felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

General updates

Browse source
This commit is contained in:
Jeroen Rijken 2022-07-23 13:22:56 +02:00 committed by Alex
parent 33da7af6e8
commit 465a31c638
9 changed files with 78 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/profiles-m-r/mount
View file

@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -26,6 +27,8 @@ profile mount @{exec_path} flags=(complain) {
network inet stream,
network inet6 stream,
ptrace (read) peer=k3s,
signal (receive) set=(term, kill),
@{exec_path} mr,

2
apparmor.d/profiles-m-r/newgidmap
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,6 +12,7 @@ profile newgidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_override,
capability setgid,
capability sys_admin,

2
apparmor.d/profiles-m-r/newuidmap
View file

@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -11,6 +12,7 @@ profile newuidmap @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability dac_override,
capability setuid,
capability sys_admin,

3
apparmor.d/profiles-m-r/rngd
View file

@ -1,12 +1,13 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}bin/rngd
@{exec_path} = /{usr/,}{s,}bin/rngd
profile rngd @{exec_path} {
include <abstractions/base>
include <abstractions/devices-usb>