feat(profile): improve some systemd profiles.
This commit is contained in:
Alexandre Pujol
Alex
parent
03b174a2d4
commit
881402dc21
3 changed files with 24 additions and 3 deletions
|
|
@ -39,7 +39,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
|
|||
/etc/systemd/coredump.conf r,
|
||||
/etc/systemd/coredump.conf.d/{,**} r,
|
||||
|
||||
owner @{HOME}/**.so r,
|
||||
owner @{HOME}/**.so* r,
|
||||
|
||||
/var/lib/systemd/coredump/{,**} rwl,
|
||||
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile systemd-machined @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/common/systemd>
|
||||
|
||||
|
|
@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
|
|||
capability kill,
|
||||
capability mknod,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
capability sys_ptrace,
|
||||
|
|
@ -31,26 +33,44 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
|
|||
network inet6 dgram,
|
||||
network netlink raw,
|
||||
|
||||
signal send set=rtmin+6 peer=systemd-nspawn,
|
||||
|
||||
ptrace read peer=systemd-nspawn,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.machine1
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/var/lib/machines/{,**} rw,
|
||||
/etc/machine-id r,
|
||||
|
||||
/ r,
|
||||
@{att}/ r,
|
||||
|
||||
owner /var/lib/machines/ rw,
|
||||
owner /var/lib/machines/** rwk,
|
||||
|
||||
owner @{run}/systemd/nspawn/ w,
|
||||
owner @{run}/systemd/nspawn/locks/ w,
|
||||
owner @{run}/systemd/nspawn/locks/** rwk,
|
||||
|
||||
@{run}/systemd/machine/{,**} rw,
|
||||
@{run}/systemd/machines/{,**} rw,
|
||||
@{run}/systemd/notify w,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/@{pid}/fdinfo/@{int} r,
|
||||
@{PROC}/@{pid}/gid_map r,
|
||||
@{PROC}/@{pid}/setgroups r,
|
||||
@{PROC}/@{pid}/uid_map r,
|
||||
@{PROC}/pressure/cpu r,
|
||||
@{PROC}/pressure/io r,
|
||||
@{PROC}/pressure/memory r,
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/pts/@{int} rw,
|
||||
/dev/pts/ptmx rw,
|
||||
|
||||
include if exists <local/systemd-machined>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} {
|
|||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
signal receive set=(term cont winch) peer=@{p_logrotate},
|
||||
signal receive set=(term cont winch) peer=*//systemctl,
|
||||
signal receive set=(term cont winch) peer=deb-systemd-invoke,
|
||||
signal receive set=(term cont winch) peer=default,
|
||||
signal receive set=(term cont winch) peer=@{p_logrotate},
|
||||
signal receive set=(term cont winch) peer=machinectl,
|
||||
signal receive set=(term cont winch) peer=makepkg//sudo,
|
||||
signal receive set=(term cont winch) peer=role_*,
|
||||
signal receive set=(term cont winch) peer=rpm,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue