Update profiles.

2021-09-28 21:53:50 +01:00 · 2021-09-28 21:53:50 +01:00 · b79ffa52c6
commit b79ffa52c6
parent a30fda0ad7
18 changed files with 91 additions and 143 deletions
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,15 +12,9 @@ profile htop @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

-  # To be able to read the /proc/ files of all processes in the system.
  capability dac_read_search,
-
-  # To manage priorities.
-  capability sys_nice,
-
-  # To terminate other users' processes when htop is started as root.
  capability kill,
-
+  capability sys_nice,
  capability sys_ptrace,

  # Needed? (for system state)
@ -34,6 +29,14 @@ profile htop @{exec_path} {

  /usr/share/terminfo/x/xterm-256color r,

+  /etc/sensors.d/ r,
+  /etc/sensors3.conf r,
+
+  owner @{user_config_dirs}/htop/ rw,
+  owner @{user_config_dirs}/htop/htoprc rw,
+
+  owner @{PROC}/@{pid}/smaps_rollup r,
+
  @{PROC}/ r,
  @{PROC}/loadavg r,
  @{PROC}/uptime r,
@ -45,6 +48,8 @@ profile htop @{exec_path} {
  @{PROC}/pressure/memory r,
  @{PROC}/diskstats r,

+  @{PROC}/@{pids}/ r,
+  
  @{PROC}/@{pids}/attr/current r,
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/@{pids}/stat r,
@ -58,6 +63,7 @@ profile htop @{exec_path} {
  @{PROC}/@{pids}/comm r,

  @{PROC}/@{pids}/task/ r,
+  @{PROC}/@{pids}/task/@{tid}/ r,
  @{PROC}/@{pids}/task/@{tid}/attr/current r,
  @{PROC}/@{pids}/task/@{tid}/cmdline r,
  @{PROC}/@{pids}/task/@{tid}/stat r,
@ -72,37 +78,27 @@ profile htop @{exec_path} {
  @{PROC}/@{pids}/task/@{tid}/comm r,
  @{PROC}/@{pids}/net/dev r,

-  owner @{PROC}/@{pid}/smaps_rollup r,
-
-  @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
-  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
-  @{sys}/class/i2c-adapter/ r,
-  @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
  @{sys}/class/hwmon/ r,
+  @{sys}/class/i2c-adapter/ r,
  @{sys}/class/power_supply/ r,
-  @{sys}/devices/*/name r,
-  @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
-  @{sys}/devices/**/hwmon/ r,
-  @{sys}/devices/**/hwmon/{name,temp*} r,
-  @{sys}/devices/**/hwmon/**/ r,
-  @{sys}/devices/**/hwmon/**/{name,temp*} r,
  @{sys}/devices/**/hwmon[0-9]*/ r,
  @{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/ r,
  @{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r,
+  @{sys}/devices/**/hwmon/ r,
+  @{sys}/devices/**/hwmon/{name,temp*} r,
+  @{sys}/devices/**/hwmon/**/ r,
+  @{sys}/devices/**/hwmon/**/{name,temp*} r,
+  @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
+  @{sys}/devices/*/name r,
+  @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
+  @{sys}/devices/system/cpu/cpu[0-9]*/online r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
+  @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
+  @{sys}/kernel/mm/hugepages/ r,
+  @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,

-  owner @{user_config_dirs}/htop/ rw,
-  owner @{user_config_dirs}/htop/htoprc rw,
-
-  # When started in TTY, to remove the following error:
-  #  htop[]: *** err
-  #  /dev/tty2: Permission denied
-  #  htop[]: *** err
-  #  htop[]: Oh, oh, it's an error! possibly I die!
  /dev/tty[0-9]* rw,

-  /etc/sensors.d/ r,
-  /etc/sensors3.conf r,
-
  include if exists <local/htop>
 }