feat(profile): update apt profiles.
This commit is contained in:
parent
ca1827ea12
commit
b569d44703
11 changed files with 44 additions and 6 deletions
|
|
@ -147,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
/tmp/ r,
|
||||
/tmp/apt-changelog-*/ w,
|
||||
/tmp/apt-changelog-*/*.changelog w,
|
||||
/tmp/apt-tmp-index.@{rand6} rw,
|
||||
owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw,
|
||||
owner @{tmp}/apt-dpkg-install-*/ rw,
|
||||
owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w,
|
||||
|
|
@ -190,6 +191,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{bin}/bunzip2 rix,
|
||||
@{bin}/chmod rix,
|
||||
@{bin}/bzip2 rix,
|
||||
@{bin}/gunzip rix,
|
||||
@{bin}/gzip rix,
|
||||
@{bin}/patch rix,
|
||||
|
|
@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/tar rix,
|
||||
@{bin}/xz rix,
|
||||
|
||||
/etc/dpkg/origins/debian r,
|
||||
/etc/dpkg/origins/* r,
|
||||
|
||||
owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
|
||||
owner @{HOME}/** rwkl -> @{HOME}/**,
|
||||
|
|
|
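Review bot: The `owner @{HOME}/** rwkl -> @{HOME}/**,` rule in the third hunk gives the apt profile read, write, lock and link access to every uid-owned file under the home directories, far wider than the neighbouring `owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,`; the rendered page does not show which of the two lines the `-197,7 +199,7` hunk swaps, so if `@{HOME}/**` is the surviving line a comment naming the use case, e.g. `# apt-get source / build-dep into a user-chosen directory`, would make the width deliberate. In the same hunk `/etc/dpkg/origins/* r,` already matches `/etc/dpkg/origins/debian r,`, so keeping both is redundant; the same pair appears in the dpkg-buildflags and dpkg-checkbuilddeps sections. The apt profile continues outside the hunk.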
|||
|
|
@ -25,6 +25,8 @@ profile apt-helper @{exec_path} {
|
|||
|
||||
capability net_admin,
|
||||
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
include if exists <local/apt-helper_systemctl>
|
||||
}
|
||||
|
||||
|
|
|
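Review bot: `capability net_admin,` in the apt-helper systemctl child profile (the hunk ends with `include if exists <local/apt-helper_systemctl>` and the closing `}`) has no comment saying which systemctl operation needs it; a one-line note such as `# net_admin: needed by systemctl for <operation seen in the denial>` would stop the next reader from trimming it or widening it further. The same set of `capability net_admin,`, `ptrace read peer=@{p_systemd},` and `signal send set=(cont term) peer=systemd-tty-ask-password-agent,` reappears in the deb-systemd-invoke and dpkg-scripts sections, so these look like candidates for one shared abstraction or child profile rather than three copies. The enclosing profile starts outside the hunk.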
|||
|
|
@ -74,6 +74,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
|
|||
@{run}/ubuntu-advantage/aptnews.json rw,
|
||||
owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw,
|
||||
|
||||
@{run}/systemd/resolve/io.systemd.Resolve rw,
|
||||
|
||||
@{PROC}/1/cgroup r,
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
|
||||
|
|
|
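Review bot: `@{PROC}/1/cgroup r,` is already covered by `@{PROC}/@{pid}/cgroup r,` on the following line if `@{pid}` expands to include pid 1 as the project tunables normally define it, so one of the two can go. The two `aptnews.json` rules also differ only in the `owner` qualifier (`@{run}/ubuntu-advantage/aptnews.json rw,` has none, the `apt-news/` variant has it); unless the http method really writes a file it does not own, adding `owner` to the first keeps the write access consistent. Which of these lines the hunk adds is not recoverable from the rendered page, and the profile continues outside the hunk.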
|||
|
|
@ -15,6 +15,8 @@ profile deb-systemd-invoke @{exec_path} {
|
|||
capability net_admin,
|
||||
capability sys_resource,
|
||||
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
|
|
|||
|
|
@ -18,6 +18,9 @@ profile dpkg @{exec_path} {
|
|||
capability fowner,
|
||||
capability fsetid,
|
||||
capability setgid,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace read peer=apt,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
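Review bot: `ptrace read peer=apt,` together with `capability sys_ptrace,` has no comment saying which access triggers it; reading `/proc/<pid>/` entries of the invoking apt process is the usual cause, but that is an inference from the peer name. A short comment above the rule, e.g. `# Read-only access to /proc entries of the parent apt process`, records why dpkg may inspect apt and makes the scope (read only, a single peer) clear to the next maintainer. The dpkg profile continues outside the hunk.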
|||
|
|
@ -14,10 +14,13 @@ profile dpkg-buildflags @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} r,
|
||||
|
||||
/etc/dpkg/origins/debian r,
|
||||
/usr/share/lto-disabled-list/lto-disabled-list r,
|
||||
|
||||
/usr/share/dpkg/cputable r,
|
||||
/usr/share/dpkg/tupletable r,
|
||||
/usr/share/dpkg/abitable r,
|
||||
|
||||
/etc/dpkg/origins/* r,
|
||||
|
||||
owner @{user_config_dirs}/dpkg/buildflags.conf r,
|
||||
|
||||
|
|
|
|||
|
|
@ -11,16 +11,21 @@ include <tunables/global>
|
|||
profile dpkg-checkbuilddeps @{exec_path} flags=(complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/perl>
|
||||
include <abstractions/common/apt>
|
||||
|
||||
@{exec_path} r,
|
||||
|
||||
/etc/dpkg/origins/debian r,
|
||||
|
||||
/var/lib/dpkg/status r,
|
||||
@{bin}/dpkg rPx,
|
||||
@{bin}/@{multiarch}gcc-@{int} mrix,
|
||||
|
||||
/usr/share/dpkg/ostable r,
|
||||
/usr/share/dpkg/cputable r,
|
||||
/usr/share/dpkg/tupletable r,
|
||||
|
||||
/etc/dpkg/origins/* r,
|
||||
|
||||
/var/lib/dpkg/status r,
|
||||
|
||||
# For package building
|
||||
owner @{user_build_dirs}/**/debian/control r,
|
||||
|
||||
|
|
|
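Review bot: `/var/lib/dpkg/status r,` appears twice in this hunk, once before `@{bin}/dpkg rPx,` and again after `/etc/dpkg/origins/* r,`; if both survive on the new side the first is redundant and should be dropped (the rendered page does not show whether the hunk moves it). `@{bin}/@{multiarch}gcc-@{int} mrix,` runs the compiler under this profile's own rules, which is tolerable while the profile is `flags=(complain)` but deserves a comment stating why dpkg-checkbuilddeps invokes gcc (for example `# gcc is queried for the build tuple`, if that is the actual reason), since a later move to enforce mode will have to carry gcc's file accesses here. The closing brace of the profile is outside the hunk.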
|||
|
|
@ -2,6 +2,8 @@
|
|||
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
# TODO: merge with dpkg-scripts
|
||||
|
||||
abi <abi/4.0>,
|
||||
|
||||
include <tunables/global>
|
||||
|
|
@ -16,8 +18,13 @@ profile dpkg-script-apparmor @{exec_path} {
|
|||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/{,e}grep ix,
|
||||
@{bin}/cat ix,
|
||||
@{bin}/chmod ix,
|
||||
@{bin}/mkdir ix,
|
||||
|
||||
@{bin}/deb-systemd-helper Px,
|
||||
@{bin}/dpkg-maintscript-helper Px,
|
||||
@{bin}/dpkg Px -> child-dpkg,
|
||||
@{bin}/deb-systemd-invoke Px,
|
||||
@{bin}/dpkg-divert ix,
|
||||
@{bin}/systemctl Cx -> systemctl,
|
||||
|
|
|
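Review bot: `@{bin}/dpkg-divert ix,` in the second hunk runs dpkg-divert inside this maintainer-script profile, while `@{bin}/dpkg Px -> child-dpkg,` a few lines above transitions dpkg to its own profile; dpkg-divert rewrites dpkg's diversions database, so an inherited run means dpkg-script-apparmor itself must carry write access to that database. If a dedicated dpkg-divert profile exists, `@{bin}/dpkg-divert Px,` would keep that access out of this profile and match the `Px` style of the dpkg and deb-systemd-invoke rules next to it. The first hunk's `# TODO: merge with dpkg-scripts` would be more useful if it recorded what currently blocks the merge. The profile continues outside the hunk.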
|||
|
|
@ -114,6 +114,10 @@ profile dpkg-scripts @{exec_path} {
|
|||
capability sys_ptrace,
|
||||
capability sys_resource,
|
||||
|
||||
signal send set=(cont term) peer=systemd-tty-ask-password-agent,
|
||||
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
@{bin}/systemd-tty-ask-password-agent Px,
|
||||
@{pager_path} Px -> child-pager,
|
||||
|
||||
|
|
|
|||
|
|
@ -38,6 +38,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
|
||||
|
||||
#aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/ r,
|
||||
|
|
@ -70,6 +72,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/zsys-system-autosnapshot Px,
|
||||
|
||||
/usr/share/distro-info/* r,
|
||||
/usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r,
|
||||
|
||||
@{etc_ro}/login.defs r,
|
||||
@{etc_ro}/security/capability.conf r,
|
||||
|
|
@ -127,6 +130,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|||
@{PROC}/@{pid}/attr/current r,
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/environ r,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
owner @{PROC}/@{pids}/fd/ r,
|
||||
|
|
|
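Review bot: In the third hunk `@{PROC}/@{pid}/environ r,` and `@{PROC}/@{pid}/cmdline r,` carry no `owner` qualifier while `owner @{PROC}/@{pids}/fd/ r,` does, and adjacent rules mix `@{pid}` with `@{pids}`; the environment of other processes can hold credentials, so unless unattended-upgrade genuinely inspects processes it does not own, `owner @{PROC}/@{pid}/environ r,` is the tighter form. Settling on one of `@{pid}`/`@{pids}` for the block, if they are not meant to differ, would also make the intended scope obvious. The rendered page does not show which of these lines the `-127,6 +130,7` hunk adds, and the profile continues outside the hunk.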
|||