feat(profile): various update for ubuntu.
parent
e9b022a9a1
commit
8a381b2f6b
13 changed files with 29 additions and 9 deletions
|
|
@ -53,6 +53,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
||||||
peer=(name="{:*,org.freedesktop.DBus}"),
|
peer=(name="{:*,org.freedesktop.DBus}"),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@{python_path} mr,
|
||||||
|
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -84,6 +84,7 @@ profile apt-methods-gpgv @{exec_path} {
|
||||||
owner @{tmp}/apt-key-gpghome.*/ rw,
|
owner @{tmp}/apt-key-gpghome.*/ rw,
|
||||||
owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
|
owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
|
||||||
owner @{tmp}/apt.{conf,sig,data}.* rw,
|
owner @{tmp}/apt.{conf,sig,data}.* rw,
|
||||||
|
owner @{tmp}/apt.@{rand6}.gpg rw,
|
||||||
|
|
||||||
@{PROC}/@{pid}/fd/ r,
|
@{PROC}/@{pid}/fd/ r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,6 @@ profile dpkg @{exec_path} {
|
||||||
@{pager_path} rPx -> child-pager,
|
@{pager_path} rPx -> child-pager,
|
||||||
|
|
||||||
# Package maintainer's scripts
|
# Package maintainer's scripts
|
||||||
# Move it to a child profile once more transitions will be available
|
|
||||||
/var/lib/dpkg/info/*.{config,templates} rPUx,
|
/var/lib/dpkg/info/*.{config,templates} rPUx,
|
||||||
/var/lib/dpkg/info/*.{preinst,postinst} rPUx,
|
/var/lib/dpkg/info/*.{preinst,postinst} rPUx,
|
||||||
/var/lib/dpkg/info/*.{prerm,postrm} rPUx,
|
/var/lib/dpkg/info/*.{prerm,postrm} rPUx,
|
||||||
|
|
|
||||||
|
|
@ -23,14 +23,17 @@ profile dpkg-preconfigure @{exec_path} {
|
||||||
@{bin}/{,e}grep rix,
|
@{bin}/{,e}grep rix,
|
||||||
@{bin}/{,g,m}awk rix,
|
@{bin}/{,g,m}awk rix,
|
||||||
@{bin}/cat rix,
|
@{bin}/cat rix,
|
||||||
|
@{bin}/debconf-escape rix,
|
||||||
@{bin}/dialog rix,
|
@{bin}/dialog rix,
|
||||||
@{bin}/expr rix,
|
@{bin}/expr rix,
|
||||||
@{bin}/locale rix,
|
@{bin}/locale rix,
|
||||||
|
@{bin}/readlink rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
@{bin}/sort rix,
|
@{bin}/sort rix,
|
||||||
@{bin}/stty rix,
|
@{bin}/stty rix,
|
||||||
@{bin}/tr rix,
|
@{bin}/tr rix,
|
||||||
|
|
||||||
|
@{bin}/findmnt rPx,
|
||||||
@{bin}/dpkg rPx -> child-dpkg,
|
@{bin}/dpkg rPx -> child-dpkg,
|
||||||
@{bin}/apt-extracttemplates rPx,
|
@{bin}/apt-extracttemplates rPx,
|
||||||
@{bin}/whiptail rPx,
|
@{bin}/whiptail rPx,
|
||||||
|
|
@ -40,9 +43,12 @@ profile dpkg-preconfigure @{exec_path} {
|
||||||
|
|
||||||
/etc/debconf.conf r,
|
/etc/debconf.conf r,
|
||||||
/etc/default/grub r,
|
/etc/default/grub r,
|
||||||
|
/etc/default/mdadm r,
|
||||||
/etc/inputrc r,
|
/etc/inputrc r,
|
||||||
/etc/locale.gen r,
|
/etc/locale.gen r,
|
||||||
|
/etc/mdadm/mdadm.conf r,
|
||||||
/etc/shadow r,
|
/etc/shadow r,
|
||||||
|
/etc/ssh/sshd_config r,
|
||||||
|
|
||||||
/var/lib/locales/supported.d/{,*} r,
|
/var/lib/locales/supported.d/{,*} r,
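Review bot: The new read rules `/etc/default/mdadm r,`, `/etc/mdadm/mdadm.conf r,` and `/etc/ssh/sshd_config r,` in the second hunk carry no comment naming the package config script that needs them, in a profile that already reads `/etc/shadow`. A one-line comment per group, for example `# read by the mdadm config script` and `# read by the openssh-server config script`, would let a later reviewer tell required access from leftover access; those script names are an assumption and should be checked against the denial logs. The `@{bin}/findmnt rPx,` rule added in the first hunk also depends on a `findmnt` profile being loaded, because `Px` has no fallback when the target profile is missing; that profile is not visible on this page.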
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -23,6 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
ptrace (read),
|
ptrace (read),
|
||||||
|
|
||||||
|
mqueue getattr type=posix /,
|
||||||
mqueue r type=posix /,
|
mqueue r type=posix /,
|
||||||
|
|
||||||
@{exec_path} rm,
|
@{exec_path} rm,
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
|
||||||
@{bin}/kmod rix,
|
@{bin}/kmod rix,
|
||||||
@{bin}/modprobe rix,
|
@{bin}/modprobe rix,
|
||||||
@{bin}/xtables-legacy-multi rix,
|
@{bin}/xtables-legacy-multi rix,
|
||||||
@{bin}/xtables-nft-multi rix,
|
@{bin}/xtables-nft-multi rmix,
|
||||||
|
|
||||||
/usr/local/lib/@{python_name}/dist-packages/ r,
|
/usr/local/lib/@{python_name}/dist-packages/ r,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -53,6 +53,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
|
||||||
/var/lib/polkit{,-1}/localauthority/{,**} r,
|
/var/lib/polkit{,-1}/localauthority/{,**} r,
|
||||||
owner /var/lib/polkit{,-1}/.cache/ rw,
|
owner /var/lib/polkit{,-1}/.cache/ rw,
|
||||||
|
|
||||||
|
@{att}/@{run}/systemd/notify w,
|
||||||
@{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
|
@{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
|
||||||
@{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
|
@{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -108,7 +108,7 @@ profile snapd @{exec_path} {
|
||||||
/etc/modules-load.d/*snap* rw,
|
/etc/modules-load.d/*snap* rw,
|
||||||
/etc/systemd/system/{,**/} r,
|
/etc/systemd/system/{,**/} r,
|
||||||
/etc/systemd/system/snap* rw,
|
/etc/systemd/system/snap* rw,
|
||||||
/etc/systemd/user/{,**/} r,
|
/etc/systemd/user/{,**/} rw,
|
||||||
/etc/systemd/user/**/*snap* rw,
|
/etc/systemd/user/**/*snap* rw,
|
||||||
/etc/systemd/user/*snap* rw,
|
/etc/systemd/user/*snap* rw,
|
||||||
/etc/udev/rules.d/{,*snap*} rw,
|
/etc/udev/rules.d/{,*snap*} rw,
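Review bot: Changing `/etc/systemd/user/{,**/}` from `r` to `rw` lets snapd create and remove any directory under /etc/systemd/user, including ones unrelated to snap units, while the system counterpart `/etc/systemd/system/{,**/} r,` two lines above stays read-only. File writes are still limited by the `*snap*` rules, so the widening affects directories only. If the denial behind this change was for a wants directory (an assumption, since the log is not on the page), keep the broad rule at `r` and add a narrower one such as `/etc/systemd/user/*.wants/ rw,`.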
|
||||||
|
|
|
||||||
|
|
@ -59,12 +59,13 @@ profile login @{exec_path} flags=(attach_disconnected) {
|
||||||
|
|
||||||
owner @{user_cache_dirs}/motd.legal-displayed rw,
|
owner @{user_cache_dirs}/motd.legal-displayed rw,
|
||||||
|
|
||||||
|
@{att}/@{run}/systemd/sessions/@{int}.ref w,
|
||||||
|
|
||||||
@{run}/credentials/getty@tty@{int}.service/ r,
|
@{run}/credentials/getty@tty@{int}.service/ r,
|
||||||
@{run}/dbus/system_bus_socket rw,
|
@{run}/dbus/system_bus_socket rw,
|
||||||
@{run}/faillock/@{user} rwk,
|
@{run}/faillock/@{user} rwk,
|
||||||
@{run}/motd.d/{,*} r,
|
@{run}/motd.d/{,*} r,
|
||||||
@{run}/motd.dynamic{,.new} rw,
|
@{run}/motd.dynamic{,.new} rw,
|
||||||
@{run}/systemd/sessions/*.ref rw,
|
|
||||||
|
|
||||||
@{PROC}/@{pids}/cgroup r,
|
@{PROC}/@{pids}/cgroup r,
|
||||||
@{PROC}/1/limits r,
|
@{PROC}/1/limits r,
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ profile landscape-sysinfo.wrapper @{exec_path} {
|
||||||
capability fsetid,
|
capability fsetid,
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@{python_path} mr,
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/bc rix,
|
@{bin}/bc rix,
|
||||||
|
|
|
||||||
|
|
@ -19,11 +19,10 @@ profile mkinitramfs @{exec_path} {
|
||||||
capability fsetid,
|
capability fsetid,
|
||||||
|
|
||||||
@{exec_path} r,
|
@{exec_path} r,
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
|
|
||||||
@{bin}/ r,
|
@{bin}/ r,
|
||||||
@{lib}/ r,
|
@{lib}/ r,
|
||||||
@{lib}64/ r,
|
|
||||||
|
|
||||||
@{bin}/{,e}grep rix,
|
@{bin}/{,e}grep rix,
|
||||||
@{bin}/basename rix,
|
@{bin}/basename rix,
|
||||||
|
|
@ -43,6 +42,7 @@ profile mkinitramfs @{exec_path} {
|
||||||
@{bin}/mkdir rix,
|
@{bin}/mkdir rix,
|
||||||
@{bin}/mktemp rix,
|
@{bin}/mktemp rix,
|
||||||
@{bin}/readlink rix,
|
@{bin}/readlink rix,
|
||||||
|
@{bin}/realpath rix,
|
||||||
@{bin}/rm rix,
|
@{bin}/rm rix,
|
||||||
@{bin}/rmdir rix,
|
@{bin}/rmdir rix,
|
||||||
@{bin}/sed rix,
|
@{bin}/sed rix,
|
||||||
|
|
@ -60,6 +60,7 @@ profile mkinitramfs @{exec_path} {
|
||||||
@{bin}/kmod rCx -> kmod,
|
@{bin}/kmod rCx -> kmod,
|
||||||
@{bin}/ldconfig rCx -> ldconfig,
|
@{bin}/ldconfig rCx -> ldconfig,
|
||||||
@{bin}/ldd rCx -> ldd,
|
@{bin}/ldd rCx -> ldd,
|
||||||
|
@{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd,
|
||||||
@{lib}/ld-linux.so* rCx -> ldd,
|
@{lib}/ld-linux.so* rCx -> ldd,
|
||||||
|
|
||||||
@{bin}/dpkg rPx -> child-dpkg,
|
@{bin}/dpkg rPx -> child-dpkg,
|
||||||
|
|
@ -108,6 +109,8 @@ profile mkinitramfs @{exec_path} {
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{bin}/ldd mr,
|
@{bin}/ldd mr,
|
||||||
|
@{lib}/@{multiarch}/ld-linux-*so* mr,
|
||||||
|
@{lib}/ld-linux.so* mr,
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/kmod mr,
|
@{bin}/kmod mr,
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
||||||
capability sys_resource,
|
capability sys_resource,
|
||||||
capability net_admin,
|
capability net_admin,
|
||||||
|
|
||||||
signal send set=term peer=systemd-tty-ask-password-agent,
|
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
|
||||||
|
|
||||||
@{bin}/systemd-tty-ask-password-agent Px,
|
@{bin}/systemd-tty-ask-password-agent Px,
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -38,6 +38,7 @@ profile run-parts @{exec_path} {
|
||||||
/etc/anacrontab r,
|
/etc/anacrontab r,
|
||||||
/etc/conf.d/snapper{,**} r,
|
/etc/conf.d/snapper{,**} r,
|
||||||
/etc/default/* r,
|
/etc/default/* r,
|
||||||
|
/etc/profile.d/{,**} r,
|
||||||
/etc/snapper/configs/root r,
|
/etc/snapper/configs/root r,
|
||||||
|
|
||||||
# Crontab
|
# Crontab
|
||||||
|
|
@ -159,6 +160,10 @@ profile run-parts @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
network netlink raw,
|
||||||
|
|
||||||
@{sh_path} rix,
|
@{sh_path} rix,
|
||||||
@{bin}/{e,}grep rix,
|
@{bin}/{e,}grep rix,
|
||||||
@{bin}/cat rix,
|
@{bin}/cat rix,
|
||||||
|
|
@ -169,6 +174,7 @@ profile run-parts @{exec_path} {
|
||||||
@{bin}/sort rix,
|
@{bin}/sort rix,
|
||||||
@{bin}/tr rix,
|
@{bin}/tr rix,
|
||||||
@{bin}/uname rix,
|
@{bin}/uname rix,
|
||||||
|
@{bin}/hostname rPx,
|
||||||
|
|
||||||
@{bin}/snap rPUx,
|
@{bin}/snap rPUx,
|
||||||
@{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
|
@{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
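Review bot: The `network inet dgram,`, `network inet6 dgram,` and `network netlink raw,` rules added in the second hunk grant network access with no comment saying which script run by run-parts needs it. They land in a block whose header is above the visible lines, so it is not clear from this page which profile or sub-profile gains them. The following hunk adds `@{bin}/hostname rPx,`, and a `Px` transition runs hostname under its own profile, so if hostname lookups were the reason for the network rules they would belong in that profile rather than here. Please name the consumer in a comment such as `# needed by <script> for <purpose>`, or drop the rules if the hostname transition already covers the case.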
|
||||||
|
|
|
||||||