felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): update some core profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2025-09-11 23:26:31 +02:00
parent 4317538747
commit c7b99bb84e
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
10 changed files with 37 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/profiles-g-l/kdump-config
View file

@ -72,6 +72,8 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
capability sys_ptrace, capability sys_ptrace,
ptrace read peer=@{p_systemd},
include if exists <local/kdump-config_systemctl> include if exists <local/kdump-config_systemctl>
} }

2
apparmor.d/profiles-g-l/kdump-tools-init
View file

@ -29,6 +29,8 @@ profile kdump-tools-init @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
ptrace read peer=@{p_systemd},
include if exists <local/kdump-tools-init_systemctl> include if exists <local/kdump-tools-init_systemctl>
} }

2
apparmor.d/profiles-g-l/kdump_mem_estimator
View file

@ -27,6 +27,8 @@ profile kdump_mem_estimator @{exec_path} {
capability net_admin, capability net_admin,
ptrace read peer=@{p_systemd},
include if exists <local/kdump_mem_estimator_systemctl> include if exists <local/kdump_mem_estimator_systemctl>
} }

8
apparmor.d/profiles-g-l/kernel-postinst-kdump
View file

@ -31,8 +31,7 @@ profile kernel-postinst-kdump @{exec_path} {
/ r, / r,
/etc/initramfs-tools/conf.d/{,**} r, /etc/initramfs-tools/{,**} r,
/etc/initramfs-tools/initramfs.conf r,
owner /var/lib/kdump/** rw, owner /var/lib/kdump/** rw,
@ -49,6 +48,11 @@ profile kernel-postinst-kdump @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>
@{sys}/module/*/ r,
@{sys}/module/*/coresize r,
@{sys}/module/*/holders/ r,
@{sys}/module/*/refcnt r,
include if exists <local/kernel-postinst-kdump_kmod> include if exists <local/kernel-postinst-kdump_kmod>
} }

2
apparmor.d/profiles-g-l/logrotate
View file

@ -80,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
capability net_admin, capability net_admin,
capability sys_ptrace, capability sys_ptrace,
ptrace read peer=@{p_systemd},
dbus send bus=system path=/org/freedesktop/systemd1 dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager interface=org.freedesktop.systemd1.Manager
member=KillUnit member=KillUnit

6
apparmor.d/profiles-m-r/initramfs-hooks
View file

@ -10,6 +10,7 @@ include <tunables/global>
profile initramfs-hooks @{exec_path} { profile initramfs-hooks @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/fonts>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -37,9 +38,9 @@ profile initramfs-hooks @{exec_path} {
@{lib}/ r, @{lib}/ r,
@{lib}/** mr, @{lib}/** mr,
/usr/share/*/initramfs/{,**} r,
/usr/share/initramfs-tools/{,**} r, /usr/share/initramfs-tools/{,**} r,
/usr/share/plymouth/{,**} r, /usr/share/plymouth/{,**} r,
/usr/share/cryptsetup/initramfs/{,**} r,
/etc/console-setup/{,**} r, /etc/console-setup/{,**} r,
/etc/cryptsetup-initramfs/{,**} r, /etc/cryptsetup-initramfs/{,**} r,
@ -81,8 +82,9 @@ profile initramfs-hooks @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{bin}/ldd mr,
@{bin}/* mr, @{bin}/* mr,
@{sbin}/* mr,
@{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/@{multiarch}/ld-linux-*so* mrix,
@{lib}/ld-linux.so* mr, @{lib}/ld-linux.so* mr,

1
apparmor.d/profiles-m-r/mdadm
View file

@ -12,6 +12,7 @@ profile mdadm @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-write> include <abstractions/disks-write>
capability dac_read_search,
capability sys_admin, capability sys_admin,
mqueue (read getattr) type=posix /, mqueue (read getattr) type=posix /,

