mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-12-24 14:06:47 +01:00
feat: improve dbus integration for chsh, better handling of generic needrestart.
parent
3690a4c327
commit
14e9fea29a
5 changed files with 12 additions and 3 deletions
2
.github/local/needrestart
vendored
Normal file
|
@ -0,0 +1,2 @@
|
|||
|
||||
/var/lib/waagent/** r,
|
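Review bot: The only rule in this new local override, `/var/lib/waagent/** r,`, gives needrestart recursive read over the whole Azure agent state directory, and nothing in the file says why. That directory commonly holds provisioning data and certificate/key material as well as the agent's own files, so if needrestart only needs to inspect executables running from there (my inference for a hosted runner), a narrower glob would be enough. At minimum put a comment above the rule, e.g. `# GitHub-hosted runners only: needrestart inspects agent processes started from this directory`, so the rule is not copied into a real host's local override. The workflow section installs this file to `/etc/apparmor.d/local/needrestart`, so as far as the visible lines show the grant is limited to CI.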
1
.github/workflows/main.yml
vendored
|
@ -94,6 +94,7 @@ jobs:
|
|||
sudo apt-get install -y \
|
||||
apparmor-profiles apparmor-utils \
|
||||
bats bats-support
|
||||
sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart
|
||||
|
||||
- name: Install apparmor.d
|
||||
run: |
|
||||
|
|
|
@ -10,18 +10,24 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/chsh
|
||||
profile chsh @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/authentication>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/consoles>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/wutmp>
|
||||
|
||||
capability audit_write,
|
||||
capability chown,
|
||||
capability fsetid,
|
||||
capability net_admin,
|
||||
capability setuid,
|
||||
|
||||
network netlink raw,
|
||||
|
||||
unix type=stream addr=@@{udbus}/bus/chsh/system,
|
||||
|
||||
#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
/etc/shells r,
|
||||
|
|
|
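Review bot: The `#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed` directive has no comment explaining why chsh talks to systemd-homed, and as written it names the whole `org.freedesktop.home1` service rather than a specific interface or path. The +/- markers are lost on this page, so I am assuming this line, the `unix type=stream addr=@@{udbus}/bus/chsh/system,` rule and `include <abstractions/bus-system>` are among the additions. A one-line comment such as `# chsh changes the shell of homed-managed users through systemd-homed` (if that is the reason) would make the grant auditable. It is also worth checking whether the generated rules can be limited to the interface chsh actually calls. The profile body continues past the end of the hunk.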
@ -26,6 +26,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/* r,
|
||||
@{sh_path} rix,
|
||||
@{bin}/dpkg-query rpx,
|
||||
@{bin}/fail2ban-server rPx,
|
||||
|
@ -42,8 +43,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
|
|||
@{lib}/needrestart/* rPx,
|
||||
/usr/share/debconf/frontend rix,
|
||||
|
||||
@{bin}/networkd-dispatcher r,
|
||||
@{bin}/gettext.sh r,
|
||||
/usr/share/needrestart/{,**} r,
|
||||
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
|
||||
|
||||
|
|
|
@ -93,6 +93,7 @@ profile snapd @{exec_path} {
|
|||
@{lib_dirs}/snapd/snap-update-ns rPx,
|
||||
|
||||
/usr/share/bash-completion/{,**} r,
|
||||
/usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw,
|
||||
/usr/share/dbus-1/{system,session}.d/{,snapd*} r,
|
||||
/usr/share/dbus-1/services/*snap* r,
|
||||
/usr/share/polkit-1/actions/{,**/} r,
|
||||
|
|
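Review bot: `/usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw,` has a doubled `.d.d` in the directory name, which looks like a typo next to the `{system,session}.d/{,snapd*} r,` rule on the following line. If the intended directory is `system.d`/`session.d`, the rule as written never matches and writes to snapd's service conf files would still be denied; it would read `/usr/share/dbus-1/{system,session}.d/snapd.{system,session}-services.conf* rw,`. If `.d.d` is a real path snapd uses, a comment saying so would stop the next reader from "fixing" it. The +/- markers are not visible here, so I cannot tell from the page whether this line is new in this commit or existing context; the snapd profile body starts and ends outside the hunk.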