felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2021-11-04 18:33:25 +00:00
parent 27fe14152b
commit 477df29dd5
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
19 changed files with 39 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/pacman/mkinitcpio
View file

@ -56,6 +56,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/initcpio/busybox rix,
/{usr/,}lib/ld-*.so rix,
/{usr/,}@{multiarch}/ld-*.so rix,
/{usr/,}lib/@{multiarch}/ld-*.so rix,
/etc/fstab r,
/etc/lvm/lvm.conf r,
@ -68,6 +70,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
# Can copy any program to the initframs
/{usr/,}bin/ r,
/{usr/,}bin/[a-z0-9]* rm,
/{usr/,}lib/udev/[a-z0-9]* rm,
/{usr/,}lib/systemd/systemd-* rm,
# Manage /boot

2
apparmor.d/groups/pacman/pacman
View file

@ -93,7 +93,7 @@ profile pacman @{exec_path} {
@{PROC}/ r,
@{run}/ r,
@{sys}/ r,
@{sys}/{,**} r,
/mnt r,
# Read packages files

3
apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install
profile pacman-hook-mkinitcpio-install @{exec_path} {
profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
capability dac_read_search,
@ -37,6 +37,7 @@ profile pacman-hook-mkinitcpio-install @{exec_path} {
# Inherit Silencer
deny network inet6 stream,
deny network inet stream,
deny /apparmor/.null rw,
include if exists <local/pacman-hook-mkinitcpio-install>
}

2
apparmor.d/groups/pacman/pacman-hook-systemd
View file

@ -19,12 +19,12 @@ profile pacman-hook-systemd @{exec_path} {
/{usr/,}bin/journalctl rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-binfmt rPx,
/{usr/,}bin/systemd-detect-virt rPx,
/{usr/,}bin/systemd-hwdb rPx,
/{usr/,}bin/systemd-sysusers rPx,
/{usr/,}bin/systemd-tmpfiles rPx,
/{usr/,}bin/udevadm rPx,
/{usr/,}lib/systemd-binfmt rPx,
/{usr/,}lib/systemd/systemd-sysctl rPx,
/usr/ rw,