felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/systemd/bootctl
Alexandre Pujol 96b8f96137
feat(profiles): general update.
2023-08-22 23:23:47 +01:00

79 lines
No EOL
2.5 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>,
include <tunables/global>
@{exec_path} = @{bin}/bootctl
profile bootctl @{exec_path} {
include <abstractions/base>
include <abstractions/systemd-common>
include <abstractions/disks-read>
capability mknod,
capability net_admin,
signal (send) peer=child-pager,
ptrace (read) peer=unconfined,
@{exec_path} mr,
@{bin}/less rPx -> child-pager,
@{bin}/more rPx -> child-pager,
@{bin}/pager rPx -> child-pager,
/{boot,efi}/ r,
/{boot,efi}/EFI/{,**} r,
/{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
/{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
/{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
/{boot,efi}/EFI/systemd/systemd-boot*.efi w,
/{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
/{boot,efi}/loader/.#entries.srel* w,
/{boot,efi}/loader/{,**} r,
/{boot,efi}/loader/entries.srel w,
/{boot,efi}/loader/random-seed w,
/etc/machine-id r,
/etc/machine-info r,
@{run}/host/container-manager r,
@{sys}//class/tpmrm/ r,
@{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
@{sys}/firmware/dmi/entries/*/raw r,
@{sys}/firmware/efi/efivars/ r,
@{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
@{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
@{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
@{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
@{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
@{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
@{sys}/firmware/efi/fw_platform_size r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/sys/kernel/random/poolsize r,
# Inherit silencer
deny network inet6 stream,
deny network inet stream,
include if exists <local/bootctl>
}
Reference in a new issue View git blame Copy permalink