felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(profile): apply some fix raised by the test suite.

Browse source
This commit is contained in:
Alexandre Pujol 2024-10-22 00:37:50 +01:00
parent 1f869c12ad
commit cca8e6508f
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
24 changed files with 65 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/systemd/systemd-generator-cloud-init
View file

@ -15,6 +15,7 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr,
@{sh_path} rix,
@{bin}/ln rix,
@{bin}/mkdir rix,
@{bin}/systemd-detect-virt rPx,
@{lib}/cloud-init/ds-identify rPUx,
@ -22,6 +23,9 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
@{run}/cloud-init/ w,
@{run}/cloud-init/cloud-init-generator.* rw,
@{run}/cloud-init/disabled w,
@{run}/cloud-init/enabled w,
@{run}/systemd/generator.early/multi-user.target.wants/ w,
@{run}/systemd/generator.early/multi-user.target.wants/cloud-init.target w,
@{PROC}/cmdline r,

2
apparmor.d/groups/systemd/systemd-generator-fstab
View file

@ -19,7 +19,7 @@ profile systemd-generator-fstab @{exec_path} {
/etc/fstab r,
@{run}/systemd/generator/** w,
@{run}/systemd/generator/** rw,
@{PROC}/@{pid}/cgroup r,

1
apparmor.d/groups/systemd/systemd-hostnamed
View file

@ -31,6 +31,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
@{etc_rw}/.#hostname* rw,
@{etc_rw}/hostname rw,
/etc/.#machine-info@{hex16} rw,
/etc/.#machine-info@{rand6} rw,
/etc/machine-id r,
/etc/machine-info rw,

1
apparmor.d/groups/systemd/systemd-notify
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-notify
profile systemd-notify @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
capability sys_admin,
capability net_admin,

7
apparmor.d/groups/systemd/userdbctl
View file

@ -9,11 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/userdbctl
profile userdbctl @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability dac_read_search,
capability sys_resource,
signal send set=cont peer=child-pager,
@{exec_path} mr,
@{pager_path} rPx -> child-pager,
@ -21,7 +24,9 @@ profile userdbctl @{exec_path} {
/etc/shadow r,
/etc/gshadow r,
@{PROC}/1/cgroup r,
@{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/uid_map r,
include if exists <local/userdbctl>
}