felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add netplan-generate.

Browse source
This commit is contained in:
Alexandre Pujol 2025-03-13 19:18:03 +01:00
parent 1702072669
commit 7abbf548a2
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
2 changed files with 49 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

48
apparmor.d/groups/network/netplan-generate Normal file
View file

@ -0,0 +1,48 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{lib}/netplan/generate
profile netplan-generate @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability chown,
network netlink raw,
@{exec_path} mr,
/etc/netplan/{,*} r,
@{run}/systemd/generator/multi-user.target.wants/ w,
@{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w,
@{run}/systemd/generator/netplan.stamp w,
@{run}/systemd/generator/network-online.target.wants/ w,
@{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w,
@{run}/systemd/network/ r,
@{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
@{run}/systemd/system/ r,
@{run}/systemd/system/netplan-* rw,
@{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
@{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
@{run}/systemd/system/systemd-networkd.service.wants/ rw,
@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
@{run}/udev/rules.d/ r,
@{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
@{sys}/devices/**/net/*/address r,
@{run}/udev/rules.d/ r,
@{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
include if exists <local/netplan-generate>
}
# vim:syntax=apparmor

25
apparmor.d/groups/network/netplan.script
View file

@ -9,41 +9,18 @@ include <tunables/global>
@{exec_path} = /usr/share/netplan/netplan.script @{exec_path} = /usr/share/netplan/netplan.script
profile netplan.script @{exec_path} flags=(attach_disconnected) { profile netplan.script @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
include <abstractions/python> include <abstractions/python>
network netlink raw,
@{exec_path} mr, @{exec_path} mr,
@{lib}/netplan/generate rix, @{lib}/netplan/generate rPx,
@{bin}/udevadm rCx -> udevadm, @{bin}/udevadm rCx -> udevadm,
@{bin}/systemctl rCx -> systemctl, @{bin}/systemctl rCx -> systemctl,
/usr/share/netplan/{,**} r, /usr/share/netplan/{,**} r,
/etc/netplan/{,*} r,
@{run}/netplan/ r, @{run}/netplan/ r,
@{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw,
@{run}/NetworkManager/system-connections/ rw,
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
@{run}/systemd/network/ r,
@{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
@{run}/systemd/system/ r,
@{run}/systemd/system/netplan-* rw,
@{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
@{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
@{run}/systemd/system/systemd-networkd.service.wants/ rw,
@{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
@{run}/udev/rules.d/ r,
@{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
@{sys}/devices/**/net/*/address r,
profile udevadm { profile udevadm {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/udevadm> include <abstractions/app/udevadm>