feat(profiles): general update.
This commit is contained in:
parent
e02b12aa6d
commit
c148aa978c
30 changed files with 202 additions and 71 deletions
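--- /dev/null
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile acpi-powerbtn flags=(attach_disconnected) {
+include <abstractions/base>
+
+/etc/acpi/powerbtn-acpi-support.sh r,
+
+/{usr/,}{s,}bin/killall5 rix,
+/{usr/,}{s,}bin/shutdown rix,
+/{usr/,}bin/{ba,da,}sh rix,
+/{usr/,}bin/{e,}grep rix,
+/{usr/,}bin/dbus-send rix,
+/{usr/,}bin/pgrep rix,
+/{usr/,}bin/pinky rix,
+/{usr/,}bin/sed rix,
+/etc/acpi/powerbtn.sh rix,
+
+/{usr/,}bin/systemctl rPx -> child-systemctl,
+/{usr/,}bin/ps rPx,
+
+/{usr/,}bin/fgconsole rCx,
+
+/usr/share/acpi-support/** r,
+
+@{PROC} r,
+@{PROC}/uptime r,
+@{PROC}/@{pids}/cmdline r,
+
+deny / r,
+
+profile fgconsole {
+include <abstractions/base>
+
+capability sys_tty_config,
+
+/{usr/,}bin/fgconsole r,
+
+/dev/tty rw,
+owner /dev/tty[0-9]* rw,
+}
+
+include if exists <local/acpi-powerbtn>
+}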
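Review bot: The `fgconsole` subprofile is entered through an unnamed transition, `/{usr/,}bin/fgconsole rCx,`, while the child is declared as `profile fgconsole {` with no attachment path, so which subprofile confines the helper is left to name resolution rather than stated; `/{usr/,}bin/fgconsole rCx -> fgconsole,` would make the target explicit and match the `rPx -> child-systemctl` style used a few lines above. The body otherwise carries over the deleted `powerbtn-acpi-support` profile line for line, only the local include changing to `<local/acpi-powerbtn>`, so any site overrides kept in `local/powerbtn-acpi-support` presumably stop applying after this rename and a one-line comment above the include recording the old name would help operators migrate. The `@{PROC}/@{pids}/cmdline r` read across every PID is broad for a power-button handler and appears to exist only for `pgrep`/`killall5`; a why-comment such as `# pgrep/killall5 scan every process cmdline` would document that intent.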
@ -21,7 +21,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
|
|||
/{usr/,}bin/{ba,da,}sh rix,
|
||||
/{usr/,}bin/logger rix,
|
||||
|
||||
/etc/acpi/powerbtn-acpi-support.sh rPx -> powerbtn-acpi-support,
|
||||
/etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,
|
||||
|
||||
/etc/acpi/{,**} r,
|
||||
/etc/acpi/handler.sh rix,
|
||||
|
|
@ -37,45 +37,3 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
include if exists <local/acpid>
|
||||
}
|
||||
|
||||
profile powerbtn-acpi-support flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
/etc/acpi/powerbtn-acpi-support.sh r,
|
||||
|
||||
/{usr/,}{s,}bin/killall5 rix,
|
||||
/{usr/,}{s,}bin/shutdown rix,
|
||||
/{usr/,}bin/{ba,da,}sh rix,
|
||||
/{usr/,}bin/{e,}grep rix,
|
||||
/{usr/,}bin/dbus-send rix,
|
||||
/{usr/,}bin/pgrep rix,
|
||||
/{usr/,}bin/pinky rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/etc/acpi/powerbtn.sh rix,
|
||||
|
||||
/{usr/,}bin/systemctl rPx -> child-systemctl,
|
||||
/{usr/,}bin/ps rPx,
|
||||
|
||||
/{usr/,}bin/fgconsole rCx,
|
||||
|
||||
/usr/share/acpi-support/** r,
|
||||
|
||||
@{PROC} r,
|
||||
@{PROC}/uptime r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
|
||||
deny / r,
|
||||
|
||||
profile fgconsole {
|
||||
include <abstractions/base>
|
||||
|
||||
capability sys_tty_config,
|
||||
|
||||
/{usr/,}bin/fgconsole r,
|
||||
|
||||
/dev/tty rw,
|
||||
owner /dev/tty[0-9]* rw,
|
||||
}
|
||||
|
||||
include if exists <local/powerbtn-acpi-support>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,11 +28,12 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner /tmp/cri-containerd.apparmor.d[0-9]* r,
|
||||
|
||||
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
|
||||
@{sys}/devices/system/cpu/possible r,
|
||||
@{sys}/kernel/security/apparmor/{,**} r,
|
||||
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
|
||||
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
owner @{PROC}/@{pid}/mounts r,
|
||||
|
||||
deny /apparmor/.null rw,
|
||||
|
||||
|
|
|
|||
|
|
@ -7,9 +7,10 @@ abi <abi/3.0>,
|
|||
|
||||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}bin/fwupd /{usr/,}lib/fwupd/fwupd
|
||||
@{exec_path} = /{usr/,}bin/fwupd @{libexec}/fwupd/fwupd
|
||||
profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-strict>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/openssl>
|
||||
|
|
@ -25,6 +26,41 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
|
||||
network netlink raw,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member={GetConnectionUnixUser,RemoveMatch,RequestName}
|
||||
peer=(name=org.freedesktop.DBus),
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/ModemManager1
|
||||
interface=org.freedesktop.DBus.{Properties,ObjectManager}
|
||||
member={GetAll,GetManagedObjects},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UDisks2/Manager
|
||||
interface=org.freedesktop.{DBus.Properties,UDisks2.Manager}
|
||||
member={GetAll,GetBlockDevices},
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/UPower{,/devices/DisplayDevice}
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.fwupd,
|
||||
|
||||
dbus receive bus=system path=/
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll,
|
||||
|
||||
dbus bind bus=system
|
||||
name=org.freedesktop.fwupd,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/{usr/,}bin/gpg rCx -> gpg,
|
||||
|
|
@ -85,6 +121,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
|
||||
/dev/bus/usb/ r,
|
||||
/dev/bus/usb/[0-9]*/[0-9]* rw,
|
||||
/dev/cpu/[0-9]*/msr rw,
|
||||
/dev/drm_dp_aux[0-9]* rw,
|
||||
/dev/gpiochip[0-9]* r,
|
||||
/dev/hidraw[0-9]* rw,
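Review bot: In the `@ -25,6 +26,41 @@` hunk the new `dbus send` rules for ModemManager1, PolicyKit1, UDisks2 and UPower carry no `peer=` constraint, unlike the first rule in the same hunk which pins `peer=(name=org.freedesktop.DBus)`, so any connection serving those object paths would satisfy them; adding the owning name, e.g. `peer=(name=org.freedesktop.UDisks2)` on the two UDisks2 rules and the matching names on the others, keeps the rules consistent and limits sends to the intended service. The `member={GetConnectionUnixUser,RemoveMatch,RequestName}` list includes `RemoveMatch` without `AddMatch`, which looks asymmetric — presumably `AddMatch` is covered by `<abstractions/dbus-strict>`, but that is worth confirming before the profile is enforced. The profile header in the earlier hunk still reads `flags=(complain,attach_disconnected)`, so none of these new rules is enforced yet; a note such as `# TODO: drop complain once the dbus rules above are validated` above the header would record that state.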
|
||||
|
|
|
|||