diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 85ce02b6..89af52d3 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{,s}bin/acpid +@{exec_path} = /{usr/,}{s,}bin/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include @@ -20,25 +20,24 @@ profile acpid @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/logger rix, + /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh, + /etc/acpi/{,**} r, /etc/acpi/handler.sh rix, - /dev/input/{,**} r, - /dev/tty rw, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid r, - owner @{run}/acpid.socket rw, owner @{run}/acpid.pid rw, - /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh, + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/loginuid r, + + /dev/input/{,**} r, + /dev/tty rw, include if exists } profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { - /etc/acpi/powerbtn-acpi-support.sh r, include include @@ -47,16 +46,8 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { ptrace (read), # unconfined, tighten later, TODO - deny / r, + /etc/acpi/powerbtn-acpi-support.sh r, - @{PROC} r, - @{PROC}/uptime r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - - /usr/share/acpi-support/** r, - /{usr/,}bin/sed rix, /{usr/,}bin/pgrep rix, /{usr/,}bin/{,e}grep rix, @@ -72,14 +63,25 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) { /{usr/,}bin/fgconsole rCx, profile fgconsole /usr/bin/fgconsole { - /{usr/,}bin/fgconsole r, include capability sys_tty_config, + /{usr/,}bin/fgconsole r, + /dev/tty rw, owner /dev/tty[0-9]* rw, } - include if exists + /usr/share/acpi-support/** r, + + deny / r, + + @{PROC} r, + @{PROC}/uptime r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + + include if exists }