feat(profile): general update.
This commit is contained in:
parent
1c999ca921
commit
555b5e3c3f
43 changed files with 142 additions and 124 deletions
@ -18,7 +18,7 @@ profile dbus-broker @{exec_path} flags=(attach_disconnected) {
network bluetooth stream,
network bluetooth seqpacket,
signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(cont, term) peer=@{systemd_user},
dbus bus=accessibility,
dbus bus=session,
@ -41,5 +41,7 @@ profile dbus-broker @{exec_path} flags=(attach_disconnected) {
/dev/dri/card@{int} rw,
/dev/input/event@{int} rw,
@{PROC}/sys/kernel/cap_last_cap r,
include if exists <local/dbus-broker>
}
@ -17,7 +17,7 @@ profile dbus-broker-launch @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{bin}/dbus-broker rPUx,
@{bin}/dbus-broker rPx,
/usr/share/dbus-1/{,**} r,
/usr/share/defaults/**.conf r,
@ -17,6 +17,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
include <abstractions/nameservice-strict>
include <abstractions/openssl>
network inet dgram,
network inet6 dgram,
network netlink raw,
# dbus: own bus=system name=org.freedesktop.ColorManager
@ -61,6 +63,9 @@ profile colord @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/@{pci}/uevent r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@{PROC}/sys/dev/parport/ r,
@{PROC}/sys/dev/parport/parport@{int}/base-addr r,
@{PROC}/sys/dev/parport/parport@{int}/irq r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pids}/cmdline r,
owner @{PROC}/@{pid}/fd/ r,
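Review bot: `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pids}/cgroup r,` in the second colord hunk carry no `owner` qualifier, so colord may read the command line of every process on the host, which can expose secrets passed as arguments. The hunk header (6 old lines, 9 new, 9 rendered) shows three additions and no removals, but the rendering does not say whether these two lines or the three parport lines are the new ones; if either of the `@{pids}` rules is new, it deserves a comment stating which processes colord actually inspects, or `owner` if it only needs its own entries, matching the `owner @{PROC}/@{pid}/fd/ r,` already in the same hunk. The profile block starts and ends outside the hunk.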
@ -30,6 +30,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/ r,
@{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform:* r,
@ -18,14 +18,11 @@ profile xdg-desktop-portal-gnome @{exec_path} {
include <abstractions/bus/org.gtk.vfs.MountTracker>
include <abstractions/dconf-write>
include <abstractions/deny-sensitive-home>
include <abstractions/dri>
include <abstractions/fontconfig-cache-write>
include <abstractions/gnome-strict>
include <abstractions/mesa>
include <abstractions/graphics>
include <abstractions/nameservice-strict>
include <abstractions/nvidia>
include <abstractions/user-download>
include <abstractions/vulkan>
network unix stream,
@ -68,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
@{bin}/* r,
/usr/share/dconf/profile/gdm r,
/usr/share/thumbnailers/{,**} r,
/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
/var/lib/gdm{3,}/greeter-dconf-defaults r,
@ -75,6 +73,9 @@ profile xdg-desktop-portal-gnome @{exec_path} {
owner @{HOME}/*/{,**} rw,
owner /tmp/.goutputstream-@{rand6} rw,
owner /tmp/@{rand6} rw,
@{run}/mount/utab r,
owner @{PROC}/@{pid}/ r,
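Review bot: `/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,` in the second xdg-desktop-portal-gnome hunk grants write access to the gdm user's fontconfig cache without `owner`; the hunk adds exactly one line and the rendering does not show which, but if this rule is the addition, `owner` would limit the write to the portal instance running as that user in the greeter session. The `abstractions/fontconfig-cache-write` include at the top of the file may already cover part of this path, in which case an explicit rule is only needed for what the abstraction misses; worth checking before keeping both. The profile block starts and ends outside the hunk.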
@ -23,6 +23,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
@{bin}/head rix,
@{bin}/mv rix,
@{bin}/readlink rix,
@{bin}/realpath rix,
@{bin}/sed rix,
@{bin}/tr rix,
@{bin}/uname rix,
@ -56,6 +56,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/language-tools/language2locale rix,
/usr/share/language-tools/language-options rPUx,
/opt/**/share/icons/{,**} r,
/snap/*/@{int}/**.png r,
/usr/share/backgrounds/{,**} r,
/usr/share/cups/data/testprint r,
@ -71,11 +72,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
/usr/share/pipewire/client.conf r,
/usr/share/thumbnailers/{,*} r,
/usr/share/wallpapers/{,**} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/xml/iso-codes/{,**} r,
/etc/cups/client.conf r,
/etc/machine-info r,
/etc/pipewire/client.conf.d/ r,
/etc/pipewire/client.conf.d/{,**} r,
/etc/rygel.conf r,
/etc/security/pwquality.conf r,
/etc/security/pwquality.conf.d/{,**} r,
@ -92,14 +93,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner @{HOME}/.cert/nm-openvpn/*.pem r,
owner @{HOME}/.face r,
owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
owner @{user_cache_dirs}/thumbnails/{,**} rw,
owner @{user_config_dirs}/gnome-control-center/{,**} rw,
owner @{user_config_dirs}/ibus/bus/ r,
owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
owner @{user_games_dirs}/**.png r,
owner @{user_share_dirs}/backgrounds/{,**} rw,
owner @{user_share_dirs}/gnome-remote-desktop/ w,
owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
@ -108,15 +113,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@{run}/cups/cups.sock rw,
@{run}/samba/ rw,
@{run}/systemd/sessions/ r,
@{run}/systemd/sessions/* r,
@{run}/systemd/users/@{uid} r,
owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
owner @{run}/user/@{uid}/pipewire-@{int} rw,
@{run}/udev/data/+dmi:* r,
@{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
@ -18,7 +18,7 @@ profile gnome-session-ctl @{exec_path} {
dbus send bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member={StartUnit,StopUnit}
peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
dbus send bus=session path=/org/gnome/SessionManager
interface=org.gnome.SessionManager
@ -63,6 +63,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
network unix stream,
ptrace (read),
ptrace (readby) peer=pipewire,
signal (receive) set=(cont, term) peer=systemd-user,
signal (receive) set=(term, hup) peer=gdm*,
@ -178,7 +179,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
dbus receive bus=session path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=JobRemoved
peer=(name=:*, label="@{systemd}"),
peer=(name=:*, label="@{systemd_user}"),
dbus send bus=session path=/MenuBar
interface=com.canonical.dbusmenu
@ -213,19 +214,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
/opt/**/share/icons/{,**} r,
/opt/*/**/*.png r,
/snap/*/@{uid}/**.png r,
/usr/share/{,zoneinfo-}icu/{,**} r,
/usr/share/**.{png,jpg,svg} r,
/usr/share/app-info/icons/{,**} r,
/usr/share/**/icons/{,**} r,
/usr/share/backgrounds/{,**} r,
/usr/share/byobu/desktop/byobu* r,
/usr/share/dconf/profile/gdm r,
/usr/share/desktop-base/** r,
/usr/share/desktop-directories/{,*.directory} r,
/usr/share/egl/{,**} r,
/usr/share/evolution-data-server/icons/{,**} r,
/usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
/usr/share/gdm/BuiltInSessions/{,*.desktop} r,
/usr/share/gdm/greeter-dconf-defaults r,
/usr/share/gdm/greeter/applications/{,**} r,
@ -238,7 +238,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
/usr/share/pipewire/client.conf r,
/usr/share/wallpapers/** r,
/usr/share/wayland-sessions/{,*.desktop} r,
/usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
/usr/share/xml/iso-codes/{,**} r,
/.flatpak-info r,
/etc/fstab r,
@ -340,7 +340,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/+sound:card@{int} r, # for sound
@{run}/udev/data/+usb* r, # for USB mouse and keyboard
@{run}/udev/data/+i2c:* r,
@{run}/udev/data/+hid:* r , # for HID-Compliant Keyboard
@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
@{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
@{run}/udev/data/c13:@{int} r, # for /dev/input/*
@{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
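Review bot: `signal (receive) set=(cont, term) peer=systemd-user,` in the first gnome-shell hunk still names the peer by its literal profile name, while this same commit moves dbus-broker, gnome-session-ctl and ubuntu-report to the `@{systemd_user}` variable; the hunk adds a single line and the rendering does not show whether this one is it, but either way the profile is left inconsistent with the rest of the change. Suggest `signal (receive) set=(cont, term) peer=@{systemd_user},`. The bare `ptrace (read),` a few lines above has no peer restriction at all and would merit a comment stating why gnome-shell needs to read every process rather than a named set of peers. The profile block starts and ends outside the hunk.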
@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
@{run}/systemd/sessions/* r,
@{run}/systemd/sessions/*.ref r,
@{run}/mount/utab r,
@{sys}/devices/@{pci}/net/*/statistics/collisions r,
@{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
@ -39,7 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/a*org.gnome.NautilusPreviewer.slice/*/memory.* r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r,
@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
@{PROC}/@{pid}/cgroup r,
@ -61,6 +61,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
@{sys}/devices/i2c-@{int}/name r,
@{sys}/devices/platform/*/i2c-@{int}/name r,
@{PROC}/@{pid}/fd/ r,
@{PROC}/@{pid}/mounts r,
@{PROC}/sys/kernel/core_pattern r,
@{PROC}/sys/kernel/random/boot_id r,
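Review bot: `@{PROC}/@{pid}/fd/ r,` and `@{PROC}/@{pid}/mounts r,` in the kde-powerdevil hunk carry no `owner` qualifier, unlike the equivalent `owner @{PROC}/@{pid}/fd/ r,` rules that colord, networkd-dispatcher and paccache get in this same commit; the hunk adds one line and the rendering does not show which of the four `@{PROC}` lines it is, but the inconsistency stands whichever it is. If powerdevil only needs its own fd table and mount view, `owner @{PROC}/@{pid}/fd/ r,` and `owner @{PROC}/@{pid}/mounts r,` would say so and stop it reading other processes' entries. The profile block starts and ends outside the hunk.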
@ -67,6 +67,8 @@ profile kioslave5 @{exec_path} {
deny /tmp/.* rw,
deny /tmp/.*/{,**} rw,
owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int},
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/kio_http/* rwl,
owner @{user_cache_dirs}/ksycoca5_* r,
@ -17,7 +17,6 @@ profile ksplashqml @{exec_path} {
@{exec_path} mr,
/usr/share/plasma/** r,
/usr/share/qt/translations/*.qm r,
owner @{user_cache_dirs}/icon-cache.kcache rw,
owner @{user_cache_dirs}/ksplash/ rw,
@ -128,6 +128,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
owner @{user_config_dirs}/kwalletrc r,
owner @{user_config_dirs}/menus/{,**} r,
owner @{user_config_dirs}/plasma* rwlk,
owner @{user_config_dirs}/pulse/ rw,
owner @{user_config_dirs}/pulse/cookie rwk,
owner @{user_config_dirs}/trashrc r,
@ -17,15 +17,21 @@ profile networkd-dispatcher @{exec_path} {
dbus receive bus=system path=/org/freedesktop/network1{,/link/*}
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(name=:*),
peer=(name=:*, label=systemd-networkd),
@{exec_path} mr,
@{bin}/ r,
@{bin}/networkctl rPx,
@{bin}/ls rix,
@{bin}/sed rix,
@{lib}/networkd-dispatcher/routable.d/postfix rix,
/etc/networkd-dispatcher/{,**} r,
/var/spool/postfix/pid/master.pid r,
@{run}/systemd/notify rw,
owner @{PROC}/@{pid}/fd/ r,
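Review bot: `@{lib}/networkd-dispatcher/routable.d/postfix rix,` executes a dispatcher hook inline under this profile, while the admin hook tree is only covered by `/etc/networkd-dispatcher/{,**} r,` and nothing in the hunk grants it execution, so locally installed hooks would be denied where the packaged postfix one runs; a comment above the rule stating that only the packaged hook is expected to run, or a rule for the `/etc` hooks, would make the intent explicit. Running hooks with `rix` also means whatever a hook does (the `ls` and `sed` rules suggest shell scripts) is charged against this profile, so every new hook widens it; a child profile for the hook directories would keep that contained. The `peer=(name=:*, label=systemd-networkd)` tightening on the PropertiesChanged receive rule is the right direction. The profile block starts and ends outside the hunk.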
@ -18,7 +18,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
capability sys_nice,
capability sys_ptrace,
ptrace (read) peer=unconfined,
ptrace (read) peer=@{systemd},
# dbus: own bus=system name=org.freedesktop.nm_dispatcher
@ -73,7 +73,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
/etc/network/if-*.d/* rPUx,
/etc/wpa_supplicant/ifupdown.sh rPUx,
include if exists <local/anacron_run_parts>
include if exists <local/nm-dispatcher_run-parts>
}
include if exists <local/nm-dispatcher>
@ -7,9 +7,10 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/paccache
profile paccache @{exec_path} {
profile paccache @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability dac_read_search,
capability mknod,
@ -20,8 +21,11 @@ profile paccache @{exec_path} {
@{bin}/bash rix,
@{bin}/cat rix,
@{bin}/gettext rix,
@{bin}/pacman rPx,
@{bin}/pacman-conf rPx,
@{bin}/gpg{,2} rix,
@{bin}/gpgconf rix,
@{bin}/gpgsm rix,
@{bin}/pacman rix,
@{bin}/pacman-conf rix,
@{bin}/pacsort rix,
@{bin}/rm rix,
@{bin}/stat rix,
@ -31,7 +35,11 @@ profile paccache @{exec_path} {
/usr/share/makepkg/util/*.sh r,
/usr/share/terminfo/** r,
/etc/pacman.conf r,
/etc/pacman.d/{,**} r,
/var/cache/pacman/pkg/{,*} rw,
/var/lib/pacman/{,**} r,
owner @{PROC}/@{pid}/fd/ r,
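Review bot: `@{bin}/pacman rix,` and `@{bin}/pacman-conf rix,` in the second paccache hunk appear to replace the `rPx` transitions (the counts, 8 old lines versus 11 new with the `rPx` pair rendered first as removed lines are elsewhere on this page, fit three gpg additions plus this swap), so pacman now runs inside the paccache profile rather than under its own; since this profile also holds `capability dac_read_search`, `capability mknod` and `/var/cache/pacman/pkg/{,*} rw,`, anything pacman does from here runs with those rights. If inline execution is deliberate because paccache only calls pacman for queries, a one-line comment above the rule saying so would keep the next reader from re-tightening it; otherwise restoring `@{bin}/pacman rPx,` keeps pacman under its dedicated profile. The inline `gpg{,2}`, `gpgconf` and `gpgsm` rules likewise mean any keyring access gpg performs must be granted in this profile, which currently reads `/etc/pacman.d/{,**}` only. The profile block starts and ends outside the hunks.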
@ -55,9 +55,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
ptrace (read,trace) peer=@{systemd},
dbus send bus=system path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession}
peer=(name=org.freedesktop.login1, label=systemd-logind),
interface=org.freedesktop.login1.Manager
member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
peer=(name=org.freedesktop.login1, label=systemd-logind),
@{exec_path} mrix,
@ -14,10 +14,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
capability net_admin,
capability sys_module,
# Needed? (#FIXME#)
audit capability sys_resource,
ptrace (read) peer=@{systemd},
signal send peer=child-pager,
network inet dgram,
@ -44,10 +44,13 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
/{run,var}/log/journal/@{md5}/system.journal* r,
/{run,var}/log/journal/@{md5}/system@@{hex}.journal* r,
@{run}/systemd/netif/leases/@{int} r,
@{run}/systemd/netif/links/@{int} r,
@{run}/systemd/netif/state r,
@{run}/systemd/notify w,
@{run}/udev/data/n@{int} r,
@{sys}/devices/**/net/**/uevent r,
@{PROC}/sys/kernel/random/boot_id r,
@ -27,7 +27,7 @@ profile systemd-backlight @{exec_path} {
@{sys}/class/ r,
@{sys}/class/backlight/ r,
@{sys}/devices/pci[0-9]*/*:@{int}.@{int}/**/ r,
@{sys}/devices/@{pci}/*:@{int}.@{int}/**/ r,
@{sys}/devices/@{pci}/ r,
@{sys}/devices/@{pci}/backlight/**/{max_brightness,actual_brightness} r,
@{sys}/devices/@{pci}/backlight/**/{uevent,type} r,
@ -20,6 +20,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{run}/host/container-manager r,
@{run}/systemd/notify w,
@{sys}/devices/virtual/dmi/id/bios_vendor r,
@{sys}/devices/virtual/dmi/id/board_vendor r,
@ -18,6 +18,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
# dbus: own bus=system name=org.freedesktop.hostname1
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=GetConnectionUnixUser
peer=(name=org.freedesktop.DBus, label=dbus-daemon),
@{exec_path} mr,
@{etc_rw}/.#hostname* rw,
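Review bot: `peer=(name=org.freedesktop.DBus, label=dbus-daemon),` on the new GetConnectionUnixUser send rule in systemd-hostnamed pins the bus driver's label to dbus-daemon; on a host where dbus-broker serves the system bus (a profile this same commit updates) the peer would carry the dbus-broker label and the call would be denied. If both bus implementations are supported by the project, the label should admit both, for example `label=dbus-{daemon,broker}` if the parser accepts alternation in that position and the profile names match, or whichever variable the project uses for the bus daemon. The profile block starts and ends outside the hunk.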
@ -27,6 +27,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
network netlink raw,
# mqueue r type=posix /,
# dbus: own bus=system name=org.freedesktop.login1
# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
@ -29,6 +29,15 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
# dbus: own bus=system name=org.freedesktop.network1
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=SetHostname
peer=(name=org.freedesktop.hostname1),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=SetHostname
peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed),
@{exec_path} mr,
/var/lib/dbus/machine-id r,
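Review bot: The two `dbus send bus=system path=/org/freedesktop/hostname1` rules for `member=SetHostname` in the systemd-networkd hunk differ only in their last line, `peer=(name=org.freedesktop.hostname1),` versus `peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed),`. The hunk header (6 old lines, 15 new) with 15 lines rendered implies nothing was removed, so both rules are additions; the unlabelled one already matches any peer that owns the name, which makes the labelled one redundant and drops the restriction it was meant to add. Keep only the rule ending in `peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed),`. The profile block starts and ends outside the hunk.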
@ -17,6 +17,8 @@ profile ubuntu-report @{exec_path} {
network inet dgram,
network inet6 dgram,
signal (receive) set=(cont term) peer=@{systemd_user},
@{exec_path} mr,
@{bin}/dpkg rPx -> child-dpkg,
@ -70,10 +70,10 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
ptrace (read,trace) peer=unconfined,
ptrace (read,trace) peer=@{profile_name},
ptrace (read,trace) peer=dnsmasq,
ptrace (read,trace) peer=libvirt-*,
ptrace (read,trace) peer=libvirt-@{uuid},
ptrace (read,trace) peer=virt-manager,
signal (read,send) peer=libvirt-*,
signal (read,send) peer=libvirt-@{uuid},
signal (read,send) peer=unconfined,
signal (send) peer=dnsmasq,
signal (send) set=(kill, term) peer=virtiofsd,
@ -246,16 +246,17 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/dev/cpu/@{int}/msr r,
/dev/dri/ r,
/dev/hugepages/{,**} w,
/dev/kvm rw,
/dev/mapper/ r,
/dev/mapper/control rw,
/dev/net/tun rw,
/dev/ptmx rw,
/dev/shm/libvirt/{,**} rw,
/dev/vfio/@{int} rwk,
/dev/vhost-net rw,
/dev/ptmx rw,
# Force the use of virt-aa-helper
audit deny @{bin}/apparmor_parser rwxl,
@ -6,7 +6,7 @@ abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{lib}/qemu/virtiofsd @{bin}/virtiofsd
@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd
profile virtiofsd @{exec_path} {
include <abstractions/base>