feat: improve dbus integration for chsh, better handling of generic needrestart.

Alexandre Pujol 2024-12-11 23:17:27 +01:00 committed by Alex
parent 3690a4c327
commit 14e9fea29a
5 changed files with 12 additions and 3 deletions

2
.github/local/needrestart vendored Normal file

@ -0,0 +1,2 @@
/var/lib/waagent/** r,
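Review bot: The override grants needrestart recursive read on all of `/var/lib/waagent/**`, which is wider than a process scan normally needs; on Azure-hosted machines that directory is known to hold the agent's provisioning data and certificate material as well as its code. If the denials seen on the runner concern only the agent's own scripts, a rule limited to those paths would keep the profile tested in CI closer to the shipped one. The file also has no comment; a first line such as `# CI only: GitHub-hosted runners run the Azure Linux agent, whose files needrestart inspects` would record why it exists and that it is not meant for the distributed profile. The reason is inferred from the path, so the wording should follow the actual denial.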


@ -94,6 +94,7 @@ jobs:
sudo apt-get install -y \
apparmor-profiles apparmor-utils \
bats bats-support
sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart
- name: Install apparmor.d
run: |


@ -10,18 +10,24 @@ include <tunables/global>
@{exec_path} = @{bin}/chsh
profile chsh @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/authentication>
include <abstractions/bus-system>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/wutmp>
capability audit_write,
capability chown,
capability fsetid,
capability net_admin,
capability setuid,
network netlink raw,
unix type=stream addr=@@{udbus}/bus/chsh/system,
#aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
@{exec_path} mr,
/etc/shells r,
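Review bot: `capability net_admin,` looks new in this hunk (the +/- markers are lost on this page, so this is inferred from the line counts) and is a broad grant for a tool that edits the account database, in a change described as D-Bus integration. If it was added only because the bus client library tries to force socket buffer sizes on the new connection, that call normally degrades gracefully when refused, so `deny capability net_admin,` or at least a trailing comment naming the reason would keep the profile least-privilege. The new `unix type=stream addr=@@{udbus}/bus/chsh/system,` rule also names no access mode; if only binding the client socket is needed, `unix bind type=stream addr=@@{udbus}/bus/chsh/system,` is tighter. The profile body continues past the end of the hunk.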


@ -26,6 +26,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{exec_path} mrix,
@{bin}/* r,
@{sh_path} rix,
@{bin}/dpkg-query rpx,
@{bin}/fail2ban-server rPx,
@ -42,8 +43,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
@{lib}/needrestart/* rPx,
/usr/share/debconf/frontend rix,
@{bin}/networkd-dispatcher r,
@{bin}/gettext.sh r,
/usr/share/needrestart/{,**} r,
/usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
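Review bot: `@{bin}/* r,` in the first hunk gives needrestart read access to every file directly under the binary directories, and it has no comment saying why. It apparently replaces per-file rules such as those for `networkd-dispatcher` and `gettext.sh` in the second hunk (the page has lost its +/- markers, so which lines changed is inferred from the counts). Read-only access there is low risk, but a line such as `# needrestart reads the scripts of running interpreters to detect outdated ones` above the rule would tell a later reviewer the glob is intentionally broad. Any remaining single-file `@{bin}/... r,` rules outside these hunks would now be redundant and could be dropped in the same pass. The profile starts and ends outside both hunks.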


@ -93,6 +93,7 @@ profile snapd @{exec_path} {
@{lib_dirs}/snapd/snap-update-ns rPx,
/usr/share/bash-completion/{,**} r,
/usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw,
/usr/share/dbus-1/{system,session}.d/{,snapd*} r,
/usr/share/dbus-1/services/*snap* r,
/usr/share/polkit-1/actions/{,**/} r,
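Review bot: The rule `/usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw,` has a doubled `.d` in the directory name, while the next rule reads from `{system,session}.d/`. Unless a `system.d.d` directory is really intended, the write rule matches nothing under `/usr/share/dbus-1/system.d/`, so a write by snapd to its services file there would be denied under enforcement. The likely intended line is `/usr/share/dbus-1/{system,session}.d/snapd.{system,session}-services.conf* rw,`. The profile continues on both sides of the hunk.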