General update

This commit is contained in:
Jeroen Rijken 2022-08-01 18:31:32 +02:00 committed by Alex
parent 575d781c88
commit 099a97cb36
26 changed files with 137 additions and 23 deletions


@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} {
# Local keyring storage # Local keyring storage
/etc/apt/keyrings/ r, /etc/apt/keyrings/ r,
/etc/apt/keyrings/*.{gpg,asc} r, /etc/apt/keyrings/*.{gpg,asc} r,
/usr/share/keyrings/ r,
/usr/share/keyrings/*.{gpg,asc} r,
# Extrepo keyring storage # Extrepo keyring storage
/var/lib/extrepo/keys/*.{gpg,asc} r, /var/lib/extrepo/keys/*.{gpg,asc} r,
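Review bot: The two new `/usr/share/keyrings/` rules sit directly under the `# Local keyring storage` comment, which describes `/etc/apt/keyrings/`, so the grouping now reads as if the distribution keyrings were local ones. A separate comment such as `# Distribution keyring storage` above `/usr/share/keyrings/ r,` keeps the section accurate. Both rules are read-only, which matches the surrounding keyring rules.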


@ -76,6 +76,7 @@ profile dpkg @{exec_path} {
owner /tmp/apt-dpkg-install-*/ r, owner /tmp/apt-dpkg-install-*/ r,
/var/log/dpkg.log w, /var/log/dpkg.log w,
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
@{run}/systemd/userdb/ r, @{run}/systemd/userdb/ r,
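Review bot: `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,` grants read as well as write, while the adjacent `/var/log/dpkg.log w,` shows the profile otherwise gives dpkg write-only access to its logs. Unless an audit entry showed a read denial on this file (I cannot see one in the commit), `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log w,` is the tighter and consistent rule. A short comment noting that this log is written when dpkg is driven by unattended-upgrades would also help the next reader.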


@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
dbus receive bus=system path=/org/freedesktop/NetworkManager dbus receive bus=system path=/org/freedesktop/NetworkManager
interface=org.freedesktop.NetworkManager interface=org.freedesktop.NetworkManager
member={CheckPermissions,StateChanged}, member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved},
@{exec_path} mr, @{exec_path} mr,
@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
/etc/apt/*.list r, /etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r, /etc/apt/apt.conf.d/{,**} r,
/etc/debian_version r,
/etc/dpkg/origins/{debian,ubuntu,} r,
/etc/issue{.net,} r,
/etc/legal r,
/etc/lsb-release r,
/etc/profile.d/* r,
/etc/update-motd.d/* r,
/etc/update-manager/{,**} r, /etc/update-manager/{,**} r,
/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r, /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
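Review bot: The new `/etc/update-motd.d/* r,` glob makes the existing narrower `/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,` rule redundant, so the second hunk now grants both and the intended scope is unclear. If the wider read is genuinely needed, drop the specific rule; otherwise keep the specific one and remove the glob, which is the least-privilege choice. `/etc/profile.d/* r,` is similarly broad for a package updater, and a comment naming the script that triggered it (I cannot see the audit entry) would justify keeping it.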


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -20,6 +21,8 @@ profile fc-cache @{exec_path} {
/var/cache/fontconfig/*.cache-[0-9]*.LCK rwl, /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
/var/cache/fontconfig/CACHEDIR.TAG.LCK rwl, /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
/var/tmp/mkinitramfs_*/{**,} rwl,
# Silencer # Silencer
deny network inet6 stream, deny network inet6 stream,
deny network inet stream, deny network inet stream,
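Review bot: `/var/tmp/mkinitramfs_*/{**,} rwl,` in the second hunk gives fc-cache write and link access to the entire mkinitramfs staging tree, not just the fontconfig cache it builds there. If the audit log only showed writes under a fontconfig subdirectory, narrowing the path keeps the rule minimal, and an `owner` prefix is worth considering (presumably both fc-cache and mkinitramfs run as root here — confirm). A comment such as `# Font cache generated inside the initramfs staging directory` would explain why fc-cache touches this path at all.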


@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} {
member=Get member=Get
peer=(name=/org/freedesktop/hostname[0-9]), peer=(name=/org/freedesktop/hostname[0-9]),
dbus (send)
bus=system
path=/org.freedesktop.hostname[0-9]
interface=org.freedesktop.DBus.Prope
member=Get
peer=(name=/org/freedesktop/hostname[0-9]),
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}@{libexec}/pulse/gsettings-helper mrix, /{usr/,}@{libexec}/pulse/gsettings-helper mrix,
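Review bot: The new `dbus (send)` rule uses `path=/org.freedesktop.hostname[0-9]` (dots instead of slashes) and `interface=org.freedesktop.DBus.Prope`, which is truncated, so the rule can never match a real hostname1 call and is dead; it looks like a partial copy of the rule directly above it. The intended form is `dbus (send) bus=system path=/org/freedesktop/hostname[0-9]` / `interface=org.freedesktop.DBus.Properties` / `member=Get peer=(name=/org/freedesktop/hostname[0-9]),`, but if that is exactly what the preceding rule already says, the addition is a duplicate and should be dropped instead. Note that `peer=(name=...)` expects a bus name rather than an object path; the existing rule has the same shape, so that is a pre-existing point to check separately rather than something this hunk introduces.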


@ -14,6 +14,8 @@ profile gpg @{exec_path} {
include <abstractions/user-download-strict> include <abstractions/user-download-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
network netlink raw, network netlink raw,
@{exec_path} mrix, @{exec_path} mrix,
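Review bot: `capability dac_read_search,` lets a confined gpg process, when run as root, bypass read and search permission checks on every file and directory, which is far broader than the keyring and home-directory access the profile otherwise lists. The same capability is added to gpgconf, gpgsm and mount-zfs in this commit, in each case without a comment, so a reader cannot tell which operation needed it or whether a narrower file rule would do. I would add a line of the form `# Needed when run as root to read keyrings not owned by root — TODO confirm from audit log` above each, adjusted to whatever the audit entry actually showed.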


@ -12,6 +12,8 @@ profile gpgconf @{exec_path} {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
@{exec_path} mrix, @{exec_path} mrix,
/{usr/,}bin/gpg-connect-agent rPx, /{usr/,}bin/gpg-connect-agent rPx,


@ -11,6 +11,8 @@ profile gpgsm @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
@{exec_path} mr, @{exec_path} mr,
deny /usr/bin/.gnupg/ w, deny /usr/bin/.gnupg/ w,


@ -13,6 +13,8 @@ profile grub-editenv @{exec_path} flags=(complain) {
@{exec_path} rm, @{exec_path} rm,
/boot/grub/grubenv rw,
include if exists <local/grub-editenv> include if exists <local/grub-editenv>
} }


@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
interface=org.freedesktop.DBus.ObjectManager interface=org.freedesktop.DBus.ObjectManager
member=GetManagedObjects, member=GetManagedObjects,
dbus receive bus=system path=/org/freedesktop/ModemManager[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
interface=org.freedesktop.PolicyKit[0-9].Authority interface=org.freedesktop.PolicyKit[0-9].Authority
member=Changed, member=Changed,


@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/dd rix, /{usr/,}bin/dd rix,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/findmnt rix, /{usr/,}bin/findmnt rPx,
/{usr/,}bin/fsck rix, /{usr/,}bin/fsck rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/gawk rix,
/{usr/,}bin/grep rix, /{usr/,}bin/grep rix,
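Review bot: Changing `/{usr/,}bin/findmnt rix,` to `rPx` requires a `findmnt` profile to be loaded; if none exists in the set, the exec is denied rather than falling back, and the mkinitcpio hook that calls it will fail. Please confirm the profile exists in this commit or the tree. If it does not, keeping `rix` is preferable to `rPUx`, since an unconfined fallback from a root-run image builder widens rather than narrows confinement.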


@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) {
/etc/systemd/user/{,**} rwl, /etc/systemd/user/{,**} rwl,
@{run}/systemd/private rw,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
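Review bot: `@{run}/systemd/private rw,` opens PID1's private control socket, through which systemctl can issue any manager command without going over the system bus and therefore without bus-level mediation; that is expected for root invocations (presumably what triggered it — confirm) but worth stating in the profile. I would add `# PID1 private control socket, used instead of D-Bus when run as root` above the rule. The same rule is added to systemd-analyze in this commit and deserves the same comment.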


@ -11,11 +11,24 @@ include <tunables/global>
profile systemd-analyze @{exec_path} { profile systemd-analyze @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability sys_resource, capability sys_resource,
capability net_admin, capability net_admin,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/systemd1
interface=org.freedesktop.systemd1.Manager
member=ListUnits,
dbus send bus=system path=/org/freedesktop/systemd1/unit/*
interface=org.freedesktop.DBus.Properties
member=GetAll,
signal (send) peer=child-pager, signal (send) peer=child-pager,
network inet dgram, network inet dgram,
@ -38,7 +51,10 @@ profile systemd-analyze @{exec_path} {
owner /tmp/systemd-temporary-*/ rw, owner /tmp/systemd-temporary-*/ rw,
@{run}/systemd/generator/ r,
@{run}/systemd/private rw,
@{run}/systemd/system/ r, @{run}/systemd/system/ r,
@{run}/systemd/transient/ r,
@{run}/systemd/userdb/io.systemd.DynamicUser w, @{run}/systemd/userdb/io.systemd.DynamicUser w,
@{run}/udev/data/* r, @{run}/udev/data/* r,
@{run}/udev/tags/systemd/ r, @{run}/udev/tags/systemd/ r,
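Review bot: The three new `dbus send` rules on `/org/freedesktop/systemd1` and `/org/freedesktop/systemd1/unit/*` carry no `peer=` restriction, unlike the `peer=(name=...)` form used in the pulseaudio profile touched by this same commit, so any bus client exporting those paths would be accepted. Adding `peer=(name=org.freedesktop.systemd1)` to each rule pins them to the manager. The `@{run}/systemd/private rw,` line in the second hunk gives the tool the same direct PID1 control channel as systemctl and would benefit from a comment saying so.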


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-grub{2,} @{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
profile update-grub @{exec_path} flags=(complain) { profile update-grub @{exec_path} flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
@{exec_path} rm, @{exec_path} rm,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,


@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
capability dac_override, capability dac_override,
capability fsetid, capability fsetid,
capability fowner, capability fowner,
capability mknod,
capability net_admin, capability net_admin,
capability setfcap,
capability sys_admin, capability sys_admin,
network inet dgram, network inet dgram,
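Review bot: `capability mknod,` and `capability setfcap,` are added without a comment; setfcap lets containerd write file capabilities and mknod lets it create device nodes on the host filesystem, so a reader needs to know these are for unpacking image layers (which can carry both) rather than a catch-all grant. I would document each inline, e.g. `capability mknod,   # device nodes present in image layers` and `capability setfcap, # file capabilities present in image layers`, adjusted to whatever the audit entries actually showed since they are not in the commit.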


@ -27,7 +27,7 @@ profile k3s @{exec_path} {
capability sys_resource, capability sys_resource,
ptrace peer=@{profile_name}, ptrace peer=@{profile_name},
ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined}, ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
# k3s requires ptrace to all AppArmor profiles loaded in Kubernetes # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
# For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.


@ -16,12 +16,32 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
network netlink raw, network netlink raw,
dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member=RequestName,
dbus receive bus=system path=/org/freedesktop/bolt
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus receive bus=system path=/org/freedesktop/bolt
interface=org.freedesktop.bolt1.Manager
member=ListDevices,
dbus bind bus=system
name=org.freedesktop.bolt,
@{exec_path} mr, @{exec_path} mr,
/var/lib/boltd/{,**} rw, /var/lib/boltd/{,**} rw,
owner @{run}/boltd/{,**} rw, owner @{run}/boltd/{,**} rw,
@{run}/systemd/notify
@{run}/systemd/journal/socket w, @{run}/systemd/journal/socket w,
@{run}/udev/data/+thunderbolt:* r, @{run}/udev/data/+thunderbolt:* r,
@ -37,7 +57,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
@{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r, @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
@{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/**/uevent r,
@{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
@{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
include if exists <local/boltd> include if exists <local/boltd>
} }
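Review bot: `@{run}/systemd/notify` in the first hunk has no permission mode and no trailing comma, which the AppArmor parser rejects, so the profile will not load unless the page rendering dropped the rest of the line. It should read `@{run}/systemd/notify w,` (sd_notify only sends to the socket). Separately, `@{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,` lets boltd power the Thunderbolt controller through the WMI interface, which is its job, but a comment like `# Force-power the Thunderbolt controller via WMI` would explain the sysfs write.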


@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -11,6 +12,7 @@ include <tunables/global>
profile dkms @{exec_path} flags=(attach_disconnected) { profile dkms @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/openssl> include <abstractions/openssl>
capability dac_read_search, capability dac_read_search,
@ -37,7 +39,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/rmdir rix, /{usr/,}bin/rmdir rix,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/{,e}grep rix, /{usr/,}bin/{,e}grep rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/{,g,m}awk rix,
/{usr/,}bin/cp rix, /{usr/,}bin/cp rix,
/{usr/,}bin/date rix, /{usr/,}bin/date rix,
/{usr/,}bin/ln rix, /{usr/,}bin/ln rix,
@ -62,6 +64,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
/{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix, /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
/{usr/,}lib/modules/*/build/tools/objtool/objtool rix, /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
/var/lib/dkms/**/dkms.postbuild rix,
/ r, / r,
/{usr/,}lib/modules/*/updates/ rw, /{usr/,}lib/modules/*/updates/ rw,
/{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw, /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
@ -106,6 +110,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
/{usr/,}bin/kmod mr, /{usr/,}bin/kmod mr,
/etc/depmod.d/{,ubuntu.conf} r,
/etc/ssl/openssl.cnf r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
/{usr/,}lib/modules/*/modules.* rw, /{usr/,}lib/modules/*/modules.* rw,
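Review bot: `/var/lib/dkms/**/dkms.postbuild rix,` in the third hunk executes package-supplied post-build hooks inline, so whatever those scripts do runs with the full dkms profile, including the `capability dac_read_search` visible in the second hunk. That is how dkms works, but the rule deserves a comment such as `# Package-provided post-build hooks, run inline with dkms's rights`, and if the hooks only need the shell tools already listed a child profile (`rCx`) would bound them. `/etc/depmod.d/{,ubuntu.conf} r,` in the last hunk is distribution-specific; if other distributions' files should be readable too, `/etc/depmod.d/{,*.conf} r,` is the neutral form — confirm against what depmod actually opens.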


@ -1,5 +1,6 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -13,15 +14,13 @@ profile dkms-autoinstaller @{exec_path} {
@{exec_path} r, @{exec_path} r,
/{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/{,ba,da}sh rix,
/{usr/,}{s,}bin/dkms rPx,
/{usr/,}bin/readlink rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/echo rix, /{usr/,}bin/echo rix,
/{usr/,}bin/plymouth rix,
/{usr/,}{s,}bin/dkms rPx, /{usr/,}bin/readlink rix,
/{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/run-parts rCx -> run-parts,
/{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/tput rix,
# For shell pwd # For shell pwd
/ r, / r,
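Review bot: `/{usr/,}bin/plymouth rix,` runs the plymouth client inline with dkms-autoinstaller's rights; if this set ships a `plymouth` profile (I believe it does, but cannot see it from here), `rPx` would keep the client under its own rules. The remaining changes in the second hunk reorder existing rules alphabetically and drop what appears to be a duplicate `dkms rPx` line, which is fine.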


@ -17,14 +17,40 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
capability sys_nice,
signal (send), signal (send),
ALLOWED fwupdmgr dbus_method_call org.freedesktop.fwupd send bus=system path=/ interface=org.freedesktop.fwupd member=UpdateMetadata peer_label=unconfined
network inet stream, network inet stream,
network inet6 stream, network inet6 stream,
network inet dgram, network inet dgram,
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
dbus send bus=system path=/
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/
interface=org.freedesktop.fwupd
member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.DBus.Properties
member=GetAll,
dbus send bus=system path=/org/freedesktop/systemd[0-9]
interface=org.freedesktop.systemd[0-9].Manager
member={GetDefaultTarget,GetUnit},
dbus receive bus=system path=/
interface=org.freedesktop.fwupd
member=Changed,
@{exec_path} mr, @{exec_path} mr,
/{usr/,}bin/dbus-launch rCx -> dbus, /{usr/,}bin/dbus-launch rCx -> dbus,
@ -38,6 +64,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/ rw,
@{user_cache_dirs}/dconf/user rw,
owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/ rw,
owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
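Review bot: The line `ALLOWED fwupdmgr dbus_method_call org.freedesktop.fwupd send bus=system ... peer_label=unconfined` in the first hunk is a pasted audit-log entry with no `#` prefix, so the profile will not parse on whichever side of the diff it sits; if it is part of the new text it should be removed, since the `dbus send bus=system path=/ interface=org.freedesktop.fwupd member={...,UpdateMetadata},` rule added below already covers that call, or at least be prefixed with `#`. In the second hunk `@{user_cache_dirs}/dconf/user rw,` lacks the `owner` prefix every neighbouring `@{user_cache_dirs}` rule carries; `owner @{user_cache_dirs}/dconf/user rw,` keeps it consistent and stops fwupdmgr writing another user's dconf cache.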


@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -53,10 +54,11 @@ profile mkinitramfs @{exec_path} {
/{usr/,}bin/xz rix, /{usr/,}bin/xz rix,
/{usr/,}bin/zstd rix, /{usr/,}bin/zstd rix,
/{usr/,}bin/ldd rCx -> ldd, /{usr/,}bin/ldd rCx -> ldd,
/{usr/,}sbin/ldconfig rCx -> ldconfig, /{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,
/{usr/,}bin/find rCx -> find, /{usr/,}sbin/ldconfig rCx -> ldconfig,
/{usr/,}bin/kmod rCx -> kmod, /{usr/,}bin/find rCx -> find,
/{usr/,}bin/kmod rCx -> kmod,
/{usr/,}bin/dpkg rPx -> child-dpkg, /{usr/,}bin/dpkg rPx -> child-dpkg,
/{usr/,}bin/linux-version rPx, /{usr/,}bin/linux-version rPx,
@ -103,7 +105,7 @@ profile mkinitramfs @{exec_path} {
/{usr/,}lib/initramfs-tools/bin/* mr, /{usr/,}lib/initramfs-tools/bin/* mr,
/{usr/,}lib/@{multiarch}/ld-*.so* rix, /{usr/,}lib/@{multiarch}/ld-*.so* rix,
/{usr/,}lib{,x}32/ld-*.so rix, /{usr/,}lib{,x}32/ld-*.so{,.2} rix,
} }
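Review bot: `/{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,` in the second hunk names only the 32-bit loader filename; under `lib64` the x86 loader is normally `ld-linux-x86-64.so.2`, so if the denial came from a 64-bit invocation this rule will not match it — confirm against the audit entry. Executing the loader directly with a transition into the `ldd` child profile also means that profile must accept the loader as its entry binary, while the `ld-*.so{,.2} rix` change in the third hunk shows the loader is otherwise run inline; a one-line comment saying which invocation each rule is for would make the split intentional.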


@ -12,6 +12,7 @@ profile mount-zfs @{exec_path} flags=(complain) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
capability dac_read_search,
capability sys_admin, # To mount anything. capability sys_admin, # To mount anything.
@{exec_path} mr, @{exec_path} mr,


@ -1,6 +1,7 @@
# apparmor.d - Full set of apparmor profiles # apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io> # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
abi <abi/3.0>, abi <abi/3.0>,
@ -142,6 +143,7 @@ profile run-parts @{exec_path} {
profile kernel { profile kernel {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/nameservice-strict>
capability sys_module, capability sys_module,
@ -151,7 +153,7 @@ profile run-parts @{exec_path} {
/{usr/,}bin/chmod rix, /{usr/,}bin/chmod rix,
/{usr/,}bin/cut rix, /{usr/,}bin/cut rix,
/{usr/,}bin/dirname rix, /{usr/,}bin/dirname rix,
/{usr/,}bin/gawk rix, /{usr/,}bin/{,m,g}awk rix,
/{usr/,}bin/kmod rix, /{usr/,}bin/kmod rix,
/{usr/,}bin/mv rix, /{usr/,}bin/mv rix,
/{usr/,}bin/rm rix, /{usr/,}bin/rm rix,


@ -37,7 +37,7 @@ profile sudo @{exec_path} {
signal (send) peer=unconfined, signal (send) peer=unconfined,
signal (send) set=(cont,hup) peer=su, signal (send) set=(cont,hup) peer=su,
signal (send) set=winch peer=apt, signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},
dbus send bus=system path=/org/freedesktop/login[0-9] dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager interface=org.freedesktop.login[0-9].Manager


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs @{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
profile zfs @{exec_path} { profile zfs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability sys_admin, capability sys_admin,
capability dac_read_search, capability dac_read_search,


@ -23,7 +23,8 @@ profile zsysd @{exec_path} flags=(complain) {
@{exec_path} rmix, @{exec_path} rmix,
/{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zfs rPx,
/{usr/,}{local/,}{s,}bin/zpool rPx, /{usr/,}{local/,}{s,}bin/zpool rPx,
/{usr/,}{s,}bin/update-grub rPUx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1
/{usr/,}{s,}bin/update-grub rPx,
/etc/hostid r, /etc/hostid r,
/etc/zsys.conf r, /etc/zsys.conf r,
@ -35,10 +36,10 @@ profile zsysd @{exec_path} flags=(complain) {
@{run}/zsys-snapshot.unattended-upgrades rw, @{run}/zsys-snapshot.unattended-upgrades rw,
@{run}/zsysd.sock rw, @{run}/zsysd.sock rw,
owner @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/stat r,
@{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/mounts r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/spl/hostid r, @{PROC}/sys/kernel/spl/hostid r,
@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
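Review bot: Replacing `rPUx` with `rPx` for `update-grub` does not address what the pasted audit comment records: the exec was ALLOWED only because zsysd is in complain mode and carried `info="no new privs"`, and as far as I know AppArmor refuses a transition to a different profile under NoNewPrivileges regardless of the target, so once this profile leaves `flags=(complain)` the exec will be denied. The realistic options are `rix` (inherit, keeping update-grub under zsysd's rules) or removing `NoNewPrivileges=` from the zsysd unit, and the comment should say which was chosen rather than only quoting the log line. In the second hunk, dropping `owner` from `@{PROC}/@{pids}/stat r,` lets zsysd read every process's stat; if it only needs its clients' entries, `owner` should stay.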