feat(profiles): general update.

2022-06-25 00:16:05 +01:00 · 2022-06-25 00:16:05 +01:00 · fcbe764ccf
commit fcbe764ccf
parent e942c057bd
36 changed files with 154 additions and 74 deletions
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@ -14,18 +14,20 @@ profile rngd @{exec_path} {

  @{exec_path} mr,

+  capability dac_read_search,
  capability sys_admin,
  capability sys_nice,
-  capability dac_read_search,

  network netlink raw,

-  /etc/opensc.conf r,
  /etc/conf.d/rngd r,
+  /etc/opensc.conf r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

+  @{sys}/devices/virtual/misc/hw_random/rng_available r,
+
  @{PROC}/sys/kernel/random/poolsize r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold rw,

--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -96,6 +96,7 @@ profile run-parts @{exec_path} {
  /etc/kernel/postinst.d/initramfs-tools      rCx -> kernel,
  /etc/kernel/postinst.d/unattended-upgrades  rCx -> kernel,
  /etc/kernel/postinst.d/zz-update-grub       rCx -> kernel,
+  /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel,

  /etc/kernel/postrm.d/ r,
  /etc/kernel/postrm.d/initramfs-tools        rCx -> kernel,
@ -139,6 +140,8 @@ profile run-parts @{exec_path} {
    include <abstractions/base>
    include <abstractions/consoles>

+    capability sys_module,
+
    /{usr/,}bin/{,ba,da}sh rix,
    /{usr/,}bin/{,e}grep   rix,
    /{usr/,}bin/cat        rix,
@ -180,6 +183,7 @@ profile run-parts @{exec_path} {
    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,

+    @{run}/reboot-required w,
    @{run}/reboot-required.pkgs w,

    @{PROC}/devices r,