feat(profile): improve some core profiles.

This commit is contained in:
Alexandre Pujol 2024-11-29 15:34:10 +00:00
parent 3cc7f82d30
commit 212b8dcf54
3 changed files with 18 additions and 27 deletions


@ -27,11 +27,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system,
#aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
# No label available dbus send bus=system path=/org/freedesktop/network1{,/**}
dbus send bus=system path=/org/freedesktop/network@{int}
interface=org.freedesktop.DBus.Properties interface=org.freedesktop.DBus.Properties
member=Get member=Get
peer=(name=org.freedesktop.network@{int}), peer=(name=org.freedesktop.network1),
@{exec_path} mr, @{exec_path} mr,
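Review bot: The rewritten `dbus send` rule on the `path=/org/freedesktop/network1{,/**}` line still identifies its peer only by well-known name, `peer=(name=org.freedesktop.network1)`, with no `label=`, while the `# No label available` comment that documented that omission is dropped, so the next reader sees an unlabeled peer next to a commented-out `#aa:dbus talk ... label=systemd-networkd` directive and no explanation. Without a label the rule accepts whichever process D-Bus lets own that name; presumably the label is omitted because systemd-networkd is not confined on every target — confirm. Keep the reason in the profile, e.g. `# peer label= omitted: systemd-networkd is not confined on all supported distributions` above the rule. The `networkctl` profile body continues outside this hunk.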


@ -12,19 +12,9 @@ profile cgrulesengd @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
# For creating Unix domain sockets/IPC sockets:
# socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
# ...
# bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation
# not permitted)
capability net_admin,
# To remove the following errors:
# readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied)
capability sys_ptrace,
# To be able to read the /proc/ files of all processes in the system.
capability dac_read_search, capability dac_read_search,
capability net_admin,
capability sys_ptrace,
network netlink dgram, network netlink dgram,
@ -32,22 +22,22 @@ profile cgrulesengd @{exec_path} {
@{exec_path} mr, @{exec_path} mr,
@{sys}/fs/cgroup/**/tasks w,
/etc/cgconfig.conf r,
/etc/cgconfig.d/{,*} r,
/etc/cgrules.conf r,
/etc/cgrules.d/{,*} r,
owner @{run}/cgred.socket w,
@{sys}/fs/cgroup/** rw,
@{PROC}/ r, @{PROC}/ r,
@{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pid}/mounts r,
@{PROC}/cgroups r, @{PROC}/cgroups r,
owner @{PROC}/@{pid}/mounts r,
@{sys}/fs/cgroup/unified/cgroup.controllers r,
owner @{run}/cgred.socket w,
/etc/cgconfig.conf r,
/etc/cgrules.conf r,
/etc/cgconfig.d/ r,
include if exists <local/cgrulesengd> include if exists <local/cgrulesengd>
} }
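Review bot: `@{sys}/fs/cgroup/** rw,` replaces the former `@{sys}/fs/cgroup/**/tasks w,` and `@{sys}/fs/cgroup/unified/cgroup.controllers r,`, so the daemon now gets write access to every cgroup control file instead of just the task-placement files; on a v1 hierarchy that includes `release_agent`, and on v2 it includes `cgroup.subtree_control` and the resource-limit knobs, which a compromised cgrulesengd — which also holds `net_admin` and `sys_ptrace` in this profile — could use to break out of its confinement. Narrow the write side to what the rules engine needs to move processes: `@{sys}/fs/cgroup/** r,` and `@{sys}/fs/cgroup/**/{tasks,cgroup.procs} w,` (confirm whether libcgroup writes `cgroup.procs` on v2 before dropping it). The strace-derived comments that justified `net_admin` and `sys_ptrace` are also gone; a one-line rationale per capability such as `# net_admin: bind NETLINK_CONNECTOR socket for process events` keeps that audit trail. The profile closes at the end of this hunk, so the rules above are the complete set.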


@ -26,11 +26,13 @@ profile chsh @{exec_path} {
/etc/shells r, /etc/shells r,
/etc/.chsh.@{rand6} rw,
/etc/passwd rw, /etc/passwd rw,
/etc/passwd- w, /etc/passwd- w,
/etc/passwd+ rw,
/etc/passwd.@{pid} w, /etc/passwd.@{pid} w,
/etc/passwd.lock wl -> /etc/passwd.@{pid}, /etc/passwd.lock wl -> /etc/passwd.@{pid},
/etc/passwd.OLD wl -> /etc/passwd,
/etc/passwd+ rw,
/etc/shadow r, /etc/shadow r,
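Review bot: The new `/etc/.chsh.@{rand6} rw,` line carries no comment saying what the file is, and because `@{rand6}` admits any six-character suffix a reader cannot tell from the rule whether it is a temporary copy of `/etc/passwd` or a lock file. Presumably it is the mkstemp-style temp file chsh writes before renaming it over `/etc/passwd` — confirm against the util-linux setpwnam code — and a comment like `# temp copy of /etc/passwd created with mkstemp, then renamed over /etc/passwd` would make the intent and the need for `w` explicit. The added `/etc/passwd.OLD wl -> /etc/passwd,` rule would similarly read better with `# backup hard link kept by the password-file rewrite` above it. The `chsh` profile body continues outside this hunk.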