner /var/tmp/#[0-9]* rw,
@{run}/host/container-manager r,

8
apparmor.d/groups/systemd/networkctl
View file

@ -42,10 +42,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
# To be able to read logs
@{run}/log/ r,
/{run,var}/log/journal/ r,
/{run,var}/log/journal/[0-9a-f]*/ r,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system.journal* r,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
/{run,var}/log/journal/@{hex}/ r,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* r,
/{run,var}/log/journal/@{hex}/system.journal* r,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* r,
@{run}/systemd/netif/links/[0-9]* r,
@{run}/systemd/netif/state r,

10
apparmor.d/groups/systemd/systemd-journald
View file

@ -30,11 +30,11 @@ profile systemd-journald @{exec_path} {
@{run}/log/ rw,
/{run,var}/log/journal/ rw,
/{run,var}/log/journal/[0-9a-f]*/ rw,
/{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
/{run,var}/log/journal/[0-9a-f]*/fss rw,
/{run,var}/log/journal/@{hex}/ rw,
/{run,var}/log/journal/@{hex}/user-@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/system.journal* rw,
/{run,var}/log/journal/@{hex}/system@@{hex}.journal* rw,
/{run,var}/log/journal/@{hex}/fss rw,
owner @{run}/systemd/journal/{,**} rw,
owner @{run}/systemd/notify rw,