From 081308db2fa0b1118bb564cef5027700a64ca705 Mon Sep 17 00:00:00 2001
From: Jeroen
Date: Mon, 18 Jul 2022 00:04:13 +0200
Subject: [PATCH] Add ZFS Event Daemon (#56)
---
 apparmor.d/profiles-s-z/zed | 51 +++++++++++++++++++++++++++++++++++++
 apparmor.d/profiles-s-z/zfs | 6 ++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/profiles-s-z/zed
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed
new file mode 100644
index 00000000..4f39770e
--- /dev/null
+++ b/apparmor.d/profiles-s-z/zed
@@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/zed
+profile zed @{exec_path} flags=(complain) {
+ include
+ include
+
+ capability sys_admin,
+
+ network netlink raw,
+
+ @{exec_path} mr,
+ /{usr/,}bin/basename rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/diff rix,
+ /{usr/,}bin/expr rix,
+ /{usr/,}bin/flock rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/ls rix,
+ /{usr/,}bin/logger rix,
+ /{usr/,}bin/mawk rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/realpath rix,
+ /{usr/,}bin/sort rix,
+ /{usr/,}{local/,}{s,}bin/zpool rPx,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
+ /{usr/,}{local/,}lib/zfs-linux/zed.d/*.sh rix,
+
+ /etc/zfs/zed.d/{,*} r,
+ /etc/zfs/zfs-list.cache/{,*} rwk,
+
+ @{run}/zed.pid rwkl,
+ @{run}/zed.state rwkl,
+ @{run}/zfs-list.cache@* rw,
+
+ @{PROC}/@{pids}/mounts r,
+ owner @{PROC}/@{pids}/fd/ r,
+ @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ @{sys}/bus/pci/slots/ r,
+
+ /dev/zfs rw,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs
index 1251aa57..388e569d 100644
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
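Review bot: The ZEDLETs are run inline (`/{usr/,}{local/,}lib/zfs-linux/zed.d/*.sh rix,`) but the profile lists no shell interpreter, and executing a `#!/bin/sh` script under `ix` still requires the interpreter itself to be readable and mappable in this profile, so unless one of the includes supplies it (their targets are not visible in this rendering) a rule such as `/{usr/,}bin/{,ba,da}sh rix,` belongs next to the other `rix` helpers. Because the profile is `flags=(complain)`, that gap would only surface as audit entries in the log rather than as a failed event handler, which is easy to miss when testing the new profile. A one-line comment above the ZEDLET rule, for example `# ZEDLETs run inside this profile, so every tool they call needs its own rule here`, would explain why the long list of coreutils is present and why `rix` rather than `Px` was chosen for them. `@{PROC}/@{pids}/mounts r,` grants reads of every process's mount table; if zed only reads its own, `@{PROC}/@{pid}/mounts r,` is the narrower rule, matching the `@{pid}` form already used on the `comm` line, and is worth confirming against the daemon before tightening.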
@@ -12,10 +12,14 @@ profile zfs @{exec_path} flags=(complain) {
 capability sys_admin,
- @{exec_path} r,
+ @{exec_path} mr,
+
+ /etc/zfs/zfs-list.cache/{,*} rwk,
 @{PROC}/@{pids}/mounts r,
+ @{run}/zfs-list.cache@* rw,
+ /dev/zfs rw,
 include if exists