fear(profile): remove profile for spectre-meltdown-checker.
This commit is contained in:
Alexandre Pujol
parent
31cbe5e2e9
commit
bd487d1b66
1 changed files with 0 additions and 186 deletions
|
|
@ -1,186 +0,0 @@
|
||||||
# apparmor.d - Full set of apparmor profiles
|
|
||||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
|
||||||
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
||||||
# SPDX-License-Identifier: GPL-2.0-only
|
|
||||||
|
|
||||||
abi <abi/4.0>,
|
|
||||||
|
|
||||||
include <tunables/global>
|
|
||||||
|
|
||||||
@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh}
|
|
||||||
profile spectre-meltdown-checker @{exec_path} {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
|
|
||||||
# Needed to read the /dev/cpu/@{int}/msr device
|
|
||||||
capability sys_rawio,
|
|
||||||
|
|
||||||
# Needed to read system logs
|
|
||||||
capability syslog,
|
|
||||||
|
|
||||||
# Used by readlink
|
|
||||||
capability sys_ptrace,
|
|
||||||
ptrace (read),
|
|
||||||
|
|
||||||
@{exec_path} r,
|
|
||||||
|
|
||||||
@{bin}/ r,
|
|
||||||
@{bin}/{,@{multiarch}-}objdump rix,
|
|
||||||
@{bin}/{,@{multiarch}-}readelf rix,
|
|
||||||
@{bin}/{,@{multiarch}-}strings rix,
|
|
||||||
@{sh_path} rix,
|
|
||||||
@{bin}/{,e}grep rix,
|
|
||||||
@{bin}/{,g,m}awk rix,
|
|
||||||
@{bin}/base64 rix,
|
|
||||||
@{bin}/basename rix,
|
|
||||||
@{bin}/bunzip2 rix,
|
|
||||||
@{bin}/cat rix,
|
|
||||||
@{bin}/ccache rCx -> ccache,
|
|
||||||
@{bin}/cut rix,
|
|
||||||
@{bin}/date rix,
|
|
||||||
@{bin}/dd rix,
|
|
||||||
@{bin}/dirname rix,
|
|
||||||
@{bin}/dmesg rix,
|
|
||||||
@{bin}/find rix,
|
|
||||||
@{bin}/gunzip rix,
|
|
||||||
@{bin}/gzip rix,
|
|
||||||
@{bin}/head rix,
|
|
||||||
@{bin}/id rix,
|
|
||||||
@{sbin}/iucode_tool rix,
|
|
||||||
@{bin}/kmod rCx -> kmod,
|
|
||||||
@{bin}/lzop rix,
|
|
||||||
@{bin}/mktemp rix,
|
|
||||||
@{bin}/mount rix,
|
|
||||||
@{bin}/nproc rix,
|
|
||||||
@{bin}/od rix,
|
|
||||||
@{bin}/perl rix,
|
|
||||||
@{bin}/pgrep rCx -> pgrep,
|
|
||||||
@{sbin}/rdmsr rix,
|
|
||||||
@{bin}/readlink rix,
|
|
||||||
@{bin}/rm rix,
|
|
||||||
@{bin}/sed rix,
|
|
||||||
@{bin}/seq rix,
|
|
||||||
@{bin}/sort rix,
|
|
||||||
@{bin}/stat rix,
|
|
||||||
@{bin}/tail rix,
|
|
||||||
@{bin}/tr rix,
|
|
||||||
@{bin}/uname rix,
|
|
||||||
@{bin}/unzip rix,
|
|
||||||
@{bin}/xargs rix,
|
|
||||||
@{bin}/xz rix,
|
|
||||||
@{bin}/zstd rix,
|
|
||||||
|
|
||||||
# To fetch MCE.db from the MCExtractor project
|
|
||||||
@{bin}/wget rCx -> mcedb,
|
|
||||||
@{bin}/sqlite3 rCx -> mcedb,
|
|
||||||
owner @{tmp}/mcedb-* rw,
|
|
||||||
owner @{tmp}/smc-* rw,
|
|
||||||
owner @{tmp}/{,smc-}intelfw-*/ rw,
|
|
||||||
owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,
|
|
||||||
owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
|
|
||||||
owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
|
|
||||||
|
|
||||||
owner @{HOME}/.mcedb rw,
|
|
||||||
|
|
||||||
/tmp/ r,
|
|
||||||
