diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs
index 500cfec1d..7482e9ea6 100644
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@@ -20,6 +20,10 @@ profile zfs @{exec_path} {
 /etc/zfs/zfs-list.cache/{,*} rwk,
+ # Sanoid generates temorary files with random names including underscores, directly under /tmp.
+ # https://github.com/jimsalterjrs/sanoid/issues/758
+ /tmp/* rw,
+
 @{run}/zfs-list.cache@* rw,
 @{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool
index 2bc62188b..6d9c960b8 100644
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@@ -29,6 +29,7 @@ profile zpool @{exec_path} {
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/[0-9]*/address r,
+ @{PROC}/@{pids}/mountinfo r,
 @{PROC}/@{pids}/mounts r,
 @{PROC}/sys/kernel/spl/hostid r,
diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
index 76b98a496..428777fb7 100644
--- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot
+++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
@@ -9,14 +9,15 @@ include
 @{exec_path} = @{libexec}/zsys-system-autosnapshot
 profile zsys-system-autosnapshot @{exec_path} flags=(complain) {
 include
+ include
- @{exec_path} rm,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/zsysctl rPx,
- /{usr/,}bin/zsysd rPx,
+ @{exec_path} rm,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}{s,}bin/zsysctl rPx,
+ /{usr/,}{s,}bin/zsysd rPx,
 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
@@ -24,7 +25,5 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) {
 @{run}/zsys-snapshot.unattended-upgrades rw,
 @{run}/unattended-upgrades.pid r,
- /dev/pts/[0-9]* rw,
-
 include if exists
 }
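Review bot: The added `/tmp/* rw,` rule in the zfs profile grants read and write on every file directly under /tmp, which is far wider than the Sanoid temporary files the comment describes. If zfs runs as the same user that creates those files, `owner /tmp/* rw,` would at least keep it away from other users' files. A tighter glob is preferable if the linked issue gives a stable name pattern, which is not visible from this hunk. The comment also misspells `temporary` as `temorary`. The profile body starts and ends outside the hunk.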
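Review bot: The widened rules `/{usr/,}{s,}bin/zsysctl rPx,` and `/{usr/,}{s,}bin/zsysd rPx,` only work if the `zsysctl` and `zsysd` profiles also attach to the sbin paths, because a `Px` transition with no matching target profile is denied once this profile leaves `flags=(complain)`. Neither target profile is part of this diff, so their `@{exec_path}` definitions should be checked against the same `{s,}bin` pattern before merging. The added `include` line has lost its abstraction name in this rendering, so what it grants cannot be reviewed from here.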