feat(profile): improve the upgrade stack.
This commit is contained in:
Alexandre Pujol
parent
00a8ea1558
commit
99384e6513
7 changed files with 21 additions and 22 deletions
|
|
@ -25,19 +25,13 @@ profile cron @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read) peer=unconfined,
|
||||
|
||||
unix bind type=stream addr=@@{udbus}/bus/cron/system,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} rix,
|
||||
@{bin}/nice rix,
|
||||
@{bin}/ionice rix,
|
||||
@{bin}/exim4 rPx,
|
||||
@{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not
|
||||
# using the run-parts profile we are good
|
||||
|
||||
@{bin}/ionice rix,
|
||||
@{bin}/nice rix,
|
||||
@{bin}/run-parts rCx -> run-parts,
|
||||
@{lib}/sysstat/debian-sa1 rPx,
|
||||
|
||||
/etc/cron.d/{,*} r,
|
||||
|
|
|
|||
|
|
@ -50,7 +50,7 @@ profile snapd @{exec_path} {
|
|||
ptrace read peer=@{p_systemd},
|
||||
ptrace read peer=snap{,.*},
|
||||
|
||||
signal send set=kill peer=journalctl,
|
||||
signal send set=kill peer=snapd//journalctl,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/
|
||||
interface=org.freedesktop.login1.Manager
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
capability checkpoint_restore,
|
||||
capability dac_read_search,
|
||||
capability kill,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace read,
|
||||
|
|
@ -27,13 +26,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/systemctl rCx -> systemctl,
|
||||
@{bin}/systemd-detect-virt rPx,
|
||||
@{bin}/udevadm rCx -> udevadm,
|
||||
@{bin}/who rPx,
|
||||
@{lib}/needrestart/* rPx,
|
||||
@{python_path} rix,
|
||||
@{sbin}/unix_chkpwd rPx,
|
||||
|
||||
/etc/needrestart/hook.d/* rPx,
|
||||
/etc/needrestart/notify.d/* rPx,
|
||||
/etc/needrestart/restart.d/* rPx,
|
||||
@{etc_ro}/needrestart/hook.d/* rPx,
|
||||
@{etc_ro}/needrestart/notify.d/* rPx,
|
||||
@{etc_ro}/needrestart/restart.d/* rPx,
|
||||
|
||||
/etc/init.d/* r,
|
||||
/etc/needrestart/{,**} r,
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /etc/needrestart/hook.d/*
|
||||
@{exec_path} = @{etc_ro}/needrestart/hook.d/*
|
||||
profile needrestart-hook @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /etc/needrestart/notify.d/*
|
||||
@{exec_path} = @{etc_ro}/needrestart/notify.d/*
|
||||
profile needrestart-notify @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
@ -18,7 +18,10 @@ profile needrestart-notify @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{sh_path} r,
|
||||
@{bin}/fold ix,
|
||||
@{bin}/gettext.sh r,
|
||||
@{bin}/mail Px,
|
||||
@{bin}/notify-send Px,
|
||||
@{bin}/sed ix,
|
||||
|
||||
/etc/needrestart/notify.conf r,
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ abi <abi/4.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /etc/needrestart/restart.d/*
|
||||
@{exec_path} = @{etc_ro}/needrestart/restart.d/*
|
||||
profile needrestart-restart @{exec_path} {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,9 @@ profile pam-auth-update @{exec_path} flags=(complain) {
|
|||
/usr/share/pam{,-configs}/{,*} r,
|
||||
|
||||
/etc/pam.d/* rw,
|
||||
/etc/shadow r,
|
||||
|
||||
/var/lib/dpkg/info/libpam-runtime.templates r,
|
||||
/var/lib/pam/* rw,
|
||||
|
||||
include if exists <local/pam-auth-update>
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue