fix(profile): multiple minor fixes.

fix #493 #480
2024-09-17 12:55:08 +01:00 · 2024-09-17 12:55:08 +01:00 · 516a1fd36d
commit 516a1fd36d
parent 7858cae330
9 changed files with 24 additions and 2 deletions
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@ -20,6 +20,8 @@ profile nft @{exec_path} {

  @{exec_path} mr,

+  /usr/share/iproute2/{,**} r,
+
  /etc/iproute2/** r,
  /etc/nftables.conf r,
  /etc/nftables/{,**} r,
--- a/apparmor.d/profiles-m-r/pidof
+++ b/apparmor.d/profiles-m-r/pidof
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/pidof
 profile pidof @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability sys_ptrace,

--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@ -22,6 +22,7 @@ profile resolvconf @{exec_path} {
  @{bin}/rm          rix,
  @{bin}/run-parts   rix,
  @{bin}/sed         rix,
+  @{bin}/systemctl   rCx -> systemctl,
  @{lib}/resolvconf/list-records rix,

  /usr/lib/resolvconf/{,**} r,
@ -35,6 +36,16 @@ profile resolvconf @{exec_path} {

  /dev/tty rw,

+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    include if exists <local/resolvconf_systemctl>
+  }
+  
  include if exists <local/resolvconf>
 }