feat(profiles): general update.
parent
f7b9ff959a
commit
5d47dfba95
50 changed files with 174 additions and 50 deletions
|
|
@ -11,7 +11,7 @@ profile tailscale @{exec_path} {
|
|||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
|
||||
|
||||
ptrace (read),
|
||||
capability sys_ptrace,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -19,15 +19,20 @@ profile tailscale @{exec_path} {
|
|||
network inet6 stream,
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ip rPx,
|
||||
|
||||
owner @{run}/tailscale/tailscaled.sock rw,
|
||||
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
@{PROC}/ r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/sys/net/core/somaxconn r,
|
||||
owner @{PROC}/@{pids}/environ r,
|
||||
|
||||
include if exists <local/tailscale>
|
||||
}
|
||||
|
|
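Review bot: `capability sys_ptrace,` in the `@ -11,7 +11,7 @@` hunk, combined with the peer-less `ptrace (read),` in the next hunk, lets the confined tailscale CLI pass the kernel's ptrace-read access check against any process on the system, yet the only per-pid reads the profile lists are `@{PROC}/@{pids}/stat r,` and `owner @{PROC}/@{pids}/environ r,`. The capability is consulted only when the ordinary same-uid/dumpable check fails, so if the CLI only inspects its own or its user's processes it is unnecessary; if it genuinely needs it (presumably to read state of a non-dumpable tailscaled as root — verify against the denial that prompted it), scope the ptrace rule to that peer, e.g. `ptrace (read) peer=tailscaled,`, and add a comment stating which operation requires the capability. The `@{PROC}/ r,`, `@{PROC}/@{pids}/stat r,` and `@{PROC}/sys/net/core/somaxconn r,` lines are printed twice in the rendering, so whether they moved or were duplicated cannot be told from this page. The enclosing profile block starts before the first hunk.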
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/tailscaled
|
||||
profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/ssl_certs>
|
||||
|
||||
|
|
@ -17,6 +18,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
|||
capability net_admin,
|
||||
capability net_raw,
|
||||
capability sys_ptrace,
|
||||
capability syslog,
|
||||
|
||||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
|
@ -28,6 +30,21 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
ptrace (read),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/resolve1
|
||||
interface=org.freedesktop.DBus.Peer
|
||||
member=Ping
|
||||
peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/resolve1
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=Get
|
||||
peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/resolve1
|
||||
interface=org.freedesktop.resolve1.Manager
|
||||
member={FlushCaches,SetLink*}
|
||||
peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ip rix,
|
||||
|
|
@ -42,10 +59,14 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
|||
@{etc_rw}/resolv.conf rw,
|
||||
@{etc_rw}/resolv.conf.*.tmp rw,
|
||||
|
||||
owner @{run}/tailscale/{,**} rw,
|
||||
owner /var/cache/{,**} rw,
|
||||
owner /var/lib/tailscale/{,**} rw,
|
||||
|
||||
owner @{user_share_dirs}/tailscale/{,**} rw,
|
||||
|
||||
owner @{run}/systemd/notify w,
|
||||
owner @{run}/tailscale/{,**} rw,
|
||||
|
||||
@{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
|
||||
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
|
||||
|
|
@ -81,6 +102,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/dev/net/tun rw,
|
||||
|
||||
include if exists <local/tailscaled_systemctl>
|
||||
}
|
||||
|
||||
include if exists <local/tailscaled>
|
||||
|
|
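Review bot: `owner /var/cache/{,**} rw,` in the `@ -42,10 +59,14 @@` hunk grants read/write over the whole cache tree, and because tailscaled runs as root the `owner` qualifier excludes almost nothing there (package-manager and other root-owned caches included). If the daemon only uses its own directory, narrow it to `owner /var/cache/tailscale/{,**} rw,` to match the scoping already applied to `/var/lib/tailscale/{,**}` and `@{run}/tailscale/{,**}`; if a wider path really is required, a comment naming the files it writes would justify the breadth. In the `@ -28,6 +30,21 @@` hunk the `member={FlushCaches,SetLink*}` wildcard on the resolve1 rule admits every SetLink* method; listing the ones tailscaled actually calls would keep the grant minimal, although the label-pinned `peer=(name=org.freedesktop.resolve1, label=systemd-resolved)` already limits the reachable service. The enclosing profile block starts before these hunks.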