mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 08:58:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(abs): add the app/kmod abstraction.

Browse source
This commit is contained in:
Alexandre Pujol 2024-06-16 21:50:48 +01:00
parent cb4f3af58e
commit 13b35b156e
Failed to generate hash of commit
14 changed files with 53 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
apparmor.d/abstractions/app/kmod Normal file
View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/consoles>
@{bin}/kmod mr,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
/etc/depmod.d/ r,
/etc/depmod.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{PROC}/cmdline r,
@{PROC}/modules r,
include if exists <abstractions/app/kmod.d>
# vim:syntax=apparmor

7
apparmor.d/groups/children/child-modprobe-nvidia
View file

@ -57,14 +57,11 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/app/kmod>
capability mknod, capability mknod,
# capability sys_module, # capability sys_module,
@{bin}/kmod mr,
/etc/modprobe.d/{,*.conf} r,
/etc/nvidia/{current,legacy*,tesla*}/*.conf r, /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
# @{sys}/module/ipmi_devintf/initstate r, # @{sys}/module/ipmi_devintf/initstate r,
@ -72,8 +69,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
# @{sys}/module/{drm,nvidia}/initstate r, # @{sys}/module/{drm,nvidia}/initstate r,
@{sys}/module/compression r, @{sys}/module/compression r,
@{PROC}/cmdline r,
include if exists <local/child-modprobe-nvidia_kmod> include if exists <local/child-modprobe-nvidia_kmod>
} }

10
apparmor.d/groups/freedesktop/cpupower
View file

@ -43,15 +43,9 @@ profile cpupower @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr, include if exists <local/cpupower_kmod>
@{PROC}/cmdline r,
#@{PROC}/modules r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
} }
include if exists <local/cpupower> include if exists <local/cpupower>

10
apparmor.d/profiles-a-f/check-bios-nx
View file

@ -32,17 +32,11 @@ profile check-bios-nx @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
@{lib}/modules/*/modules.* r, @{lib}/modules/*/modules.* r,
@{PROC}/cmdline r, include if exists <local/check-bios-nx_kmod>
} }
include if exists <local/check-bios-nx> include if exists <local/check-bios-nx>

10
apparmor.d/profiles-a-f/dkms
View file

@ -97,20 +97,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/app/kmod>
@{bin}/kmod mr,
@{PROC}/cmdline r,
/etc/depmod.d/{,*} r,
@{lib}/modules/*/modules.* rw, @{lib}/modules/*/modules.* rw,
/var/lib/dkms/**/module/*.ko* r, /var/lib/dkms/**/module/*.ko* r,
owner /boot/System.map-* r, owner /boot/System.map-* r,
owner @{tmp}/tmp.* r, audit owner @{tmp}/tmp.* r,
@{sys}/module/compression r, @{sys}/module/compression r,

6
apparmor.d/profiles-g-l/hardinfo
View file

@ -184,15 +184,13 @@ profile hardinfo @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
@{sys}/module/** r, @{sys}/module/** r,
@{PROC}/cmdline r,
@{PROC}/modules r,
@{PROC}/ioports r, @{PROC}/ioports r,
include if exists <local/hardinfo_kmod>
} }
include if exists <local/hardinfo> include if exists <local/hardinfo>

11
apparmor.d/profiles-g-l/hwinfo
View file

@ -68,20 +68,13 @@ profile hwinfo @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/app/kmod>
@{bin}/kmod mr,
/etc/modprobe.d/{,*.conf} r,
owner @{tmp}/hwinfo*.txt rw, owner @{tmp}/hwinfo*.txt rw,
@{sys}/devices/@{pci}/drm/card@{int}/ r, @{sys}/devices/@{pci}/drm/card@{int}/ r,
@{PROC}/cmdline r, include if exists <local/hwinfo_kmod>
@{PROC}/modules r,
include if exists <local/hwinfo_udevadm>
} }
profile udevadm { profile udevadm {

10
apparmor.d/profiles-g-l/ifup
View file

@ -96,17 +96,11 @@ profile ifup @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
@{sys}/module/** r, @{sys}/module/** r,
@{PROC}/cmdline r, include if exists <local/ifup_kmod>
@{PROC}/modules r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
} }
profile sysctl { profile sysctl {

6
apparmor.d/profiles-g-l/inxi
View file

@ -145,11 +145,7 @@ profile inxi @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
@{PROC}/cmdline r,
@{PROC}/modules r,
include if exists <local/inxi_kmod> include if exists <local/inxi_kmod>
} }

27
apparmor.d/profiles-g-l/kernel-install
View file

@ -33,7 +33,14 @@ profile kernel-install @{exec_path} {
/etc/kernel/install.d/ r, /etc/kernel/install.d/ r,
/etc/kernel/install.d/*.install rix, /etc/kernel/install.d/*.install rix,
owner @{tmp}/sh-thd.* rw, @{lib}/os-release r,
/etc/kernel/cmdline r,
/etc/kernel/tries r,
/etc/machine-id r,
/etc/os-release r,
/var/lib/dbus/machine-id r,
@{lib}/modules/*/modules.* w,
owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/{vmlinuz,initrd.img}-* r,
owner /boot/[a-f0-9]*/*/ rw, owner /boot/[a-f0-9]*/*/ rw,
@ -42,25 +49,15 @@ profile kernel-install @{exec_path} {
owner /boot/loader/entries/ rw, owner /boot/loader/entries/ rw,
owner /boot/loader/entries/*.conf w, owner /boot/loader/entries/*.conf w,
@{lib}/modules/*/modules.* w, owner @{tmp}/sh-thd.* rw,
/etc/os-release r,
@{lib}/os-release r,
/etc/kernel/tries r,
/etc/kernel/cmdline r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
/var/lib/dbus/machine-id r, profile kmod {
/etc/machine-id r,
profile kmod flags=(complain) {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr, include if exists <local/kernel-install_kmod>
} }
include if exists <local/kernel-install> include if exists <local/kernel-install>

11
apparmor.d/profiles-g-l/kvm-ok
View file

@ -32,16 +32,9 @@ profile kvm-ok @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr, include if exists <local/kvm-ok_kmod>
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
@{PROC}/cmdline r,
} }
include if exists <local/kvm-ok> include if exists <local/kvm-ok>

11
apparmor.d/profiles-m-r/mkinitramfs
View file

@ -159,16 +159,7 @@ profile mkinitramfs @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/app/kmod>
@{bin}/kmod mr,
@{PROC}/cmdline r,
/etc/depmod.d/ r,
/etc/depmod.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r, owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw, owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,

8
apparmor.d/profiles-s-z/sensors-detect
View file

@ -48,13 +48,7 @@ profile sensors-detect @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
@{lib}/modprobe.d/{,*.conf} r,
/etc/modprobe.d/{,*.conf} r,
@{PROC}/cmdline r,
include if exists <local/sensors-detect_udevadm> include if exists <local/sensors-detect_udevadm>
} }

9
apparmor.d/profiles-s-z/spectre-meltdown-checker
View file

@ -168,20 +168,13 @@ profile spectre-meltdown-checker @{exec_path} {
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/app/kmod>
capability sys_module, capability sys_module,
owner @{sys}/module/cpuid/** r, owner @{sys}/module/cpuid/** r,
owner @{sys}/module/msr/** r, owner @{sys}/module/msr/** r,
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{PROC}/cmdline r,
include if exists <local/spectre-meltdown-checker_kmod> include if exists <local/spectre-meltdown-checker_kmod>
} }