46
apparmor.d/profiles-m-r/mkinitramfs
View file

@ -33,6 +33,7 @@ profile mkinitramfs @{exec_path} {
@{bin}/cpio rix, @{bin}/cpio rix,
@{bin}/dirname rix, @{bin}/dirname rix,
@{bin}/env rix, @{bin}/env rix,
@{bin}/find rix,
@{bin}/getopt rix, @{bin}/getopt rix,
@{bin}/gzip rix, @{bin}/gzip rix,
@{bin}/id rix, @{bin}/id rix,
@ -56,10 +57,9 @@ profile mkinitramfs @{exec_path} {
@{bin}/xargs rix, @{bin}/xargs rix,
@{bin}/xz rix, @{bin}/xz rix,
@{bin}/zstd rix, @{bin}/zstd rix,
@{sbin}/blkid rPx,
@{lib}/dracut/dracut-install rix, @{lib}/dracut/dracut-install rix,
@{sbin}/blkid rPx,
@{bin}/find rCx -> find,
@{bin}/kmod rCx -> kmod, @{bin}/kmod rCx -> kmod,
@{sbin}/ldconfig rCx -> ldconfig, @{sbin}/ldconfig rCx -> ldconfig,
@{bin}/ldd rCx -> ldd, @{bin}/ldd rCx -> ldd,
@ -113,11 +113,16 @@ profile mkinitramfs @{exec_path} {
@{sys}/bus/ r, @{sys}/bus/ r,
@{sys}/bus/*/drivers/ r, @{sys}/bus/*/drivers/ r,
@{sys}/devices/platform/ r, @{sys}/devices/ r,
@{sys}/devices/platform/**/ r, @{sys}/devices/**/ r,
@{sys}/devices/platform/**/modalias r, @{sys}/devices/**/modalias r,
@{sys}/devices/**/uevent r,
@{sys}/module/compression r, @{sys}/module/compression r,
@{sys}/module/firmware_class/parameters/path r, @{sys}/module/firmware_class/parameters/path r,
@{sys}/class/ r,
@{sys}/class/*/ r,
@{sys}/bus/platform/drivers/simple-framebuffer/ r,
@{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/mounts r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@ -129,17 +134,14 @@ profile mkinitramfs @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
@{bin}/ldd mr,
@{lib}/@{multiarch}/ld-linux-*so* mr,
@{lib}/ld-linux.so* mr,
@{sh_path} rix, @{sh_path} rix,
@{bin}/kmod mr,
@{lib}/initramfs-tools/bin/* mr,
@{lib}/@{multiarch}/ld-*.so* rix, @{lib}/@{multiarch}/ld-*.so* rix,
@{lib}/ld-*.so{,.2} rix, @{lib}/ld-*.so{,.2} rix,
@{bin}/* mr,
@{sbin}/* mr,
@{lib}/** mr,
include if exists <local/mkinitramfs_ldd> include if exists <local/mkinitramfs_ldd>
} }
@ -160,26 +162,6 @@ profile mkinitramfs @{exec_path} {
include if exists <local/mkinitramfs_ldconfig> include if exists <local/mkinitramfs_ldconfig>
} }
profile find {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/find mr,
# pwd dir
/ r,
/etc/ r,
/root/ r,
/usr/share/initramfs-tools/scripts/{,**/} r,
/etc/initramfs-tools/scripts/{,**/} r,
owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r,
owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,
include if exists <local/mkinitramfs_find>
}
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod> include <abstractions/app/kmod>

2
apparmor.d/profiles-m-r/needrestart
View file

@ -59,7 +59,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r, @{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/maps r,
@{PROC}/@{pid}/stat r, @{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/status r,
owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fd/ r,
/dev/ r, /dev/ r,

1
apparmor.d/profiles-m-r/rsyslogd
View file

@ -45,6 +45,7 @@ profile rsyslogd @{exec_path} {
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/kmsg r, @{PROC}/kmsg r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
include if exists <local/rsyslogd> include if exists <local/rsyslogd>
} }