Update profile from #25 (2).

2022-02-09 19:35:18 +00:00 · 2022-02-09 19:35:18 +00:00 · 810985a0cd
commit 810985a0cd
parent 2f77653cba
38 changed files with 103 additions and 37 deletions
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -34,8 +34,10 @@ profile bootctl @{exec_path} {

   /etc/machine-id r,

+  @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

+  @{sys}/firmware/dmi/entries/*/raw r,
  @{sys}/firmware/efi/efivars/ r,
  @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
  @{sys}/firmware/efi/efivars/BootOrder-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -32,6 +32,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {

  /var/lib/systemd/coredump/ r,
  /var/lib/systemd/coredump/** rwl,
+  /var/lib/systemd/coredump/#[0-9]* rwl,

  owner @{PROC}/@{pid}/setgroups r,
        @{PROC}/@{pids}/comm r,
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@ -16,6 +16,7 @@ profile systemd-makefs @{exec_path} {
  @{exec_path} mr,

  /{usr/,}{s,}bin/mkswap     rPx,
+  /{usr/,}bin/mkfs.*         rPx,

  @{sys}/devices/virtual/block/zram[0-9]*/ r,
  @{sys}/devices/virtual/block/zram[0-9]*/** r,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-oomd
 profile systemd-oomd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/systemd-common>

  capability dac_override,
  capability kill,
@ -17,11 +18,9 @@ profile systemd-oomd @{exec_path} {

  /etc/systemd/oomd.conf r,

-  @{PROC}/1/cgroup r,
-  @{PROC}/cmdline r,
+  @{sys}/fs/cgroup/cgroup.controllers r,
+
  @{PROC}/pressure/{cpu,io,memory} r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/sys/kernel/random/boot_id r,

  include if exists <local/systemd-oomd>
 }
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@ -24,6 +24,8 @@ profile systemd-user-runtime-dir @{exec_path} {

  @{exec_path} mr,

+  /etc/machine-id r,
+
  @{run}/user/@{uid}/{,**} rw,

  @{PROC}/1/environ r,
--- a/apparmor.d/groups/systemd/zram-generator
+++ b/apparmor.d/groups/systemd/zram-generator
@ -18,12 +18,15 @@ profile zram-generator @{exec_path} {

  /etc/systemd/zram-generator.conf r,

-  @{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset} rw,
+  @{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset,comp_algorithm} rw,
  @{sys}/block/zram[0-9]*/{disksize,reset} rw,

-  owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
+  owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw,
  owner @{run}/systemd/generator/dev-zram[0-9]*.swap rw,
  owner @{run}/systemd/generator/swap.target.wants/{,dev-zram[0-9]*.swap} rw,
+  owner @{run}/systemd/generator/systemd-zram-setup@zram[0-9]*.service.d/{,*.conf} rw,
+
+  @{PROC}/crypto r,

  include if exists <local/zram-generator>
 }