fix(profile): small improvment raised by the tests.

2025-05-01 18:48:31 +02:00 · 2025-05-01 18:48:31 +02:00 · 45d7cf48c4
commit 45d7cf48c4
parent 3a568ba307
8 changed files with 17 additions and 6 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -152,6 +152,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  #aa:dbus own bus=system name=org.freedesktop.timesync1

  @{bin}/**                         Px,
+  @{sbin}/**                        Px,
  @{lib}/**                         Px,
  /etc/cron.*/*                     Px,
  /etc/init.d/*                     Px,
--- a/apparmor.d/groups/apt/deb-systemd-helper
+++ b/apparmor.d/groups/apt/deb-systemd-helper
@ -16,14 +16,19 @@ profile deb-systemd-helper @{exec_path} {

  @{bin}/systemctl rCx -> systemctl,

-  /var/lib/systemd/deb-systemd-helper-enabled/** rw,
-  /var/lib/systemd/deb-systemd-helper-masked/ rw,
-  /var/lib/systemd/deb-systemd-user-helper-enabled/** rw,
+  /etc/systemd/system/* w,
+  /etc/systemd/user/* w,
+
+  /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw,
+  /var/lib/systemd/deb-systemd-helper-masked/{,**} rw,
+  /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw,

  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>

+    capability net_admin,
+
    /etc/ r,
    /etc/systemd/ r,
    /etc/systemd/system/ r,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -47,6 +47,7 @@ profile dbus-system flags=(attach_disconnected) {
  @{exec_path} mrix,

  @{bin}/**                   PUx,
+  @{sbin}/**                  PUx,
  @{lib}/**                   PUx,
  /usr/share/*/**             PUx,

--- a/apparmor.d/groups/network/rpcbind
+++ b/apparmor.d/groups/network/rpcbind
@ -6,7 +6,7 @@ abi <abi/4.0>,

 include <tunables/global>

-@{exec_path} = @{bin}/rpcbind
+@{exec_path} = @{sbin}/rpcbind
 profile rpcbind @{exec_path} flags=(complain) {
  include <abstractions/base>