felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(profile): small improvment raised by the tests.

Browse source
This commit is contained in:
Alexandre Pujol 2025-05-01 18:48:31 +02:00
parent 3a568ba307
commit 45d7cf48c4
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
8 changed files with 17 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

1
apparmor.d/groups/_full/systemd
View file

@ -152,6 +152,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
#aa:dbus own bus=system name=org.freedesktop.timesync1 #aa:dbus own bus=system name=org.freedesktop.timesync1
@{bin}/** Px, @{bin}/** Px,
@{sbin}/** Px,
@{lib}/** Px, @{lib}/** Px,
/etc/cron.*/* Px, /etc/cron.*/* Px,
/etc/init.d/* Px, /etc/init.d/* Px,

11
apparmor.d/groups/apt/deb-systemd-helper
View file

@ -16,14 +16,19 @@ profile deb-systemd-helper @{exec_path} {
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
/var/lib/systemd/deb-systemd-helper-enabled/** rw, /etc/systemd/system/* w,
/var/lib/systemd/deb-systemd-helper-masked/ rw, /etc/systemd/user/* w,
/var/lib/systemd/deb-systemd-user-helper-enabled/** rw,
/var/lib/systemd/deb-systemd-helper-enabled/{,**} rw,
/var/lib/systemd/deb-systemd-helper-masked/{,**} rw,
/var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw,
profile systemctl { profile systemctl {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/systemctl> include <abstractions/app/systemctl>
capability net_admin,
/etc/ r, /etc/ r,
/etc/systemd/ r, /etc/systemd/ r,
/etc/systemd/system/ r, /etc/systemd/system/ r,

1
apparmor.d/groups/bus/dbus-system
View file

@ -47,6 +47,7 @@ profile dbus-system flags=(attach_disconnected) {
@{exec_path} mrix, @{exec_path} mrix,
@{bin}/** PUx, @{bin}/** PUx,
@{sbin}/** PUx,
@{lib}/** PUx, @{lib}/** PUx,
/usr/share/*/** PUx, /usr/share/*/** PUx,

2
apparmor.d/groups/network/rpcbind
View file

@ -6,7 +6,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/rpcbind @{exec_path} = @{sbin}/rpcbind
profile rpcbind @{exec_path} flags=(complain) { profile rpcbind @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>

2
apparmor.d/profiles-m-r/needrestart
View file

@ -59,6 +59,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
/usr/share/** r, /usr/share/** r,
/var/lib/*/** r, /var/lib/*/** r,
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/tmp/@{word10}/ rw, /tmp/@{word10}/ rw,
owner @{run}/sshd.pid r, owner @{run}/sshd.pid r,

2
apparmor.d/profiles-m-r/run-parts
View file

@ -232,7 +232,7 @@ profile run-parts @{exec_path} {
@{sbin}/dkms rPx, @{sbin}/dkms rPx,
@{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg rPx -> child-dpkg,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/update-alternatives rPx, @{sbin}/update-alternatives rPx,
@{sbin}/update-grub rPUx, @{sbin}/update-grub rPUx,
@{sbin}/update-initramfs rPx, @{sbin}/update-initramfs rPx,
@{lib}/dkms/dkms_autoinstaller rPx, @{lib}/dkms/dkms_autoinstaller rPx,

2
apparmor.d/profiles-s-z/unhide-tcp
View file

@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} {
@{bin}/fuser rix, @{bin}/fuser rix,
@{bin}/netstat rix, @{bin}/netstat rix,
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/ss rix, @{sbin}/ss rix,
@{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/tcp{,6} r,
@{PROC}/@{pids}/net/udp{,6} r, @{PROC}/@{pids}/net/udp{,6} r,

2
apparmor.d/profiles-s-z/which
View file

@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) {
@{sh_path} rix, @{sh_path} rix,
@{bin}/ r, @{bin}/ r,
@{sbin}/ r,
@{bin}/**/ r, @{bin}/**/ r,
@{sbin}/**/ r,
@{lib}/ r, @{lib}/ r,
@{lib}/**/ r, @{lib}/**/ r,
/opt/**/bin/ r, /opt/**/bin/ r,