feat(profile): improve integration with Tumbleweed.
see #576
This commit is contained in:
parent
d9208e0648
commit
25049292eb
11 changed files with 21 additions and 7 deletions
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/fc-list
|
@{exec_path} = @{bin}/fc-list
|
||||||
profile fc-list @{exec_path} {
|
profile fc-list @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/fonts>
|
include <abstractions/fonts>
|
||||||
include <abstractions/fontconfig-cache-read>
|
include <abstractions/fontconfig-cache-read>
|
||||||
|
|
||||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/gpg-agent
|
@{exec_path} = @{bin}/gpg-agent
|
||||||
profile gpg-agent @{exec_path} {
|
profile gpg-agent @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
signal (receive) peer=pinentry-*,
|
signal (receive) peer=pinentry-*,
|
||||||
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/gpgsm
|
@{exec_path} = @{bin}/gpgsm
|
||||||
profile gpgsm @{exec_path} {
|
profile gpgsm @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
capability dac_read_search,
|
capability dac_read_search,
|
||||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/systemd-escape
|
@{exec_path} = @{bin}/systemd-escape
|
||||||
profile systemd-escape @{exec_path} {
|
profile systemd-escape @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/common/systemd>
|
include <abstractions/common/systemd>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
|
@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
@{lib}/udev/#@{int} rwl,
|
@{lib}/udev/#@{int} rwl,
|
||||||
@{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
|
@{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
|
||||||
@{lib}/udev/hwdb.bin w,
|
@{lib}/udev/hwdb.bin w,
|
||||||
|
|
||||||
/etc/udev/.#hwdb.bind* rw,
|
/etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},
|
||||||
/etc/udev/hwdb.bin rw,
|
/etc/udev/hwdb.bin w,
|
||||||
/etc/udev/hwdb.d/{,*} r,
|
/etc/udev/hwdb.d/{,*} r,
|
||||||
|
|
||||||
owner @{PROC}/@{pid}/stat r,
|
owner @{PROC}/@{pid}/stat r,
|
||||||
|
|
|
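Review bot: The new link rule `/etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},` names `/etc/udev/#@{int}` as the link target, but nothing in this hunk grants access to that path, whereas the equivalent `@{lib}` link directly above it is backed by `@{lib}/udev/#@{int} rwl,`. Unless `/etc/udev/#@{int}` is covered elsewhere in the profile, the write to the temporary file and the link to it will still be denied; a matching `/etc/udev/#@{int} rwl,` line would keep the two locations symmetric. Narrowing `/etc/udev/hwdb.bin` from `rw` to `w` and the temp suffix from `@{hex}` to `@{hex16}` is a welcome tightening. The profile body continues outside the hunk.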
@ -64,6 +64,7 @@ profile systemd-journald @{exec_path} {
|
||||||
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
@{run}/udev/data/b259:@{int} r, # Block Extended Major
|
||||||
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
@{run}/udev/data/c1:@{int} r, # For RAM disk
|
||||||
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
@{run}/udev/data/c4:@{int} r, # For TTY devices
|
||||||
|
@{run}/udev/data/b8:@{int} r, # for /dev/sd*
|
||||||
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
@{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
|
||||||
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
@{run}/udev/data/c108:@{int} r, # For /dev/ppp
|
||||||
@{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
|
@{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
|
||||||
|
|
|
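Review bot: The added `@{run}/udev/data/b8:@{int} r, # for /dev/sd*` departs from two conventions visible in the surrounding list: the neighbouring comments start with a capital `For`, and the only other block-device entry (`b259`) sits ahead of the character-device majors, so a `b8` line between `c4` and `c10` reads as out of order. Suggest `@{run}/udev/data/b8:@{int} r, # For /dev/sd*` placed next to the `b259` line. This is inferred from the visible lines only; the rest of the list is outside the hunk.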
@ -19,9 +19,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
# Config file locations
|
# Config file locations
|
||||||
/etc/sysusers.d/*.conf r,
|
/etc/sysusers.d/{,*.conf} r,
|
||||||
@{run}/sysusers.d/*.conf r,
|
@{run}/sysusers.d/{,*.conf} r,
|
||||||
/usr/lib/sysusers.d/*.conf r,
|
/usr/lib/sysusers.d/{,*.conf} r,
|
||||||
|
|
||||||
# Where the users can be created,
|
# Where the users can be created,
|
||||||
/home/{,*} rw,
|
/home/{,*} rw,
|
||||||
|
|
|
@ -40,6 +40,10 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
|
||||||
@{PROC}/partitions r,
|
@{PROC}/partitions r,
|
||||||
@{PROC}/swaps r,
|
@{PROC}/swaps r,
|
||||||
|
|
||||||
|
# Other possible location of the cache file
|
||||||
|
/dev/.blkid.tab{,-@{rand6}} rw,
|
||||||
|
/dev/blkid.tab.old rwl -> /dev/blkid.tab,
|
||||||
|
|
||||||
owner /dev/tty@{int} rw,
|
owner /dev/tty@{int} rw,
|
||||||
|
|
||||||
include if exists <local/blkid>
|
include if exists <local/blkid>
|
||||||
|
|
|
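Review bot: The two added rules do not name the same cache file: `/dev/.blkid.tab{,-@{rand6}} rw,` covers the dot-prefixed file and its temp variant, while `/dev/blkid.tab.old rwl -> /dev/blkid.tab,` links to the undotted `/dev/blkid.tab`, which no rule in this hunk grants access to. If the cache really lives at `/dev/.blkid.tab`, the backup and link target should presumably be `/dev/.blkid.tab.old` and `/dev/.blkid.tab`; if both spellings are genuine, `/dev/blkid.tab` needs its own file rule, following the pattern used in this same commit where `@{lib}/udev/#@{int} rwl,` backs the hwdb link target. Worth confirming against the denial that motivated the change, since the description only points to #576. The profile body continues outside the hunk.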
@ -9,6 +9,7 @@ include <tunables/global>
|
||||||
@{exec_path} = @{bin}/issue-generator
|
@{exec_path} = @{bin}/issue-generator
|
||||||
profile issue-generator @{exec_path} {
|
profile issue-generator @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
|
include <abstractions/consoles>
|
||||||
include <abstractions/nameservice-strict>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
|
@ -8,7 +8,7 @@ abi <abi/4.0>,
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
@{exec_path} = @{bin}/lsblk
|
@{exec_path} = @{bin}/lsblk
|
||||||
profile lsblk @{exec_path} {
|
profile lsblk @{exec_path} flags=(attach_disconnected) {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/consoles>
|
include <abstractions/consoles>
|
||||||
include <abstractions/disks-read>
|
include <abstractions/disks-read>
|
||||||
|
|
|
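Review bot: `flags=(attach_disconnected)` is added to the lsblk profile header without a comment saying which disconnected path it is needed for; the flag is a broad relaxation, since it makes objects with no path in the namespace matchable by the profile's path rules, so a reader cannot tell whether it is required or a workaround for a single denial. A one-line comment above the profile line, e.g. `# attach_disconnected: needed for <DESCRIBE-THE-DISCONNECTED-PATH>`, would make the intent reviewable, and if the denial was one device node or mount a narrower rule may be preferable. The profile body continues outside the hunk.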
@ -13,6 +13,10 @@ profile sync @{exec_path} {
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
|
||||||
|
# Common paths where sync is used to flush all write operations on a single file to disk
|
||||||
|
# TODO: /** rw, ?
|
||||||
|
/boot/initrd-*-default rw,
|
||||||
|
|
||||||
include if exists <local/sync>
|
include if exists <local/sync>
|
||||||
}
|
}
|
||||||
|
|
||||||
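Review bot: `/boot/initrd-*-default rw,` grants write access to the initrd image, and the `# TODO: /** rw, ?` line above it would turn sync into a profile that can write anywhere on the filesystem. If this is coreutils sync, it opens its file arguments read-only first and only falls back to write-only when that fails, so `r` should be tried before widening; suggest `/boot/initrd-*-default r,` and turning the TODO into a note explaining why a blanket `/**` rule was rejected. The profile opening is outside the hunk.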
|
|