feat(profile): improve some core profiles.
This commit is contained in:
parent
3cc7f82d30
commit
212b8dcf54
3 changed files with 18 additions and 27 deletions
|
@ -27,11 +27,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
|
||||||
unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system,
|
unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system,
|
||||||
|
|
||||||
#aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
|
#aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
|
||||||
# No label available
|
dbus send bus=system path=/org/freedesktop/network1{,/**}
|
||||||
dbus send bus=system path=/org/freedesktop/network@{int}
|
|
||||||
interface=org.freedesktop.DBus.Properties
|
interface=org.freedesktop.DBus.Properties
|
||||||
member=Get
|
member=Get
|
||||||
peer=(name=org.freedesktop.network@{int}),
|
peer=(name=org.freedesktop.network1),
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
|
|
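Review bot: The replacement rule `dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get peer=(name=org.freedesktop.network1),` still names its peer without a `label=`, so it matches whichever confined or unconfined process happens to own org.freedesktop.network1, while the unchanged `#aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd` directive right above it does pin the label. The deleted `# No label available` line was the only explanation of why the explicit rule stays unlabelled, and with the path now widened to `network1{,/**}` that reasoning no longer applies as written. Either add `label=systemd-networkd` to the peer if the Properties.Get really is answered by systemd-networkd, or restore a one-line comment stating why the peer label is deliberately omitted. The networkctl profile block starts and ends outside the hunk.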
@ -12,19 +12,9 @@ profile cgrulesengd @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
# For creating Unix domain sockets/IPC sockets:
|
|
||||||
# socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
|
|
||||||
# ...
|
|
||||||
# bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation
|
|
||||||
# not permitted)
|
|
||||||
capability net_admin,
|
|
||||||
|
|
||||||
# To remove the following errors:
|
|
||||||
# readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied)
|
|
||||||
capability sys_ptrace,
|
|
||||||
|
|
||||||
# To be able to read the /proc/ files of all processes in the system.
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
capability net_admin,
|
||||||
|
capability sys_ptrace,
|
||||||
|
|
||||||
network netlink dgram,
|
network netlink dgram,
|
||||||
|
|
||||||
|
@ -32,22 +22,22 @@ profile cgrulesengd @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{sys}/fs/cgroup/**/tasks w,
|
|
||||||
|
/etc/cgconfig.conf r,
|
||||||
|
/etc/cgconfig.d/{,*} r,
|
||||||
|
|
||||||
|
/etc/cgrules.conf r,
|
||||||
|
/etc/cgrules.d/{,*} r,
|
||||||
|
|
||||||
|
owner @{run}/cgred.socket w,
|
||||||
|
|
||||||
|
@{sys}/fs/cgroup/** rw,
|
||||||
|
|
||||||
@{PROC}/ r,
|
@{PROC}/ r,
|
||||||
@{PROC}/@{pids}/cmdline r,
|
@{PROC}/@{pids}/cmdline r,
|
||||||
@{PROC}/@{pids}/task/ r,
|
@{PROC}/@{pids}/task/ r,
|
||||||
owner @{PROC}/@{pid}/mounts r,
|
|
||||||
@{PROC}/cgroups r,
|
@{PROC}/cgroups r,
|
||||||
|
owner @{PROC}/@{pid}/mounts r,
|
||||||
@{sys}/fs/cgroup/unified/cgroup.controllers r,
|
|
||||||
|
|
||||||
owner @{run}/cgred.socket w,
|
|
||||||
|
|
||||||
/etc/cgconfig.conf r,
|
|
||||||
/etc/cgrules.conf r,
|
|
||||||
/etc/cgconfig.d/ r,
|
|
||||||
|
|
||||||
|
|
||||||
include if exists <local/cgrulesengd>
|
include if exists <local/cgrulesengd>
|
||||||
}
|
}
|
||||||
|
|
|
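Review bot: `@{sys}/fs/cgroup/** rw,` in the second hunk replaces `@{sys}/fs/cgroup/**/tasks w,` and thereby grants write access to every control file under the cgroup tree (limits, controller settings), not only the process-placement files the old rule covered; if the daemon only needs to move processes, the narrower pair `@{sys}/fs/cgroup/** r,` and `@{sys}/fs/cgroup/**/{tasks,cgroup.procs} w,` keeps the same functionality, otherwise a comment stating why full rw is required would help a reviewer judge the widening. In the first hunk the rationale comments for `capability net_admin,` (bind on the NETLINK_CONNECTOR socket returning EPERM) and `capability sys_ptrace,` (readlink of /proc/@{pid}/exe) are dropped while the capabilities are kept, so the profile no longer documents why it holds two powerful capabilities; keeping a one-line reason per capability, e.g. `# net_admin: bind() on the NETLINK_CONNECTOR socket fails with EPERM without it` and `# sys_ptrace: readlink(/proc/@{pid}/exe) on other processes`, would preserve that. The cgrulesengd profile block begins before the first hunk; the second hunk shows its closing brace.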
@ -26,11 +26,13 @@ profile chsh @{exec_path} {
|
||||||
|
|
||||||
/etc/shells r,
|
/etc/shells r,
|
||||||
|
|
||||||
|
/etc/.chsh.@{rand6} rw,
|
||||||
/etc/passwd rw,
|
/etc/passwd rw,
|
||||||
/etc/passwd- w,
|
/etc/passwd- w,
|
||||||
/etc/passwd+ rw,
|
|
||||||
/etc/passwd.@{pid} w,
|
/etc/passwd.@{pid} w,
|
||||||
/etc/passwd.lock wl -> /etc/passwd.@{pid},
|
/etc/passwd.lock wl -> /etc/passwd.@{pid},
|
||||||
|
/etc/passwd.OLD wl -> /etc/passwd,
|
||||||
|
/etc/passwd+ rw,
|
||||||
|
|
||||||
/etc/shadow r,
|
/etc/shadow r,
|
||||||
|
|
||||||
|
|
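Review bot: The new rules `/etc/.chsh.@{rand6} rw,` and `/etc/passwd.OLD wl -> /etc/passwd,` carry no comment saying what these files are, so a later reader cannot tell the temporary copy from the backup without re-tracing chsh; the `wl -> /etc/passwd` form in particular deserves a note because it allows /etc/passwd itself to be linked under a new name. A short comment above the block, e.g. `# Temporary copy (/etc/.chsh.XXXXXX) and backup hard link (passwd.OLD) written while /etc/passwd is replaced`, would keep the intent visible; the two files look like they come from different chsh implementations, which the comment could state if that is confirmed. The chsh profile block starts and ends outside the hunk.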