owner @{tmp}/{config,kernel}-* rw,
|
|
||||||
|
|
||||||
owner /dev/cpu/@{int}/cpuid r,
|
|
||||||
owner /dev/cpu/@{int}/msr rw,
|
|
||||||
owner /dev/kmsg r,
|
|
||||||
|
|
||||||
@{efi}/ r,
|
|
||||||
@{efi}/config r,
|
|
||||||
@{efi}/System.map-* r,
|
|
||||||
@{efi}/vmlinuz-* r,
|
|
||||||
|
|
||||||
@{sys}/devices/system/cpu/vulnerabilities/* r,
|
|
||||||
@{sys}/module/kvm_intel/parameters/ept r,
|
|
||||||
|
|
||||||
@{PROC}/ r,
|
|
||||||
@{PROC}/config.gz r,
|
|
||||||
@{PROC}/cmdline r,
|
|
||||||
@{PROC}/kallsyms r,
|
|
||||||
@{PROC}/modules r,
|
|
||||||
|
|
||||||
# find and denoise
|
|
||||||
@{PROC}/@{pids}/{status,exe} r,
|
|
||||||
@{PROC}/@{pids}/fd/ r,
|
|
||||||
@{PROC}/*/ r,
|
|
||||||
|
|
||||||
/var/lib/dbus/machine-id r,
|
|
||||||
/etc/machine-id r,
|
|
||||||
|
|
||||||
# For shell pwd
|
|
||||||
/root/ r,
|
|
||||||
/etc/ r,
|
|
||||||
|
|
||||||
profile ccache {
|
|
||||||
include <abstractions/base>
|
|
||||||
|
|
||||||
@{bin}/ccache mr,
|
|
||||||
|
|
||||||
@{lib}/llvm-[0-9]*/bin/clang rix,
|
|
||||||
@{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
|
|
||||||
@{bin}/{,@{multiarch}-}g++-[0-9]* rix,
|
|
||||||
|
|
||||||
/media/ccache/*/** rw,
|
|
||||||
|
|
||||||
/etc/debian_version r,
|
|
||||||
|
|
||||||
include if exists <local/spectre-meltdown-checker_ccache>
|
|
||||||
}
|
|
||||||
|
|
||||||
profile pgrep {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/app/pgrep>
|
|
||||||
|
|
||||||
include if exists <local/spectre-meltdown-checker_pgrep>
|
|
||||||
}
|
|
||||||
|
|
||||||
profile mcedb {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/consoles>
|
|
||||||
include <abstractions/nameservice-strict>
|
|
||||||
include <abstractions/ssl_certs>
|
|
||||||
|
|
||||||
deny capability net_admin,
|
|
||||||
|
|
||||||
network inet dgram,
|
|
||||||
network inet6 dgram,
|
|
||||||
network inet stream,
|
|
||||||
network inet6 stream,
|
|
||||||
network netlink raw,
|
|
||||||
|
|
||||||
@{bin}/wget mr,
|
|
||||||
@{bin}/sqlite3 mr,
|
|
||||||
|
|
||||||
/etc/wgetrc r,
|
|
||||||
owner @{HOME}/.wget-hsts rwk,
|
|
||||||
owner @{HOME}/.mcedb rw,
|
|
||||||
|
|
||||||
/tmp/ r,
|
|
||||||
owner @{tmp}/{,smc-}mcedb-* rwk,
|
|
||||||
owner @{tmp}/{,smc-}intelfw-*/fw.zip rw,
|
|
||||||
|
|
||||||
/usr/share/publicsuffix/public_suffix_list.* r,
|
|
||||||
|
|
||||||
include if exists <local/spectre-meltdown-checker_mcedb>
|
|
||||||
}
|
|
||||||
|
|
||||||
profile kmod {
|
|
||||||
include <abstractions/base>
|
|
||||||
include <abstractions/app/kmod>
|
|
||||||
|
|
||||||
capability sys_module,
|
|
||||||
|
|
||||||
owner @{sys}/module/cpuid/** r,
|
|
||||||
owner @{sys}/module/msr/** r,
|
|
||||||
|
|
||||||
include if exists <local/spectre-meltdown-checker_kmod>
|
|
||||||
}
|
|
||||||
|
|
||||||
include if exists <local/spectre-meltdown-checker>
|
|
||||||
}
|
|
||||||
|
|
||||||
# vim:syntax=apparmor
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue