feat(profiles): general update.
This commit is contained in:
parent
6aadd82293
commit
da1b3e1f1c
26 changed files with 114 additions and 126 deletions
|
|
@ -23,6 +23,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
owner /var/cache/apparmor/{,**} rw,
|
||||
owner /var/lib/docker/tmp/docker-default[0-9]* r,
|
||||
owner /var/lib/snapd/apparmor/{,**} r,
|
||||
|
||||
owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
|
||||
@{sys}/kernel/security/apparmor/{,**} r,
|
||||
|
|
|
|||
|
|
@ -16,8 +16,9 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
# For file validation using the network
|
||||
/{usr/,}bin/curl rCx -> curl,
|
||||
/{usr/,}bin/gzip rix,
|
||||
/{usr/,}bin/tar rix,
|
||||
|
||||
/usr/share/appdata/ r,
|
||||
/usr/share/applications/{,*.desktop} r,
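Review bot: `/{usr/,}bin/gzip rix,` and `/{usr/,}bin/tar rix,` inherit the appstreamcli profile, so archives appstreamcli unpacks — including metadata it has just fetched with curl, going by the comment `# For file validation using the network` — are processed with every write permission this profile holds, unlike the `rCx -> curl` transition on the line above, which confines the network-facing helper in a child profile. If tar only ever extracts into the swcatalog/app-info trees that is tolerable, but a `tar` child profile restricted to those paths would contain a hostile archive; at minimum record the trade-off next to the rules, e.g. `# tar/gzip inherit this profile: they may write anywhere appstreamcli may`. The child profile `curl` that `rCx -> curl` targets is not in this hunk, so confirm it is defined inside this profile, otherwise the exec will be refused. Note the header still carries `flags=(complain)`, so none of these rules is enforced yet.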
|
||||
|
|
@ -33,15 +34,16 @@ profile appstreamcli @{exec_path} flags=(complain) {
|
|||
owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
|
||||
owner @{user_share_dirs}/mime/mime.cache r,
|
||||
|
||||
/var/lib/app-info/ w,
|
||||
/var/lib/app-info/yaml/ r,
|
||||
/var/lib/app-info/yaml/*_Components-*.yml.gz w,
|
||||
/var/lib/app-info/ w,
|
||||
/var/lib/apt/lists/ r,
|
||||
/var/lib/apt/lists/*_Components-*.gz r,
|
||||
/var/lib/flatpak/appstream/{,**} r,
|
||||
/var/lib/swcatalog/ rw,
|
||||
/var/lib/swcatalog/icons/{,**} rw,
|
||||
/var/lib/swcatalog/yaml/ rw,
|
||||
/var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
|
||||
/var/lib/flatpak/appstream/{,**} r,
|
||||
|
||||
/var/cache/swcatalog/cache/{,**} rw,
|
||||
owner /var/cache/app-info/{,**} rw,
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = /{usr/,}{s,}bin/auditd
|
||||
profile auditd @{exec_path} {
|
||||
profile auditd @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/nameservice-strict>
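Review bot: `flags=(attach_disconnected)` is added to the `profile auditd` header without a comment recording which denial it resolves. With this flag a path the kernel cannot resolve from the process's namespace root (an unlinked-but-open file, or an object from another mount namespace) is matched as if it were rooted at `/`, so every path rule in the profile can now also match such disconnected objects — it widens the profile rather than merely silencing a log line. I would document the reason beside the header, e.g. `# attach_disconnected: <operation logged with "disconnected path">`, so a later audit can tell whether it is still needed. The profile body continues past the end of this hunk.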
|
||||
|
||||
|
|
@ -29,7 +29,8 @@ profile auditd @{exec_path} {
|
|||
|
||||
owner @{run}/auditd.pid rwl,
|
||||
owner @{run}/auditd.state rw,
|
||||
@{run}/systemd/userdb/ r,
|
||||
@{run}/systemd/journal/dev-log w,
|
||||
@{run}/systemd/userdb/ r,
|
||||
|
||||
owner @{PROC}/@{pid}/attr/current r,
|
||||
owner @{PROC}/@{pid}/loginuid r,
|
||||
|
|
|
|||
|
|
@ -19,8 +19,11 @@ profile etckeeper @{exec_path} {
|
|||
|
||||
/{usr/,}bin/{,ba,da}sh rix,
|
||||
/{usr/,}bin/{,e}grep rix,
|
||||
/{usr/,}bin/cat rix,
|
||||
/{usr/,}bin/chmod rix,
|
||||
/{usr/,}bin/cut rix,
|
||||
/{usr/,}bin/diff rix,
|
||||
/{usr/,}bin/dpkg rPx -> child-dpkg,
|
||||
/{usr/,}bin/dpkg-query rpx,
|
||||
/{usr/,}bin/find rix,
|
||||
/{usr/,}bin/getent rix,
|
||||
|
|
@ -34,9 +37,11 @@ profile etckeeper @{exec_path} {
|
|||
/{usr/,}bin/rm rix,
|
||||
/{usr/,}bin/sed rix,
|
||||
/{usr/,}bin/sort rix,
|
||||
/{usr/,}bin/tail rix,
|
||||
/{usr/,}bin/tty rix,
|
||||
/{usr/,}bin/uniq rix,
|
||||
/{usr/,}bin/whoami rix,
|
||||
/{usr/,}bin/xargs rix,
|
||||
/{usr/,}lib/git-core/git* rix,
|
||||
|
||||
/etc/.git/hooks/* rix,
|
||||
|
|
@ -54,7 +59,7 @@ profile etckeeper @{exec_path} {
|
|||
|
||||
@{run}/resolvconf/resolv.conf r,
|
||||
|
||||
owner /tmp/etckeeper-git* rw,
|
||||
/tmp/etckeeper-git* rw,
|
||||
|
||||
profile gpg {
|
||||
include <abstractions/base>
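Review bot: The rule for etckeeper's temporary files appears twice in this hunk, once as `owner /tmp/etckeeper-git* rw,` and once as `/tmp/etckeeper-git* rw,`, and the page does not mark which of the two is the new side. If the `owner` qualifier is the one being removed, etckeeper (normally run as root) gains read/write on any `/tmp/etckeeper-git*` that another local user can pre-create — the shared-/tmp pattern the qualifier exists to block — so keep `owner /tmp/etckeeper-git* rw,` and, if a non-owner file genuinely has to be accessed, add a comment explaining the case. If `owner` is the one being added the change is a tightening and only a short note on the motivating denial is missing. The nested `profile gpg {` opened at the end of the hunk continues outside it.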
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
# apparmor.d - Full set of apparmor profiles
|
||||
# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
# Copyright (C) 2020-2022 Mikhail Morfikov
|
||||
# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
abi <abi/3.0>,
|
||||
|
|
@ -13,6 +14,7 @@ profile fsck @{exec_path} {
|
|||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
capability sys_rawio,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
@ -21,19 +23,20 @@ profile fsck @{exec_path} {
|
|||
|
||||
/etc/fstab r,
|
||||
|
||||
@{PROC}/partitions r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
owner @{run}/fsck/ rw,
|
||||
owner @{run}/fsck/*.lock rwk,
|
||||
|
||||
# When a mount dir is passed to fsck as an argument.
|
||||
@{MOUNTS}/*/ r,
|
||||
/boot/ r,
|
||||
/home/ r,
|
||||
|
||||
owner @{run}/fsck/ rw,
|
||||
owner @{run}/fsck/*.lock rwk,
|
||||
owner @{run}/blkid/blkid.tab{,-*} rw,
|
||||
owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
|
||||
owner @{run}/systemd/fsck.progress w,
|
||||
@{run}/mount/utab r,
|
||||
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/partitions r,
|
||||
|
||||
include if exists <local/fsck>
|
||||
}
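Review bot: `owner @{PROC}/@{pid}/mountinfo r,` and `@{PROC}/@{pids}/mountinfo r,` both appear in this hunk and the page does not mark which side is new; if the `@{pids}` form replaces the owner-qualified one, fsck may now read the mount table of every process on the system rather than only its own. Mapping a mount-point argument to a device only needs the process's own view, so `owner @{PROC}/@{pid}/mountinfo r,` should be sufficient unless a denial showed a helper reading another pid's file; in that case a comment naming that helper would justify the wider rule. The duplicated `owner @{run}/fsck/ rw,` / `owner @{run}/fsck/*.lock rwk,` pair looks like a move rather than a change and needs no action.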
|
||||
|
|
|
|||
|
|
@ -20,5 +20,7 @@ profile fsck-fat @{exec_path} {
|
|||
owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
|
||||
|
||||
owner @{run}/systemd/fsck.progress rw,
|
||||
|
||||
include if exists <local/fsck-fat>
|
||||
}
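Review bot: `owner @{run}/systemd/fsck.progress rw,` grants read as well as write, whereas the fsck profile updated in the same commit uses `owner @{run}/systemd/fsck.progress w,` for the same path. The checker presumably only writes progress into this endpoint (systemd-fsck is the reader), so unless fsck.fat was actually observed reading it, `w` is both the tighter permission and consistent with the sibling profile: `owner @{run}/systemd/fsck.progress w,`.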
|
||||
|
|
|
|||
|
|
@ -86,6 +86,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
|
|||
/dev/bus/usb/ r,
|
||||
/dev/bus/usb/[0-9]*/[0-9]* rw,
|
||||
/dev/drm_dp_aux[0-9]* rw,
|
||||
/dev/hidraw[0-9]* rw,
|
||||
/dev/mei[0-9]* rw,
|
||||
/dev/mem r,
|
||||
/dev/sd[a-z]* r,
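Review bot: `/dev/mem r,` grants fwupd read access to physical memory, which exposes whatever the kernel's `/dev/mem` restrictions do not mask; it is by far the broadest rule in this hunk and carries no comment saying which plugin needs it. I would annotate it and keep the claim hedged until the motivating denial is checked, e.g. `# /dev/mem: presumably firmware-table (SMBIOS/ACPI) reads by <plugin> — confirm`, and consider whether the plugin can use the sysfs copies of those tables instead of raw memory. The header shows the profile is still in `complain` mode, and its body continues outside the hunk.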
|
||||
|
|
|
|||