Update spectre-meltdown-checker

nobodysu 2022-06-22 19:14:43 +00:00 committed by GitHub
parent 4d9a5d6c4d
commit bfe41958d2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -64,6 +64,7 @@ profile spectre-meltdown-checker @{exec_path} {
/{usr/,}bin/xargs rix, /{usr/,}bin/xargs rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/nproc rix, /{usr/,}bin/nproc rix,
/{usr/,}bin/date rix,
/{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/ccache rCx -> ccache, /{usr/,}bin/ccache rCx -> ccache,
@ -74,13 +75,12 @@ profile spectre-meltdown-checker @{exec_path} {
/{usr/,}bin/sqlite3 rCx -> mcedb, /{usr/,}bin/sqlite3 rCx -> mcedb,
owner /tmp/mcedb-* rw, owner /tmp/mcedb-* rw,
owner /tmp/smc-* rw, owner /tmp/smc-* rw,
owner /tmp/intelfw-*/ rw, owner /tmp/{,smc-}intelfw-*/ rw,
owner /tmp/intelfw-*/fw.zip rw, owner /tmp/{,smc-}intelfw-*/fw.zip rw,
owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw, owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw, owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
owner @{HOME}/.mcedb rw, owner @{HOME}/.mcedb rw,
owner @{exec_path} w,
/tmp/ r, /tmp/ r,
owner /tmp/{config,kernel}-* rw, owner /tmp/{config,kernel}-* rw,
@ -113,7 +113,6 @@ profile spectre-meltdown-checker @{exec_path} {
/root/ r, /root/ r,
/etc/ r, /etc/ r,
profile ccache { profile ccache {
include <abstractions/base> include <abstractions/base>
@ -152,15 +151,24 @@ profile spectre-meltdown-checker @{exec_path} {
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
deny capability net_admin,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
/{usr/,}bin/wget mr, /{usr/,}bin/wget mr,
/{usr/,}bin/sqlite3 mr, /{usr/,}bin/sqlite3 mr,
/etc/wgetrc r, /etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk, owner @{HOME}/.wget-hsts rwk,
owner @{HOME}/.mcedb rw,
/tmp/ r, /tmp/ r,
owner /tmp/mcedb-* rwk, owner /tmp/{,smc-}mcedb-* rwk,
owner /tmp/intelfw-*/fw.zip rw, owner /tmp/{,smc-}intelfw-*/fw.zip rw,
/usr/share/publicsuffix/public_suffix_list.* r, /usr/share/publicsuffix/public_suffix_list.* r,
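Review bot: The five `network` rules and `deny capability net_admin,` added in the last hunk have no comment saying which operation needs them, and the same child profile also gains `owner @{HOME}/.mcedb rw,`, so a network-facing confinement now writes a file under the user's home. The sub-profile's header is outside the hunk; judging by the `wget` and `sqlite3` entries it appears to be the `mcedb` transition target. I would add a comment above the block, for example `# wget download of the MCE database / Intel firmware archive: DNS (dgram) and HTTP(S) (stream)`, plus a second one on the deny line such as `# requested by wget but not needed; denied to silence the audit log`, if that is indeed the reason. `network netlink raw` is presumably there for resolver interface lookups; it is worth confirming the download fails without it before keeping it, since AppArmor network rules at this level cannot be narrowed to a destination.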