LVM and general update (#68)

* Small fixes * General update * Add LVM * Various small fixes * Add profile * Typo * sbin to regex * Date and time to extends * Read cmdline * Remove grep duplicate * Small fixes * Typo * Permissions for warning scripts * Add net_admin for multipath
2022-09-06 23:01:17 +02:00 · 2022-09-06 23:01:17 +02:00 · 9818daba5f
commit 9818daba5f
parent 1649b427f8
19 changed files with 237 additions and 49 deletions
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvm
+profile lvm @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+  include <abstractions/disks-write>
+
+  capability sys_admin,
+  capability sys_nice,
+  capability net_admin,
+
+  @{exec_path} rm,
+
+  /etc/lvm/** r,
+
+  @{run}/lvm/** rwk,
+  @{run}/lock/lvm/* rwk,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
+
+        @{PROC}/devices r,
+  owner @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/mapper/control rw,
+
+  include if exists <local/lvm>
+}
--- a/apparmor.d/profiles-g-l/lvmconfig
+++ b/apparmor.d/profiles-g-l/lvmconfig
@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvmconfig
+profile lvmconfig @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} rm,
+
+  /etc/lvm/** rw,
+
+  include if exists <local/lvmconfig>
+}
+
--- a/apparmor.d/profiles-g-l/lvmdump
+++ b/apparmor.d/profiles-g-l/lvmdump
@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvmdump
+profile lvmdump @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/disks-read>
+
+  @{exec_path} rm,
+
+  include if exists <local/lvmdump>
+}
+
--- a/apparmor.d/profiles-g-l/lvmpolld
+++ b/apparmor.d/profiles-g-l/lvmpolld
@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/lvmpolld
+profile lvmpolld @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} rm,
+  /{usr/,}bin/grep rix,
+  /{usr/,}bin/umount rPx,
+
+  @{run}/lvmpolld.pid rwk,
+
+  include if exists <local/lvmpolld>
+}