felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): initial integration with attached path.

Browse source 
The feature is not yet enabled.

See https://apparmor.pujol.io/development/internal/#re-attached-path
This commit is contained in:
Alexandre Pujol 2024-10-11 14:13:17 +01:00
parent 5bf8c6ef0f
commit 61a27bc336
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
85 changed files with 164 additions and 139 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/virt/dockerd
View file

@ -85,9 +85,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
/etc/docker/{,**} r,
/ r,
@{att}/ r,
owner @{lib}/containerd/** w,
owner @{att}/@{lib}/containerd/** rw,
owner @{lib}/docker/overlay2/*/work/{,**} rw,
owner /var/lib/containerd/** rw,
owner /var/lib/docker/{,**} rwk,

3
apparmor.d/groups/virt/libvirtd
View file

@ -153,11 +153,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
@{user_vm_dirs}/{,**} rwk,
@{user_publicshare_dirs}/{,**} rwk,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/libvirt/ rw,
@{run}/libvirt/** rwk,
@{run}/libvirtd.pid wk,
@{run}/lock/LCK.._pts_@{int} rw,
@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/systemd/notify w,
@{run}/utmp rk,

2
apparmor.d/groups/virt/virtinterfaced
View file

@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
@{lib}/gconv/gconv-modules rm,
@{lib}/gconv/gconv-modules.d/{,*} r,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
owner @{run}/user/@{uid}/libvirt/interface/ rw,
owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk,

3
apparmor.d/groups/virt/virtlogd
View file

@ -28,9 +28,10 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk,
owner @{run}/user/@{uid}/libvirt/virtlogd* w,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/libvirt/common/system.token rwk,
@{run}/libvirt/virtlogd-sock rw,
@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/virtlogd.pid rwk,
@{sys}/devices/system/node/ r,

3
apparmor.d/groups/virt/virtnetworkd
View file

@ -24,8 +24,9 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
owner /var/lib/libvirt/dnsmasq/*.macs* rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/libvirt/network/default.pid r,
@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp rk,
owner @{run}/libvirt/common/system.token rwk,
owner @{run}/libvirt/network/{,**} rwk,

3
apparmor.d/groups/virt/virtnodedevd
View file

@ -32,7 +32,8 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
/etc/libvirt/*.conf r,
/etc/mdevctl.d/{,**} r,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{run}/libvirt/common/system.token rwk,
owner @{run}/libvirt/nodedev/ rw,
owner @{run}/libvirt/nodedev/driver.pid wk,

3
apparmor.d/groups/virt/virtsecretd
View file

@ -20,7 +20,8 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) {
owner @{user_config_dirs}/libvirt/secrets/ rw,
owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
owner @{run}/user/@{uid}/libvirt/secrets/ rw,
owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk,

3
apparmor.d/groups/virt/virtstoraged
View file

@ -54,7 +54,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
owner @{run}/libvirt/storage/{,**} rwk,
owner @{run}/virtstoraged.pid rwk,
@{run}/systemd/inhibit/@{int}.ref rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
@{run}/utmp rwk,
@{sys}/devices/system/node/ r,