feat(profile): improve some core profiles.
This commit is contained in:
parent
3cc7f82d30
commit
212b8dcf54
3 changed files with 18 additions and 27 deletions
@ -27,11 +27,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system,
#aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
# No label available
dbus send bus=system path=/org/freedesktop/network@{int}
dbus send bus=system path=/org/freedesktop/network1{,/**}
interface=org.freedesktop.DBus.Properties
member=Get
peer=(name=org.freedesktop.network@{int}),
peer=(name=org.freedesktop.network1),
@{exec_path} mr,
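Review bot: The `peer=(name=org.freedesktop.network1)` on the `org.freedesktop.DBus.Properties` `Get` send rule still carries no `label=`, while the `#aa:dbus talk` directive a few lines above binds the same bus name to `label=systemd-networkd`. If that Properties call reaches the same daemon, `peer=(name=org.freedesktop.network1, label=systemd-networkd),` keeps the hand-written rule as tight as the generated ones; if the `# No label available` comment means the peer is genuinely unconfined in some configuration, the comment should say why so the omission is not read as an oversight. Narrowing the name from `network@{int}` to `network1` and the path to `/org/freedesktop/network1{,/**}` is a good step in the same direction. The profile header and the rest of its body are outside this hunk.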
@ -12,19 +12,9 @@ profile cgrulesengd @{exec_path} {
include <abstractions/base>
include <abstractions/nameservice-strict>
# For creating Unix domain sockets/IPC sockets:
# socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
# ...
# bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation
# not permitted)
capability net_admin,
# To remove the following errors:
# readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied)
capability sys_ptrace,
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search,
capability net_admin,
capability sys_ptrace,
network netlink dgram,
@ -32,22 +22,22 @@ profile cgrulesengd @{exec_path} {
@{exec_path} mr,
@{sys}/fs/cgroup/**/tasks w,
/etc/cgconfig.conf r,
/etc/cgconfig.d/{,*} r,
/etc/cgrules.conf r,
/etc/cgrules.d/{,*} r,
owner @{run}/cgred.socket w,
@{sys}/fs/cgroup/** rw,
@{PROC}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/cgroups r,
@{sys}/fs/cgroup/unified/cgroup.controllers r,
owner @{run}/cgred.socket w,
/etc/cgconfig.conf r,
/etc/cgrules.conf r,
/etc/cgconfig.d/ r,
owner @{PROC}/@{pid}/mounts r,
include if exists <local/cgrulesengd>
}
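Review bot: `@{sys}/fs/cgroup/** rw,` appears to be the new-side replacement for the old `@{sys}/fs/cgroup/**/tasks w,` and `.../unified/cgroup.controllers r,`, and it grants write access to every control file in the cgroup tree (memory and cpu limits, `cgroup.subtree_control`, release-agent settings) rather than only the task-placement files a rules engine needs. If those extra writes are not actually used, `@{sys}/fs/cgroup/** r,` together with `@{sys}/fs/cgroup/**/{tasks,cgroup.procs} w,` keeps the hunk's intent while limiting the daemon to moving processes; if cgrulesengd really does rewrite other knobs, a comment naming which ones would justify the glob. Dropping the strace transcripts also removes the only stated reason for `capability net_admin` and `capability sys_ptrace`; a one-liner such as `# net_admin: bind NETLINK_CONNECTOR socket for proc events, sys_ptrace: readlink /proc/<pid>/exe` would keep that rationale next to the grants. The profile header is outside these hunks.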
@ -26,11 +26,13 @@ profile chsh @{exec_path} {
/etc/shells r,
/etc/.chsh.@{rand6} rw,
/etc/passwd rw,
/etc/passwd- w,
/etc/passwd+ rw,
/etc/passwd.@{pid} w,
/etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/passwd.OLD wl -> /etc/passwd,
/etc/passwd+ rw,
/etc/shadow r,
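Review bot: The new `/etc/passwd.@{pid}`, `/etc/passwd.lock`, `/etc/passwd.OLD`, `/etc/passwd+` and `/etc/.chsh.@{rand6}` rules encode a specific lock-and-replace sequence for a setuid editor of /etc/passwd, but nothing in the hunk says so, and the next maintainer hitting a denial will be tempted to collapse them into `/etc/passwd* rw,`. A one-line comment above the group, such as `# Lock file, per-pid lock helper, backup and scratch copy used while rewriting /etc/passwd`, would preserve the reason for the enumerated names. The `->` targets on the two `wl` rules pin each link to the matching passwd file, which is the right shape for a setuid tool writing into /etc. The profile header and the rest of the body are outside this hunk.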