felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): add some dbus rules.

Browse source
This commit is contained in:
Alexandre Pujol 2023-12-19 23:24:44 +00:00
parent 53f3a27e16
commit 9f49052529
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
36 changed files with 98 additions and 140 deletions
Download patch file Download diff file Expand all files Collapse all files

16
apparmor.d/groups/systemd/hostnamectl
View file

@ -10,25 +10,11 @@ include <tunables/global>
profile hostnamectl @{exec_path} {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.hostname1>
include <abstractions/consoles>
capability net_admin,
dbus send bus=system path=/org/freedesktop/
interface=org.freedesktop.hostname1
member=Set*Hostname
peer=(name=org.freedesktop.hostname1),
dbus send bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.hostname1
member=Set*Hostname
peer=(name=org.freedesktop.hostname1),
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=org.freedesktop.systemd1),
# dbus: talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
@{exec_path} mr,

6
apparmor.d/groups/systemd/networkctl
View file

@ -11,7 +11,6 @@ include <tunables/global>
profile networkctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.network1>
capability net_admin,
capability sys_module,
@ -25,10 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
network inet6 dgram,
network netlink raw,
dbus send bus=system path=/org/freedesktop/network[0-9]
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.network1),
# dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd
@{exec_path} mr,

12
apparmor.d/groups/systemd/systemd-analyze
View file

@ -22,17 +22,7 @@ profile systemd-analyze @{exec_path} {
signal (send) peer=child-pager,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=ListUnits,
dbus send bus=system path=/org/freedesktop/systemd1/unit/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
# dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"
@{exec_path} mr,

2
apparmor.d/groups/systemd/systemd-homed
View file

@ -36,7 +36,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
mount options=(rw, rslave) -> @{run}/,
mount /dev/dm-[0-9]* -> @{run}/systemd/user-home-mount/,
dbus bind bus=system name=org.freedesktop.home1,
# dbus: own bus=system name=org.freedesktop.home1
@{exec_path} mr,

5
apparmor.d/groups/systemd/systemd-hostnamed
View file

@ -16,10 +16,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
capability sys_admin, # To set a hostname
dbus bind bus=system name=org.freedesktop.hostname1,
dbus receive bus=system path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
peer=(name=:*),
# dbus: own bus=system name=org.freedesktop.hostname1
@{exec_path} mr,

6
apparmor.d/groups/systemd/systemd-localed
View file

@ -17,11 +17,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
# Needed?
audit capability net_admin,
dbus bind bus=system name=org.freedesktop.locale1,
dbus receive bus=system path=/org/freedesktop/locale1
interface=org.freedesktop.DBus.Properties
member=GetAll
peer=(name=:*),
# dbus: own bus=system name=org.freedesktop.locale1
@{exec_path} mr,

2
apparmor.d/groups/systemd/systemd-oomd
View file

@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
capability dac_override,
capability kill,
dbus bind bus=system name=org.freedesktop.oom1,
# dbus: own bus=system name=org.freedesktop.oom1
@{exec_path} mr,

2
apparmor.d/groups/systemd/systemd-timesyncd
View file

@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
network inet stream,
network inet6 stream,
dbus bind bus=system name=org.freedesktop.timesync1,
# dbus: own bus=system name=org.freedesktop.timesync1
@{exec_path} mr,