felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(fsp): add initial sd-umount.

Browse source
This commit is contained in:
Alexandre Pujol 2025-06-17 00:18:39 +02:00
parent d01b7ce7d6
commit fc45e5ee66
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
1 changed files with 34 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

34
apparmor.d/groups/_full/sd-umount Normal file
View file

@ -0,0 +1,34 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Part of the systemd (as PID 1) profile.
# sd-umount is a subprofile of sd responsible to handle unmounting operation.
# Only use this profile with a fully configured system. Otherwise it **WILL**
# break your computer. See https://apparmor.pujol.io/full-system-policy/.
# Distributions and other programs can add rules in the usr/sd-umount.d directory
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/umount
profile sd-umount flags=(complain) {
include <abstractions/base>
capability sys_admin,
umount @{efi},
@{exec_path} mr,
@{PROC}/@{pid}/mountinfo r,
include if exists <usr/sd-umount.d>
include if exists <local/sd-umount>
}
# vim:syntax=apparmor