felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): initial integration with attached path.

Browse source 
The feature is not yet enabled.

See https://apparmor.pujol.io/development/internal/#re-attached-path
This commit is contained in:
Alexandre Pujol 2024-10-11 14:13:17 +01:00
parent 5bf8c6ef0f
commit 61a27bc336
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
85 changed files with 164 additions and 139 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/abstractions/common/app
View file

@ -67,10 +67,11 @@
owner @{tmp}/** rmwk,
owner /dev/shm/** rwlk -> /dev/shm/**,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
@{run}/host/{,**} r,
@{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp rk,
@{run}/udev/data/c13:@{int} r, # for /dev/input/*

13
apparmor.d/abstractions/common/bwrap
View file

@ -44,15 +44,16 @@
owner /tmp/newroot/ w,
owner /tmp/oldroot/ w,
@{att}/@{PROC}/sys/user/max_user_namespaces rw,
owner @{att}/@{PROC}/@{pid}/cgroup r,
owner @{att}/@{PROC}/@{pid}/gid_map rw,
owner @{att}/@{PROC}/@{pid}/mountinfo r,
owner @{att}/@{PROC}/@{pid}/setgroups rw,
owner @{att}/@{PROC}/@{pid}/uid_map rw,
@{PROC}/sys/kernel/overflowgid r,
@{PROC}/sys/kernel/overflowuid r,
@{PROC}/sys/user/max_user_namespaces rw,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/gid_map rw,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/setgroups rw,
owner @{PROC}/@{pid}/uid_map rw,
include if exists <abstractions/common/bwrap.d>