feat(profiles): general update.

This commit is contained in:
Alexandre Pujol 2023-10-08 14:00:21 +01:00
parent 958cc671b2
commit b5fbef8eef
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
17 changed files with 62 additions and 82 deletions


@ -2,6 +2,8 @@
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Based on https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/usr.sbin.chronyd
abi <abi/3.0>,
include <tunables/global>
@ -11,11 +13,16 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice-strict>
capability chown,
capability dac_override,
capability dac_read_search,
capability net_admin,
capability net_bind_service,
capability net_raw,
capability setgid,
capability setuid,
capability sys_nice,
capability sys_resource,
capability sys_time,
network inet dgram,
@ -24,14 +31,33 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
/etc/chrony.conf r,
/etc/adjtime r,
/etc/chrony.* r,
/etc/chrony.d/{,*} r,
/etc/chrony/{,**} r,
/var/lib/chrony/drift* rw,
/var/lib/chrony/{,*} rw,
/var/log/chrony/{,*} rw,
@{run}/chrony-dhcp/ r,
@{run}/chrony/chronyd.pid rw,
@{run}/chrony/chronyd.sock rw,
# To sign replies to MS-SNTP clients by the smbd daemon
/var/lib/samba/ntp_signd/socket rw,
@{run}/chrony-dhcp/{,*} r,
@{run}/chrony.*.sock rw,
@{run}/chrony/{,*} rw,
# Allow reading the chronyd configuration file that timemaster(8) generates
@{run}/timemaster/chrony.conf r,
# Using the “tempcomp” directive gives chronyd the ability to improve
# the stability and accuracy of the clock by compensating the temperature
# changes measured by a sensor close to the oscillator.
@{sys}/class/hwmon/hwmon@{int}/temp@{int}_input r,
@{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp@{int}_input r,
/dev/pps@{int} rw,
/dev/ptp@{int} rw,
/dev/rtc{,@{int}} rw,
include if exists <local/chronyd>
}
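Review bot: The directory-wide grants `/var/lib/chrony/{,*} rw,`, `/var/log/chrony/{,*} rw,` and `@{run}/chrony/{,*} rw,` appear to replace the narrower `drift*`, `chronyd.pid` and `chronyd.sock` entries (the +/- markers are not preserved on this page, so which lines are new is inferred from the hunk counts); since the profile also grants `capability dac_override,` and `capability dac_read_search,`, these path rules are the only thing still bounding what chronyd can read or write under those directories, and the widening deserves a one-line justification in the profile, e.g. `# dumpdir/ntsdumpdir and other state files live next to the drift file` above the `/var/lib/chrony/` rule, or should be narrowed back to the file names chronyd actually uses. `/etc/chrony.conf r,` is subsumed by `/etc/chrony.* r,` and can be dropped to keep the rule set minimal. The `@{run}/chrony.*.sock rw,` rule sits at the top of `@{run}` rather than under `@{run}/chrony/`; if that is intentional it is worth a short comment naming the component that creates that socket.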