feat(profiles): general update.
This commit is contained in:
parent
862cc7aaaa
commit
52b3c1bcc5
12 changed files with 57 additions and 27 deletions
|
|
@ -29,11 +29,6 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
|||
|
||||
/etc/appstream.conf r,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/appstream-cache-*.mdb rw,
|
||||
owner @{user_cache_dirs}/appstream/ rw,
|
||||
owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
|
||||
|
||||
/var/lib/app-info/ w,
|
||||
/var/lib/app-info/yaml/ r,
|
||||
/var/lib/app-info/yaml/*.yml.gz w,
|
||||
|
|
@ -47,20 +42,25 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
|||
/var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
|
||||
|
||||
/var/cache/swcatalog/cache/{,**} rw,
|
||||
/var/log/cron-apt/temp w,
|
||||
owner /var/cache/app-info/{,**} rw,
|
||||
owner /var/cache/swcatalog/{,**} rw,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_cache_dirs}/appstream-cache-*.mdb rw,
|
||||
owner @{user_cache_dirs}/appstream/ rw,
|
||||
owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
|
||||
owner @{user_share_dirs}/mime/mime.cache r,
|
||||
|
||||
owner /tmp/appstream-cache-*.mdb rw,
|
||||
owner /tmp/appstream/ rw,
|
||||
owner /tmp/appstream/appcache-*.mdb rw,
|
||||
|
||||
/var/log/cron-apt/temp w,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
# freedesktop.org-strict
|
||||
/usr/share/applications/{,*.desktop} r,
|
||||
/usr/share/mime/mime.cache r,
|
||||
owner @{user_share_dirs}/mime/mime.cache r,
|
||||
# File Inherit
|
||||
deny network inet stream,
|
||||
deny network inet6 stream,
|
||||
|
||||
profile curl {
|
||||
include <abstractions/base>
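Review bot: `/var/cache/swcatalog/cache/{,**} rw,` has no `owner` qualifier while `owner /var/cache/swcatalog/{,**} rw,` a few lines below does, and the first path pattern is a subset of the second; the page has lost the add/remove markers so I cannot tell which of the two is the new line, but if both end up on the new side the unowned rule makes the `owner` restriction ineffective for the `cache/` subtree. If the stricter rule is the intent, drop the unowned line or write it as `owner /var/cache/swcatalog/cache/{,**} rw,`. The two `deny network inet{,6} stream,` lines under `# File Inherit` silence inherited-socket noise rather than grant anything, so a short comment naming the inherited fd they cover would help the next reader. The `profile curl {` child profile opens on the last lines of the hunk and continues outside it, so its rules are not reviewed here.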
|
||||
|
|
|
|||
|
|
@ -15,13 +15,13 @@ profile df @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
/usr/share/icons/*/index.theme r,
|
||||
|
||||
# For dir stats
|
||||
/ r,
|
||||
/**/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
include if exists <local/df>
|
||||
}
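Review bot: `/ r,` together with `/**/ r,` under `# For dir stats` allows opening and listing every directory on the system, which is broader than the comment explains; AppArmor file rules mediate open(), not stat(), so if df only needs to stat the paths it is handed the `r` is not required and, if df does open its directory argument, the comment should say so, e.g. `# For dir stats: df opens the directory argument rather than only stat()ing it — TODO confirm`. `owner @{PROC}/@{pid}/mountinfo r,` appears twice in this hunk; presumably one copy is the removed original and the other its new position, but if both survive on the new side one of them should be dropped.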
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
|
|||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
|
||||
# File Inherit
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
include if exists <local/findmnt>
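Review bot: `deny /apparmor/.null rw,` is explained only by the terse `# File Inherit`, and a reader outside the project will not know that this path is where AppArmor redirects file descriptors it revokes at a profile transition, so the rule is a log silencer rather than a real access decision. Consider `# File Inherit: fds revoked on profile transition are redirected to apparmorfs .null; quiet-deny to keep the audit log clean`. Since `deny` rules are silent by default, no `audit` qualifier is needed for that purpose.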
|
||||
|
|
|
|||
|
|
@ -10,9 +10,12 @@ include <tunables/global>
|
|||
profile firewalld @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
||||
capability mknod,
|
||||
capability net_admin,
|
||||
capability net_raw,
|
||||
capability setpcap,
|
||||
|
||||
network inet raw,
|
||||
network inet6 raw,
|
||||
|
|
@ -24,12 +27,14 @@ profile firewalld @{exec_path} {
|
|||
/{usr/,}{s,}bin/kmod rPx,
|
||||
/{usr/,}{s,}bin/xtables-legacy-multi rix,
|
||||
/{usr/,}{s,}bin/xtables-nft-multi rix,
|
||||
/{usr/,}bin/false rix,
|
||||
/{usr/,}bin/alts rix,
|
||||
|
||||
/usr/share/libalternatives/ r,
|
||||
/usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
|
||||
|
||||
/etc/firewalld/{,**} r,
|
||||
/etc/firewalld/zones/{,**} rw,
|
||||
/etc/iproute2/group r,
|
||||
/etc/iproute2/rt_realms r,
|
||||
|
||||
|
|
@ -41,6 +46,7 @@ profile firewalld @{exec_path} {
|
|||
@{PROC}/sys/kernel/modprobe r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
owner @{PROC}/@{pids}/net/ip_tables_names r,
|
||||
|
||||
include if exists <local/firewalld>
|
||||
}
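Review bot: `owner @{PROC}/@{pids}/net/ip_tables_names r,` in the last hunk uses `@{pids}` while the neighbouring rules use `@{pid}`; for a root daemon `owner` narrows this very little, so the rule presumably allows reading the ip_tables_names view of any root-owned process. If firewalld only reads its own, write `owner @{PROC}/@{pid}/net/ip_tables_names r,`; if another pid's view really is needed, a comment should say which one and why. In the first hunk `capability mknod,` and `capability setpcap,` are granted without a why-comment; capabilities are the privileged part of this profile and each deserves one line naming the operation that needs it, e.g. `capability setpcap, # TODO confirm which helper spawn needs this`.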
|
||||