felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): parser: move sysctl to its own subprofile.

Browse source
This commit is contained in:
Alexandre Pujol 2025-08-17 17:16:24 +02:00
parent 7e79d5abef
commit 4dba131fb3
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
1 changed files with 11 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

13
apparmor.d/groups/apparmor/apparmor.systemd
View file

@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} {
@{bin}/sed rix, @{bin}/sed rix,
@{bin}/cat rix, @{bin}/cat rix,
@{bin}/sort rix, @{bin}/sort rix,
@{sbin}/sysctl rix, @{sbin}/sysctl rCx -> sysctl,
@{bin}/systemd-detect-virt rPx, @{bin}/systemd-detect-virt rPx,
@{bin}/xargs rix, @{bin}/xargs rix,
@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} {
@{PROC}/@{pids}/maps r, @{PROC}/@{pids}/maps r,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/mounts r, @{PROC}/mounts r,
@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
/dev/tty rw, /dev/tty rw,
profile sysctl {
include <abstractions/base>
@{sbin}/sysctl mr,
@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
include if exists <local/apparmor.systemd_sysctl>
}
include if exists <local/apparmor.systemd> include if exists <local/apparmor.systemd>
} }