felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2021-11-04 18:33:25 +00:00
parent 27fe14152b
commit 477df29dd5
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
19 changed files with 39 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/groups/systemd/systemd-analyze
View file

@ -1,6 +1,6 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
@ -12,9 +12,8 @@ profile systemd-analyze @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
# Needed for the prctl's PR_SET_MM option:
# prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted)
capability sys_resource,
capability net_admin,
signal (send) peer=child-pager,

5
apparmor.d/groups/systemd/systemd-logind
View file

@ -41,9 +41,8 @@ profile systemd-logind @{exec_path} flags=(complain) {
@{run}/udev/data/c10:[0-9]* r,
@{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
@{run}/udev/data/c116:[0-9]* r, # for ALSA
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{run}/udev/data/c237:[0-9]* r,
@{run}/udev/data/c238:[0-9]* r,
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
@{run}/udev/data/c23[0-9]:[0-9]* r,
@{run}/udev/data/+input* r, # for mouse, keyboard, touchpad
@{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs

5
apparmor.d/groups/systemd/systemd-sysctl
View file

@ -7,7 +7,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
profile systemd-sysctl @{exec_path} {
profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/systemd-common>
@ -26,5 +26,8 @@ profile systemd-sysctl @{exec_path} {
/etc/sysctl.conf r,
# Inherit Silencer
deny /apparmor/.null rw,
include if exists <local/systemd-sysctl>
}