feat(profile): update systemd profiles.
This commit is contained in:
Alexandre Pujol
parent
98063fa771
commit
e549863d4a
15 changed files with 45 additions and 13 deletions
|
|
@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected)
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/status r,
|
||||
|
||||
include if exists <local/systemd-generator-system-update>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ abi <abi/4.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/localectl
|
||||
profile localectl @{exec_path} {
|
||||
profile localectl @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/systemd>
|
||||
include <abstractions/bus-system>
|
||||
|
|
|
|||
|
|
@ -45,6 +45,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
deny capability net_admin,
|
||||
deny capability perfmon,
|
||||
deny network (send receive) netlink raw,
|
||||
|
||||
include if exists <local/systemd-detect-virt>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
signal send set=cont peer=child-pager,
|
||||
|
||||
ptrace read peer=unconfined,
|
||||
ptrace read peer=@{p_systemd},
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -44,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/devices/virtual/dmi/id/board_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/chassis_type r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/product_serial r,
|
||||
@{sys}/devices/virtual/dmi/id/product_uuid r,
|
||||
@{sys}/devices/virtual/dmi/id/product_version r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/dmi/id/uevent r,
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted
|
|||
|
||||
network netlink raw,
|
||||
|
||||
ptrace (read),
|
||||
ptrace read,
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
|
|
@ -24,18 +24,30 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/cat ix,
|
||||
@{bin}/gzip ix,
|
||||
@{bin}/localedef ix,
|
||||
@{bin}/rm ix,
|
||||
@{bin}/sort ix,
|
||||
@{sbin}/locale-gen rPx,
|
||||
|
||||
/usr/share/i18n/{,**} r,
|
||||
/usr/share/kbd/keymaps/{,**} r,
|
||||
/usr/share/xkeyboard-config-2/{,**} r,
|
||||
/usr/share/systemd/*-map r,
|
||||
/usr/share/X11/xkb/{,**} r,
|
||||
/usr/share/xkeyboard-config-2/{,**} r,
|
||||
|
||||
/etc/ r,
|
||||
/etc/.#locale.conf@{hex16} rw,
|
||||
/etc/.#locale.gen@{hex16} rw,
|
||||
/etc/.#vconsole.conf* rw,
|
||||
/etc/default/.#locale* rw,
|
||||
/etc/default/keyboard r,
|
||||
/etc/default/locale rw,
|
||||
/etc/locale.conf rw,
|
||||
/etc/locale.gen rw,
|
||||
/etc/nsswitch.conf r,
|
||||
/etc/passwd r,
|
||||
/etc/vconsole.conf rw,
|
||||
/etc/X11/xorg.conf.d/ rw,
|
||||
/etc/X11/xorg.conf.d/.#*.conf@{hex} rw,
|
||||
|
|
|
|||
|
|
@ -124,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
|
|||
@{sys}/module/vt/parameters/default_utf8 r,
|
||||
@{sys}/power/{state,resume_offset,resume,disk} r,
|
||||
|
||||
@{PROC}/@{pid}/cgroup r,
|
||||
@{PROC}/@{pid}/comm r,
|
||||
@{PROC}/@{pid}/fd/ r,
|
||||
@{PROC}/@{pid}/mountinfo r,
|
||||
@{PROC}/@{pid}/sessionid r,
|
||||
@{PROC}/@{pid}/stat r,
|
||||
@{PROC}/@{pids}/cgroup r,
|
||||
@{PROC}/@{pids}/comm r,
|
||||
@{PROC}/@{pids}/fd/ r,
|
||||
@{PROC}/@{pids}/mountinfo r,
|
||||
@{PROC}/@{pids}/sessionid r,
|
||||
@{PROC}/@{pids}/stat r,
|
||||
@{PROC}/@{pids}/status r,
|
||||
@{PROC}/1/cmdline r,
|
||||
@{PROC}/pressure/* r,
|
||||
@{PROC}/swaps r,
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
|
|||
capability sys_admin,
|
||||
capability sys_chroot,
|
||||
|
||||
ptrace (read),
|
||||
ptrace read,
|
||||
|
||||
mount options=(rw rshared) -> /,
|
||||
mount options=(rw rslave) -> /,
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/common/systemd>
|
||||
|
||||
capability net_admin,
|
||||
capability sys_admin,
|
||||
capability sys_ptrace,
|
||||
|
||||
network netlink raw,
|
||||
|
|
|
|||
|
|
@ -13,6 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} {
|
|||
@{exec_path} mr,
|
||||
@{sh_path} r,
|
||||
|
||||
@{lib}/pm-utils/power.d/*hdparm-apm ix,
|
||||
|
||||
include if exists <local/systemd-sleep-hdparm>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{lib}/sysstat/sa{1,2} Px,
|
||||
@{lib}/sysstat/debian-sa{1,2} Px,
|
||||
|
||||
include if exists <local/systemd-sleep-sysstat>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} {
|
|||
include <abstractions/base>
|
||||
|
||||
@{exec_path} mr,
|
||||
@{sh_path} r,
|
||||
|
||||
include if exists <local/systemd-sleep-upgrades>
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
|
|||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member={DisableUnitFiles,EnableUnitFiles}
|
||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||
dbus send bus=system path=/org/freedesktop/systemd1
|
||||
interface=org.freedesktop.systemd1.Manager
|
||||
member={JobRemoved,Reload,StartUnit,StopUnit}
|
||||
peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue