felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/systemd/bootctl
Alexandre Pujol 7bc248577a
feat(profile): small improvment with systemd.
2025-02-23 20:13:21 +01:00

81 lines
2.6 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/bootctl
profile bootctl @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
include <abstractions/common/systemd>
capability mknod,
capability net_admin,
signal (send) peer=child-pager,
ptrace (read) peer=unconfined,
@{exec_path} mr,
@{pager_path} rPx -> child-pager,
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
/{boot,efi}/EFI/systemd/systemd-boot*.efi w,
/{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
/{boot,efi}/loader/.#entries.srel* w,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/loader/entries.srel w,
/{boot,efi}/loader/random-seed w,
/etc/machine-id r,
/etc/machine-info r,
@{run}/host/container-manager r,
@{sys}/class/tpmrm/ r,
@{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r,
@{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@{sys}/firmware/dmi/entries/*/raw r,
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
@{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r,
@{PROC}/sys/kernel/random/poolsize r,
owner @{PROC}/@{pid}/cgroup r,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/bootctl>
}
# vim:syntax=apparmor
Reference in a new issue View git blame Copy permalink