From 099a97cb365c8ca1a0451cf32c14124167a38845 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Mon, 1 Aug 2022 18:31:32 +0200
Subject: [PATCH] General update
---
 apparmor.d/groups/apt/apt-methods-gpgv | 2 ++
 apparmor.d/groups/apt/dpkg | 1 +
 apparmor.d/groups/apt/unattended-upgrade | 9 +++++++-
 apparmor.d/groups/freedesktop/fc-cache | 3 +++
 apparmor.d/groups/freedesktop/pulseaudio | 7 ++++++
 apparmor.d/groups/gpg/gpg | 2 ++
 apparmor.d/groups/gpg/gpgconf | 2 ++
 apparmor.d/groups/gpg/gpgsm | 2 ++
 apparmor.d/groups/grub/grub-editenv | 2 ++
 apparmor.d/groups/network/ModemManager | 4 ++++
 apparmor.d/groups/pacman/mkinitcpio | 2 +-
 apparmor.d/groups/systemd/child-systemctl | 2 ++
 apparmor.d/groups/systemd/systemd-analyze | 16 +++++++++++++
 apparmor.d/groups/ubuntu/update-grub | 1 +
 apparmor.d/groups/virt/containerd | 2 ++
 apparmor.d/groups/virt/k3s | 2 +-
 apparmor.d/profiles-a-f/boltd | 23 +++++++++++++++++-
 apparmor.d/profiles-a-f/dkms | 9 +++++++-
 apparmor.d/profiles-a-f/dkms-autoinstaller | 11 ++++-----
 apparmor.d/profiles-a-f/fwupdmgr | 27 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/mkinitramfs | 12 ++++++----
 apparmor.d/profiles-m-r/mount-zfs | 1 +
 apparmor.d/profiles-m-r/run-parts | 4 +++-
 apparmor.d/profiles-s-z/sudo | 2 +-
 apparmor.d/profiles-s-z/zfs | 1 +
 apparmor.d/profiles-s-z/zsysd | 11 +++++----
 26 files changed, 137 insertions(+), 23 deletions(-)
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index aa8b7ad1..74786b57 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} {
   # Local keyring storage
   /etc/apt/keyrings/ r,
   /etc/apt/keyrings/*.{gpg,asc} r,
+  /usr/share/keyrings/ r,
+  /usr/share/keyrings/*.{gpg,asc} r,
   # Extrepo keyring storage
   /var/lib/extrepo/keys/*.{gpg,asc} r,
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index 77aa271b..0593605a 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -76,6 +76,7 @@ profile dpkg @{exec_path} {
   owner /tmp/apt-dpkg-install-*/ r,
   /var/log/dpkg.log w,
+  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
   @{run}/systemd/userdb/ r,
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 73f58183..9ea5fe83 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   dbus receive bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged},
+       member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved},
   @{exec_path} mr,
@@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /etc/apt/*.list r,
   /etc/apt/apt.conf.d/{,**} r,
+  /etc/debian_version r,
+  /etc/dpkg/origins/{debian,ubuntu,} r,
+  /etc/issue{.net,} r,
+  /etc/legal r,
+  /etc/lsb-release r,
+  /etc/profile.d/* r,
+  /etc/update-motd.d/* r,
   /etc/update-manager/{,**} r,
   /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache
index 8d0b9fe6..f0fb0c23 100644
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -20,6 +21,8 @@ profile fc-cache @{exec_path} {
   /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
   /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
+  /var/tmp/mkinitramfs_*/{**,} rwl,
+
   # Silencer
   deny network inet6 stream,
   deny network inet stream,
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index 2a8d08de..2518c579 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
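Review bot: `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` grants read on a log file, whereas the neighbouring `/var/log/dpkg.log w,` rule is write-only. Unless the audit entry that motivated it showed dpkg reading the file back, the narrower `w` matches the existing rule and keeps dpkg from reading the log; suggested: `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log w,`. The profile body continues outside the hunk.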
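Review bot: The added `/etc/update-motd.d/* r,` subsumes the existing, narrower `/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,` two lines below, so one of the two should go. If the wildcard is intentional because the program enumerates every motd hook, drop the enumerated rule and record that with a comment such as `# Reads every motd hook, not only its own`; otherwise keep the enumerated rule and drop the wildcard. `/etc/profile.d/* r,` is likewise wider than anything unattended-upgrade itself obviously needs, so a comment naming what triggered it (a shell started by a hook, presumably — confirm from the denial) would help the next reader. The other reads (`/etc/debian_version`, `/etc/lsb-release`, `/etc/legal`, `/etc/issue{.net,}`, `/etc/dpkg/origins/{debian,ubuntu,}`) look like distribution detection and are unremarkable.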
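Review bot: `/var/tmp/mkinitramfs_*/{**,} rwl,` gives fc-cache read, write and link over the entire initramfs staging tree, not just the font cache it is asked to build, and carries no `owner` qualifier. A fc-cache invoked from an initramfs hook should only need the fontconfig cache directory beneath that root; suggested: `owner /var/tmp/mkinitramfs_*/var/cache/fontconfig/{,**} rwl,`, with the exact subpath confirmed from the denial, since the hook may point it at a different cache directory. A one-line comment naming the hook that runs it would also explain why a font tool writes under /var/tmp at all.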
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} {
        member=Get
        peer=(name=/org/freedesktop/hostname[0-9]),
+  dbus (send)
+       bus=system
+       path=/org.freedesktop.hostname[0-9]
+       interface=org.freedesktop.DBus.Prope
+       member=Get
+       peer=(name=/org/freedesktop/hostname[0-9]),
+
   @{exec_path} mrix,
   /{usr/,}@{libexec}/pulse/gsettings-helper mrix,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index e7b4d13f..025963f0 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -14,6 +14,8 @@ profile gpg @{exec_path} {
   include
   include
+  capability dac_read_search,
+
   network netlink raw,
   @{exec_path} mrix,
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index e5ba0a3b..ab5f2ef8 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@@ -12,6 +12,8 @@ profile gpgconf @{exec_path} {
   include
   include
+  capability dac_read_search,
+
   @{exec_path} mrix,
   /{usr/,}bin/gpg-connect-agent rPx,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 9792071b..9f231c4f 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -11,6 +11,8 @@ profile gpgsm @{exec_path} {
   include
   include
+  capability dac_read_search,
+
   @{exec_path} mr,
   deny /usr/bin/.gnupg/ w,
diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv
index 419e46c7..68dcf3fb 100644
--- a/apparmor.d/groups/grub/grub-editenv
+++ b/apparmor.d/groups/grub/grub-editenv
@@ -13,6 +13,8 @@ profile grub-editenv @{exec_path} flags=(complain) {
   @{exec_path} rm,
+  /boot/grub/grubenv rw,
+
   include if exists
 }
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 0919ba88..6e56b537 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
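Review bot: The new `dbus (send)` rule is malformed in two places: `path=/org.freedesktop.hostname[0-9]` uses dotted bus-name spelling where an object path is required (D-Bus paths allow only `/`-separated alphanumeric elements, so this can never match a real message), and `interface=org.freedesktop.DBus.Prope` is truncated. The intended lines are presumably `path=/org/freedesktop/hostname[0-9]` and `interface=org.freedesktop.DBus.Properties`, but with those fixed the rule most likely duplicates the one directly above it, which already allows `member=Get` to the same peer, so dropping the new rule is probably the right fix. `peer=(name=/org/freedesktop/hostname[0-9])` in both rules is also path-shaped where a bus name such as `org.freedesktop.hostname1` is expected; that predates this change but is worth correcting in the same pass.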
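Review bot: `capability dac_read_search,` lets gpg open any file and traverse any directory the file rules permit regardless of DAC ownership and mode, which is a broad grant for a tool that normally runs as the invoking user; the same line is added to gpgconf, gpgsm and mount-zfs in this commit. Since the capability only matters when the kernel would otherwise refuse, the denial behind it was most likely root running gpg against another user's or a 0700 directory (a keyring in a user home during an automated job, perhaps — confirm from the audit entry). Whatever the trigger, record it next to each of the new lines, e.g. `capability dac_read_search, # run as root against user-owned keyrings`, and consider whether that single use case justifies the capability in the general-purpose gpg profile at all.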
@@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects,
+  dbus receive bus=system path=/org/freedesktop/ModemManager[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
   dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
        interface=org.freedesktop.PolicyKit[0-9].Authority
        member=Changed,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index 050fdd2c..45758f40 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/cp rix,
   /{usr/,}bin/dd rix,
   /{usr/,}bin/find rix,
-  /{usr/,}bin/findmnt rix,
+  /{usr/,}bin/findmnt rPx,
   /{usr/,}bin/fsck rix,
   /{usr/,}bin/gawk rix,
   /{usr/,}bin/grep rix,
diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl
index 338f4f98..d4c6def1 100644
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) {
   /etc/systemd/user/{,**} rwl,
+  @{run}/systemd/private rw,
+
   owner @{PROC}/@{pid}/stat r,
   @{PROC}/sys/kernel/osrelease r,
   @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze
index 400bcac6..a59ecdd3 100644
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@@ -11,11 +11,24 @@ include
 profile systemd-analyze @{exec_path} {
   include
   include
+  include
   include
   capability sys_resource,
   capability net_admin,
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=ListUnits,
+
+  dbus send bus=system path=/org/freedesktop/systemd1/unit/*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
   signal (send) peer=child-pager,
   network inet dgram,
@@ -38,7 +51,10 @@ profile systemd-analyze @{exec_path} {
   owner /tmp/systemd-temporary-*/ rw,
+  @{run}/systemd/generator/ r,
+  @{run}/systemd/private rw,
   @{run}/systemd/system/ r,
+  @{run}/systemd/transient/ r,
   @{run}/systemd/userdb/io.systemd.DynamicUser w,
   @{run}/udev/data/* r,
   @{run}/udev/tags/systemd/ r,
diff --git a/apparmor.d/groups/ubuntu/update-grub b/apparmor.d/groups/ubuntu/update-grub
index b1711633..e9d5d335 100644
--- a/apparmor.d/groups/ubuntu/update-grub
+++ b/apparmor.d/groups/ubuntu/update-grub
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
 profile update-grub @{exec_path} flags=(complain) {
   include
+  include
   @{exec_path} rm,
   /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index d3e3325c..bfdcd25e 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   capability dac_override,
   capability fsetid,
   capability fowner,
+  capability mknod,
   capability net_admin,
+  capability setfcap,
   capability sys_admin,
   network inet dgram,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index dcf8745a..38fef08b 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
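Review bot: `capability mknod,` and `capability setfcap,` are added to containerd without any comment, and setfcap in particular is the ability to stamp file capabilities onto any binary the profile can write, which for a runtime that unpacks container rootfs layers is effectively root-equivalent. That is expected of containerd, but the reason should be recorded in the trailing-comment style this set already uses elsewhere (compare `capability sys_admin, # To mount anything.` in mount-zfs), e.g. `capability setfcap, # restore file capabilities when unpacking image layers` and `capability mknod, # device nodes inside container rootfs` — confirm both against the denials that prompted them. The profile body continues outside the hunk.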
@@ -27,7 +27,7 @@ profile k3s @{exec_path} {
   capability sys_resource,
   ptrace peer=@{profile_name},
-  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
+  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
   # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
   # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index e46ecbe3..3939617a 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -16,12 +16,32 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
+  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName,
+
+  dbus receive bus=system path=/org/freedesktop/bolt
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus receive bus=system path=/org/freedesktop/bolt
+       interface=org.freedesktop.bolt1.Manager
+       member=ListDevices,
+
+  dbus bind bus=system
+       name=org.freedesktop.bolt,
+
   @{exec_path} mr,
   /var/lib/boltd/{,**} rw,
   owner @{run}/boltd/{,**} rw,
+  @{run}/systemd/notify @{run}/systemd/journal/socket w,
   @{run}/udev/data/+thunderbolt:* r,
@@ -37,7 +57,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
   @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
   @{sys}/devices/platform/**/uevent r,
+  @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
   include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index bd4ddff7..1bbba64b 100644
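Review bot: `@{run}/systemd/notify @{run}/systemd/journal/socket w,` puts two paths into a single file rule, which is not valid AppArmor syntax, so `apparmor_parser` will reject the whole boltd profile; the hunk's +32 line count only adds up if this was committed as one line, so it is not a rendering artefact. Split it into `@{run}/systemd/notify w,` and `@{run}/systemd/journal/socket w,`. Separately, `path=/org/freedesktop/PolicyKit1/Authority` spells the version inline while the ModemManager hunk in this same commit uses `PolicyKit[0-9]`; one form should be used throughout. The profile body continues outside the hunk.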
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,6 +12,7 @@ include
 profile dkms @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
   capability dac_read_search,
@@ -37,7 +39,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/rmdir rix,
   /{usr/,}bin/find rix,
   /{usr/,}bin/{,e}grep rix,
-  /{usr/,}bin/gawk rix,
+  /{usr/,}bin/{,g,m}awk rix,
   /{usr/,}bin/cp rix,
   /{usr/,}bin/date rix,
   /{usr/,}bin/ln rix,
@@ -62,6 +64,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
   /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
+  /var/lib/dkms/**/dkms.postbuild rix,
+
   / r,
   /{usr/,}lib/modules/*/updates/ rw,
   /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
@@ -106,6 +110,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/kmod mr,
+  /etc/depmod.d/{,ubuntu.conf} r,
+  /etc/ssl/openssl.cnf r,
+
   @{PROC}/cmdline r,
   /{usr/,}lib/modules/*/modules.* rw,
diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller
index 8dd6e33b..677acfbb 100644
--- a/apparmor.d/profiles-a-f/dkms-autoinstaller
+++ b/apparmor.d/profiles-a-f/dkms-autoinstaller
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
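Review bot: `/var/lib/dkms/**/dkms.postbuild rix,` executes a hook shipped inside the module's own source tree under dkms's confinement, which in this profile includes `capability dac_read_search` and write access to `/{usr/,}lib/modules/*/updates/`; that is how dkms works, but the rule deserves a comment so it is not mistaken for a stray entry, e.g. `# Module-supplied post-build hook, runs inherited (ix)`. `/etc/depmod.d/{,ubuntu.conf} r,` covers only one named drop-in; `/etc/depmod.d/{,*.conf} r,` would match depmod's documented configuration directory on other distributions as well. Minor: `{,g,m}awk` here and `{,m,g}awk` in the run-parts hunk of this commit spell the same alternation differently; pick one ordering.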
@@ -13,15 +14,13 @@ profile dkms-autoinstaller @{exec_path} {
   @{exec_path} r,
   /{usr/,}bin/{,ba,da}sh rix,
-
-  /{usr/,}bin/readlink rix,
-  /{usr/,}bin/tput rix,
+  /{usr/,}{s,}bin/dkms rPx,
   /{usr/,}bin/echo rix,
-
-  /{usr/,}{s,}bin/dkms rPx,
-
+  /{usr/,}bin/plymouth rix,
+  /{usr/,}bin/readlink rix,
   /{usr/,}bin/run-parts rCx -> run-parts,
   /{usr/,}bin/systemctl rPx -> child-systemctl,
+  /{usr/,}bin/tput rix,
   # For shell pwd
   / r,
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index f26ab2fa..e5f5e472 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -17,14 +17,40 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
   include
   include
+  capability sys_nice,
+  signal (send),
+
+ALLOWED fwupdmgr dbus_method_call org.freedesktop.fwupd send bus=system path=/ interface=org.freedesktop.fwupd member=UpdateMetadata peer_label=unconfined
+
+
   network inet stream,
   network inet6 stream,
   network inet dgram,
   network inet6 dgram,
   network netlink raw,
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.fwupd
+       member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
+
+  dbus send bus=system path=/org/freedesktop/systemd[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/systemd[0-9]
+       interface=org.freedesktop.systemd[0-9].Manager
+       member={GetDefaultTarget,GetUnit},
+
+  dbus receive bus=system path=/
+       interface=org.freedesktop.fwupd
+       member=Changed,
+
   @{exec_path} mr,
   /{usr/,}bin/dbus-launch rCx -> dbus,
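Review bot: The line `+ALLOWED fwupdmgr dbus_method_call ... peer_label=unconfined` is a pasted audit-log entry at column 0 with no `#`, so the fwupdmgr profile no longer parses; delete it, since the call it describes is already covered by `member={GetDevices,...,UpdateMetadata}` further down, or at the very least make it a `# ` comment. `signal (send),` with no `peer=` lets fwupdmgr signal every process it can see; a client normally only signals its own helpers, so narrow it once the audit entry shows the real peer, e.g. `signal (send) peer=@{profile_name},` or the `dbus` child profile spawned via `dbus-launch`. `capability sys_nice,` is also added without a note on what needed it. The profile body continues outside the hunk.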
@@ -38,6 +64,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
   owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
   owner @{user_cache_dirs}/ rw,
+  @{user_cache_dirs}/dconf/user rw,
   owner @{user_cache_dirs}/fwupd/ rw,
   owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 35c7caba..c2e4c5b7 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -53,10 +54,11 @@ profile mkinitramfs @{exec_path} {
   /{usr/,}bin/xz rix,
   /{usr/,}bin/zstd rix,
-  /{usr/,}bin/ldd rCx -> ldd,
-  /{usr/,}sbin/ldconfig rCx -> ldconfig,
-  /{usr/,}bin/find rCx -> find,
-  /{usr/,}bin/kmod rCx -> kmod,
+  /{usr/,}bin/ldd rCx -> ldd,
+  /{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,
+  /{usr/,}sbin/ldconfig rCx -> ldconfig,
+  /{usr/,}bin/find rCx -> find,
+  /{usr/,}bin/kmod rCx -> kmod,
   /{usr/,}bin/dpkg rPx -> child-dpkg,
   /{usr/,}bin/linux-version rPx,
@@ -103,7 +105,7 @@ profile mkinitramfs @{exec_path} {
   /{usr/,}lib/initramfs-tools/bin/* mr,
   /{usr/,}lib/@{multiarch}/ld-*.so* rix,
-  /{usr/,}lib{,x}32/ld-*.so rix,
+  /{usr/,}lib{,x}32/ld-*.so{,.2} rix,
 }
diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs
index 6d460635..723a7480 100644
--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@@ -12,6 +12,7 @@ profile mount-zfs @{exec_path} flags=(complain) {
   include
   include
+  capability dac_read_search,
   capability sys_admin, # To mount anything.
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index be940b18..a7d9750d 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
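Review bot: `@{user_cache_dirs}/dconf/user rw,` is the only rule in this block without `owner`, so it lets fwupdmgr write the dconf database of any user whose cache directory it can reach, while every neighbouring rule is scoped to the caller's own files. Unless the denial showed a genuine cross-user access, `owner @{user_cache_dirs}/dconf/user rw,` is the consistent form. Because the target is dconf rather than fwupd's own data, a comment naming the library that triggers the write (a GSettings-using dependency, presumably — confirm) would also help the next reader.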
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -142,6 +143,7 @@ profile run-parts @{exec_path} {
   profile kernel {
     include
     include
+    include
     capability sys_module,
@@ -151,7 +153,7 @@ profile run-parts @{exec_path} {
     /{usr/,}bin/chmod rix,
     /{usr/,}bin/cut rix,
     /{usr/,}bin/dirname rix,
-    /{usr/,}bin/gawk rix,
+    /{usr/,}bin/{,m,g}awk rix,
     /{usr/,}bin/kmod rix,
     /{usr/,}bin/mv rix,
     /{usr/,}bin/rm rix,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index ed41a2e3..cc89bfd4 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -37,7 +37,7 @@ profile sudo @{exec_path} {
   signal (send) peer=unconfined,
   signal (send) set=(cont,hup) peer=su,
-  signal (send) set=winch peer=apt,
+  signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},
   dbus send bus=system path=/org/freedesktop/login[0-9]
        interface=org.freedesktop.login[0-9].Manager
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs
index 7482e9ea..cb36774d 100644
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
 profile zfs @{exec_path} {
   include
+  include
   capability sys_admin,
   capability dac_read_search,
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
index d1dcc5ac..a0141ae1 100644
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -23,7 +23,8 @@ profile zsysd @{exec_path} flags=(complain) {
   @{exec_path} rmix,
   /{usr/,}{local/,}{s,}bin/zfs rPx,
   /{usr/,}{local/,}{s,}bin/zpool rPx,
-  /{usr/,}{s,}bin/update-grub rPUx,
+  # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1
+  /{usr/,}{s,}bin/update-grub rPx,
   /etc/hostid r,
   /etc/zsys.conf r,
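Review bot: The new comment above `/{usr/,}{s,}bin/update-grub rPx,` reproduces a raw audit line instead of explaining the rule, and the line itself argues against the change: `info="no new privs"` means the exec was refused because zsysd runs with no_new_privs set and AppArmor will only allow a transition to a profile that is a subset of the current one. Replacing `rPUx` with `rPx` keeps the same `px` transition, so the same denial should be expected; what would clear it is an inherited exec (`rix`, folding update-grub's needs into zsysd) or dropping no_new_privs from the unit that starts zsysd — confirm by re-testing, since the unit file is not visible here. Whatever the outcome, replace the pasted line with a one-line reason such as `# update-grub is exec'ed under no_new_privs; a px transition is refused`. The profile body continues outside the hunk.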
@@ -35,10 +36,10 @@ profile zsysd @{exec_path} flags=(complain) {
   @{run}/zsys-snapshot.unattended-upgrades rw,
   @{run}/zsysd.sock rw,
-  owner @{PROC}/@{pids}/stat r,
-  @{PROC}/@{pids}/mounts r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/spl/hostid r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/mounts r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/spl/hostid r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
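Review bot: The realignment also drops `owner` from `@{PROC}/@{pids}/stat r,`, widening it from zsysd's own processes to `/proc/*/stat` of every process, while the other three lines change only in whitespace; that is a permission change buried in what reads as a formatting edit. The neighbouring `@{PROC}/@{pids}/mounts r,` already lacks `owner`, so this may be intentional; if so, say it in a comment such as `# zsysd inspects processes it did not start`, otherwise restore `owner @{PROC}/@{pids}/stat r,`. The exposure (start times, parent PIDs and state of all processes) is modest, but broader than the profile granted before.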