apparmor.d/profiles/systemd-analyze

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/systemd-analyze
profile systemd-analyze @{exec_path} {
  include <abstractions/base>
  include <abstractions/systemd-common>

  # Needed for the prctl's PR_SET_MM option:
  #  prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted)
  capability sys_resource,

  signal (send) peer=child-pager,

  @{exec_path} mr,

  /{usr/,}bin/pager     rPx -> child-pager,
  /{usr/,}bin/less      rPx -> child-pager,
  /{usr/,}bin/more      rPx -> child-pager,
  /{usr/,}bin/man       rPx,

  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/comm r,
        @{PROC}/swaps r,

  # For systemd-analyze cat-config
  /etc/systemd/** r,
  /{usr/,}lib/systemd/** r,

  @{sys}/fs/cgroup/{,**} r,
  @{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,
  @{sys}/firmware/acpi/tables/FPDT r,

  @{sys}/module/**/uevent r,
  @{sys}/devices/**/uevent r,
  @{run}/udev/data/* r,

  @{run}/udev/tags/systemd/ r,
  @{run}/systemd/system/ r,
  @{run}/systemd/userdb/io.systemd.DynamicUser w,

  owner /tmp/systemd-temporary-*/ rw,

  /usr/ r,

  /etc/default/locale r,

  include if exists <local/systemd-analyze>
}
Rewrite Copyright header, use SPDX style. 2021-04-01 17:17:47 +02:00			`# apparmor.d - Full set of apparmor profiles`
			`# Copyright (C) 2020-2021 Mikhail Morfikov`
			`# SPDX-License-Identifier: GPL-2.0-only`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`abi <abi/3.0>,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <tunables/global>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`@{exec_path} = /{usr/,}bin/systemd-analyze`
			`profile systemd-analyze @{exec_path} {`
update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include <abstractions/base>`
			`include <abstractions/systemd-common>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`# Needed for the prctl's PR_SET_MM option:`
			`# prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted)`
			`capability sys_resource,`

			`signal (send) peer=child-pager,`

			`@{exec_path} mr,`

			`/{usr/,}bin/pager rPx -> child-pager,`
			`/{usr/,}bin/less rPx -> child-pager,`
			`/{usr/,}bin/more rPx -> child-pager,`
			`/{usr/,}bin/man rPx,`

			`owner @{PROC}/@{pid}/cgroup r,`
			`owner @{PROC}/@{pid}/mountinfo r,`
			`owner @{PROC}/@{pid}/comm r,`
			`@{PROC}/swaps r,`

			`# For systemd-analyze cat-config`
			`/etc/systemd/** r,`
			`/{usr/,}lib/systemd/** r,`

update apparmor profiles 2021-03-13 09:47:36 +01:00			`@{sys}/fs/cgroup/{,**} r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`@{sys}/fs/cgroup/{systemd,unified}/**/cgroup.procs rw,`
			`@{sys}/firmware/acpi/tables/FPDT r,`

			`@{sys}/module/**/uevent r,`
			`@{sys}/devices/**/uevent r,`
update apparmor profiles 2020-10-25 10:23:34 +01:00			`@{run}/udev/data/* r,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
update apparmor profiles 2020-10-25 10:23:34 +01:00			`@{run}/udev/tags/systemd/ r,`
			`@{run}/systemd/system/ r,`
			`@{run}/systemd/userdb/io.systemd.DynamicUser w,`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00
			`owner /tmp/systemd-temporary-*/ rw,`

			`/usr/ r,`

			`/etc/default/locale r,`

update profiles for apparmor3 2020-12-10 22:33:39 +01:00			`include if exists <local/systemd-analyze>`
move apparmor profiles to a seperate repo 2020-09-12 17:19:23 +02:00			`}`