feat(profile): parser: move sysctl to its own subprofile.

2025-08-17 17:16:24 +02:00 · 2025-08-17 17:16:24 +02:00 · 4dba131fb3
commit 4dba131fb3
parent 7e79d5abef
1 changed files with 11 additions and 2 deletions
--- a/apparmor.d/groups/apparmor/apparmor.systemd
+++ b/apparmor.d/groups/apparmor/apparmor.systemd
@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} {
  @{bin}/sed                  rix,
  @{bin}/cat                  rix,
  @{bin}/sort                 rix,
-  @{sbin}/sysctl              rix,
+  @{sbin}/sysctl              rCx -> sysctl,
  @{bin}/systemd-detect-virt  rPx,
  @{bin}/xargs                rix,

@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} {
  @{PROC}/@{pids}/maps r,
  @{PROC}/@{pids}/mounts r,
  @{PROC}/mounts r,
-  @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,

  /dev/tty rw,

+  profile sysctl {
+    include <abstractions/base>
+
+    @{sbin}/sysctl mr,
+
+    @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
+
+    include if exists <local/apparmor.systemd_sysctl>
+  }
+
  include if exists <local/apparmor.systemd>
 }