feat(profiles): general update.

2023-03-31 16:52:35 +01:00 · 2023-03-31 16:52:35 +01:00 · e927145edb
commit e927145edb
parent 1131fdf412
10 changed files with 31 additions and 5 deletions
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@ -10,9 +10,13 @@ include <tunables/global>
 profile groups @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/nameservice-strict>

  @{exec_path} mr,

+  /etc/group r,
+  /etc/nsswitch.conf r,
+
+  /dev/tty[0-9]* rw,
+
  include if exists <local/groups>
 }
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -20,6 +20,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
  capability dac_read_search,
  capability fowner,
  capability fsetid,
+  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
@ -28,6 +29,8 @@ profile login @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

+  signal (send) set=(hup,term),
+
  ptrace read,

  dbus send bus=system path=/org/freedesktop/login1
@ -38,13 +41,14 @@ profile login @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/{,z,ba,da}sh  rUx,

-  /etc/default/locale r,
  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*} r,
+  /etc/default/locale r,
  /etc/legal r,
+  /etc/machine-id r,
  /etc/motd r,
  /etc/security/group.conf r,
  /etc/security/limits.conf r,
-  @{etc_ro}/security/limits.d/{,*} r,
  /etc/security/pam_env.conf r,
  /etc/shells r,