Update profiles.

2022-02-08 18:16:45 +00:00 · 2022-02-08 18:16:45 +00:00 · 9ecc1aa240
commit 9ecc1aa240
parent 7274f98fa6
10 changed files with 33 additions and 14 deletions
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@ -10,9 +10,17 @@ include <tunables/global>
 profile systemd-makefs @{exec_path} {
  include <abstractions/base>

+  capability net_admin,
+  capability sys_resource,
+
  @{exec_path} mr,

  /{usr/,}{s,}bin/mkswap     rPx,

+  @{sys}/devices/virtual/block/zram[0-9]*/ r,
+  @{sys}/devices/virtual/block/zram[0-9]*/** r,
+
+  /dev/zram[0-9]* rwk,
+
  include if exists <local/systemd-makefs>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -15,17 +15,17 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-  # (##FIXME##)
-  capability sys_admin,
-  capability net_admin,
-  capability dac_read_search,
+  capability chown,
  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability mknod,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_module,
  capability sys_ptrace,
  capability sys_resource,
-  capability chown,
-  capability fsetid,
-  capability sys_module,
-  capability mknod,

  ptrace (read),