From d72ed574ce041f887c6516c105bbaf531e4842b0 Mon Sep 17 00:00:00 2001
From: Besanon
Date: Mon, 3 Jun 2024 09:49:31 +0200
Subject: [PATCH] Update runsvdir
---
 apparmor.d/groups/runit/runsvdir | 62 ++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/apparmor.d/groups/runit/runsvdir b/apparmor.d/groups/runit/runsvdir
index 8b1378917..7899a9838 100644
--- a/apparmor.d/groups/runit/runsvdir
+++ b/apparmor.d/groups/runit/runsvdir
@@ -1 +1,63 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2024 Besanon
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_pathrunsvdir} = @{bin}/runsvdir
+profile runsvdir @{exec_pathrunsvdir} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+ capability kill,
+
+ signal (send) set=(term, cont, kill),
+ signal (send) set=(term) peer=/etc/runit/2,
+ signal (receive) peer=runit,
+ signal (receive) peer=runsv,
+ signal (receive) peer=sddm,
+
+ ptrace (read) peer=elogind,
+
+ @{exec_pathrunsvdir} mr,
+
+ @{bin}/dbus-send rix,
+ @{bin}/runsv rPx,
+ @{bin}/bash rix,
+ @{bin}/utmpset rix,
+ @{bin}/mountpoint rix,
+ /etc/sv/**/run rix,
+ /etc/sv/**/**/run rix,
+ /etc/sv/**/finish rix,
+ /etc/sv/**/run rix,
+ /etc/sv/dbus/check rix,
+
+ owner / r,
+
+ /etc/elogind/logind.conf rw,
+ /etc/machine-id r,
+ /etc/sv/ r,
+ /etc/sv/** rw,
+ /etc/runit/ r,
+ /etc/runit/** rw,
+
+ owner /dev/tty@{int} rw,
+ owner /dev/console rwk,
+ owner /dev/input/event@{int} rw,
+
+ owner /var/log/audit/** rw,
+ /var/lib/dbus/machine-id r,
+
+ owner /tmp/#@{int}* rw,
+ owner /tmp/*/{,s} rw,
+
+}
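Review bot: `/etc/sv/** rw,` and `/etc/runit/** rw,` grant write access to every service definition and runit stage script, while `/etc/sv/**/run rix`, `/etc/sv/**/finish rix` and `@{bin}/bash rix` execute those scripts inside this same profile, so anything compromised under runsvdir could rewrite the scripts that runsvdir and runsv later run. runsvdir itself presumably only scans the service directory and spawns `@{bin}/runsv rPx`, so read access should be enough here: `/etc/sv/** r,` and `/etc/runit/** r,`; if the writes came from denials logged by inherited service scripts, the safer fix is to transition those scripts (`rPx`/`rPUx`) rather than widen this profile. The first signal rule `signal (send) set=(term, cont, kill),` carries no `peer=`, so the profile may signal any process on the system; since runsv is the only child spawned in this profile it can likely be narrowed to `signal (send) set=(term, cont, kill) peer=runsv,`. `/etc/elogind/logind.conf rw,` likewise looks like a write inherited from a service script rather than something runsvdir needs, and belongs in that service's profile or should be reduced to `r`. Finally, `/etc/sv/**/run rix,` appears twice and `/etc/sv/**/**/run rix,` is already covered by it, so the duplicates can be dropped.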