Profiles update.

2021-10-22 15:01:43 +01:00 · 2021-10-22 15:01:43 +01:00 · aac0a93080
commit aac0a93080
parent b91ddfa493
34 changed files with 136 additions and 144 deletions
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@ -12,11 +12,10 @@ profile systemd-sysctl @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>

-  # Are these needed?
-  deny capability sys_ptrace,
-  deny capability sys_admin,
-  deny capability net_admin,
-  deny capability sys_resource,
+  capability net_admin,
+  capability sys_admin,
+  capability sys_ptrace,
+  # capability sys_resource,

  @{exec_path} mr,

--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -37,6 +37,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/sys/kernel/random/boot_id r,

+  # Inherit Silencer
+  deny network inet6 stream,
+  deny network inet stream,
  deny /apparmor/.null rw,

  include if exists <local/systemd-sysusers>