mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-18 00:48:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(abs): add the app/kmod abstraction.

Browse source
This commit is contained in:
Alexandre Pujol 2024-06-16 21:50:48 +01:00
parent cb4f3af58e
commit 13b35b156e
Failed to generate hash of commit
14 changed files with 53 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
apparmor.d/abstractions/app/kmod Normal file
View file

@ -0,0 +1,22 @@
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
include <abstractions/consoles>
@{bin}/kmod mr,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
/etc/depmod.d/ r,
/etc/depmod.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{PROC}/cmdline r,
@{PROC}/modules r,
include if exists <abstractions/app/kmod.d>
# vim:syntax=apparmor

7
apparmor.d/groups/children/child-modprobe-nvidia
View file

@ -57,14 +57,11 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app/kmod>
capability mknod,
# capability sys_module,
@{bin}/kmod mr,
/etc/modprobe.d/{,*.conf} r,
/etc/nvidia/{current,legacy*,tesla*}/*.conf r,
# @{sys}/module/ipmi_devintf/initstate r,
@ -72,8 +69,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
# @{sys}/module/{drm,nvidia}/initstate r,
@{sys}/module/compression r,
@{PROC}/cmdline r,
include if exists <local/child-modprobe-nvidia_kmod>
}

10
apparmor.d/groups/freedesktop/cpupower
View file

@ -43,15 +43,9 @@ profile cpupower @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
@{PROC}/cmdline r,
#@{PROC}/modules r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
include if exists <local/cpupower_kmod>
}
include if exists <local/cpupower>

10
apparmor.d/profiles-a-f/check-bios-nx
View file

@ -32,17 +32,11 @@ profile check-bios-nx @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
@{lib}/modules/*/modules.* r,
@{PROC}/cmdline r,
include if exists <local/check-bios-nx_kmod>
}
include if exists <local/check-bios-nx>

10
apparmor.d/profiles-a-f/dkms
View file

@ -97,20 +97,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/kmod mr,
@{PROC}/cmdline r,
/etc/depmod.d/{,*} r,
include <abstractions/app/kmod>
@{lib}/modules/*/modules.* rw,
/var/lib/dkms/**/module/*.ko* r,
owner /boot/System.map-* r,
owner @{tmp}/tmp.* r,
audit owner @{tmp}/tmp.* r,
@{sys}/module/compression r,

6
apparmor.d/profiles-g-l/hardinfo
View file

@ -184,15 +184,13 @@ profile hardinfo @{exec_path} {
profile kmod {
include <abstractions/base>
@{bin}/kmod mr,
include <abstractions/app/kmod>
@{sys}/module/** r,
@{PROC}/cmdline r,
@{PROC}/modules r,
@{PROC}/ioports r,
include if exists <local/hardinfo_kmod>
}
include if exists <local/hardinfo>

11
apparmor.d/profiles-g-l/hwinfo
View file

@ -68,20 +68,13 @@ profile hwinfo @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/kmod mr,
/etc/modprobe.d/{,*.conf} r,
include <abstractions/app/kmod>
owner @{tmp}/hwinfo*.txt rw,
@{sys}/devices/@{pci}/drm/card@{int}/ r,
@{PROC}/cmdline r,
@{PROC}/modules r,
include if exists <local/hwinfo_udevadm>
include if exists <local/hwinfo_kmod>
}
profile udevadm {

10
apparmor.d/profiles-g-l/ifup
View file

@ -96,17 +96,11 @@ profile ifup @{exec_path} {
profile kmod {
include <abstractions/base>
@{bin}/kmod mr,
include <abstractions/app/kmod>
@{sys}/module/** r,
@{PROC}/cmdline r,
@{PROC}/modules r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
include if exists <local/ifup_kmod>
}
profile sysctl {

6
apparmor.d/profiles-g-l/inxi
View file

@ -145,11 +145,7 @@ profile inxi @{exec_path} {
profile kmod {
include <abstractions/base>
@{bin}/kmod mr,
@{PROC}/cmdline r,
@{PROC}/modules r,
include <abstractions/app/kmod>
include if exists <local/inxi_kmod>
}

27
apparmor.d/profiles-g-l/kernel-install
View file

@ -33,7 +33,14 @@ profile kernel-install @{exec_path} {
/etc/kernel/install.d/ r,
/etc/kernel/install.d/*.install rix,
owner @{tmp}/sh-thd.* rw,
@{lib}/os-release r,
/etc/kernel/cmdline r,
/etc/kernel/tries r,
/etc/machine-id r,
/etc/os-release r,
/var/lib/dbus/machine-id r,
@{lib}/modules/*/modules.* w,
owner /boot/{vmlinuz,initrd.img}-* r,
owner /boot/[a-f0-9]*/*/ rw,
@ -42,25 +49,15 @@ profile kernel-install @{exec_path} {
owner /boot/loader/entries/ rw,
owner /boot/loader/entries/*.conf w,
@{lib}/modules/*/modules.* w,
owner @{tmp}/sh-thd.* rw,
/etc/os-release r,
@{lib}/os-release r,
/etc/kernel/tries r,
/etc/kernel/cmdline r,
@{PROC}/cmdline r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
profile kmod flags=(complain) {
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
include if exists <local/kernel-install_kmod>
}
include if exists <local/kernel-install>

11
apparmor.d/profiles-g-l/kvm-ok
View file

@ -32,16 +32,9 @@ profile kvm-ok @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/app/kmod>
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{lib}/modprobe.d/ r,
@{lib}/modprobe.d/*.conf r,
@{PROC}/cmdline r,
include if exists <local/kvm-ok_kmod>
}
include if exists <local/kvm-ok>

11
apparmor.d/profiles-m-r/mkinitramfs
View file

@ -159,16 +159,7 @@ profile mkinitramfs @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
@{bin}/kmod mr,
@{PROC}/cmdline r,
/etc/depmod.d/ r,
/etc/depmod.d/*.conf r,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
include <abstractions/app/kmod>
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,

8
apparmor.d/profiles-s-z/sensors-detect
View file

@ -48,13 +48,7 @@ profile sensors-detect @{exec_path} {
profile kmod {
include <abstractions/base>
@{bin}/kmod mr,
@{lib}/modprobe.d/{,*.conf} r,
/etc/modprobe.d/{,*.conf} r,
@{PROC}/cmdline r,
include <abstractions/app/kmod>
include if exists <local/sensors-detect_udevadm>
}

9
apparmor.d/profiles-s-z/spectre-meltdown-checker
View file

@ -168,20 +168,13 @@ profile spectre-meltdown-checker @{exec_path} {
profile kmod {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/app/kmod>
capability sys_module,
owner @{sys}/module/cpuid/** r,
owner @{sys}/module/msr/** r,
@{bin}/kmod mr,
/etc/modprobe.d/ r,
/etc/modprobe.d/*.conf r,
@{PROC}/cmdline r,
include if exists <local/spectre-meltdown-checker_kmod>
}