feat(profile): improve integration with Tumbleweed.

see #576
This commit is contained in:
Alexandre Pujol 2024-10-23 11:39:49 +01:00
parent d9208e0648
commit 25049292eb
11 changed files with 21 additions and 7 deletions


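--- a/PATH-NOT-ON-PAGE/fc-list
+++ b/PATH-NOT-ON-PAGE/fc-list
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/fc-list
 profile fc-list @{exec_path} {
 include <abstractions/base>
+include <abstractions/consoles>
 include <abstractions/fonts>
 include <abstractions/fontconfig-cache-read>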


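--- a/PATH-NOT-ON-PAGE/gpg-agent
+++ b/PATH-NOT-ON-PAGE/gpg-agent
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/gpg-agent
 profile gpg-agent @{exec_path} {
 include <abstractions/base>
+include <abstractions/consoles>
 include <abstractions/nameservice-strict>
 signal (receive) peer=pinentry-*,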


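--- a/PATH-NOT-ON-PAGE/gpgsm
+++ b/PATH-NOT-ON-PAGE/gpgsm
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/gpgsm
 profile gpgsm @{exec_path} {
 include <abstractions/base>
+include <abstractions/consoles>
 include <abstractions/nameservice-strict>
 capability dac_read_search,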


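--- a/PATH-NOT-ON-PAGE/systemd-escape
+++ b/PATH-NOT-ON-PAGE/systemd-escape
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/systemd-escape
 profile systemd-escape @{exec_path} {
 include <abstractions/base>
+include <abstractions/consoles>
 include <abstractions/common/systemd>
 @{exec_path} mr,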


@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{exec_path} mr, @{exec_path} mr,
@{lib}/udev/#@{int} rwl, @{lib}/udev/#@{int} rwl,
@{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int}, @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
@{lib}/udev/hwdb.bin w, @{lib}/udev/hwdb.bin w,
/etc/udev/.#hwdb.bind* rw, /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},
/etc/udev/hwdb.bin rw, /etc/udev/hwdb.bin w,
/etc/udev/hwdb.d/{,*} r, /etc/udev/hwdb.d/{,*} r,
owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/stat r,
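Review bot: The right-hand `/etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},` line (read here as the new side) links to `/etc/udev/#@{int}`, yet the hunk shows no `/etc/udev/#@{int} rwl,` rule mirroring the `@{lib}/udev/#@{int} rwl,` context line above it. If systemd-hwdb writes its temporary `#@{int}` file under /etc/udev the same way it does under @{lib}/udev, the profile presumably also needs `/etc/udev/#@{int} rwl,` — confirm, as the rule may sit outside the hunk. Narrowing `/etc/udev/hwdb.bin` from `rw` to `w` and replacing the `.#hwdb.bind*` glob with the exact `@{hex16}` form are welcome tightenings.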


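--- a/PATH-NOT-ON-PAGE/systemd-journald
+++ b/PATH-NOT-ON-PAGE/systemd-journald
@@ -64,6 +64,7 @@ profile systemd-journald @{exec_path} {
 @{run}/udev/data/b259:@{int} r, # Block Extended Major
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c4:@{int} r, # For TTY devices
+@{run}/udev/data/b8:@{int} r, # for /dev/sd*
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
 @{run}/udev/data/c108:@{int} r, # For /dev/ppp
 @{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters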
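Review bot: The comment on the added `b8` line starts lowercase (`# for /dev/sd*`) while every neighbouring comment in this list is capitalised, and the line sits among the character-device (`c*`) entries although the hunk keeps the block-device entry (`b259`) above them. Consider `@{run}/udev/data/b8:@{int} r, # For /dev/sd*` placed directly after the `b259` line so block majors stay grouped. The list continues outside the hunk, so a better-matching position may exist there.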


@ -19,9 +19,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
# Config file locations # Config file locations
/etc/sysusers.d/*.conf r, /etc/sysusers.d/{,*.conf} r,
@{run}/sysusers.d/*.conf r, @{run}/sysusers.d/{,*.conf} r,
/usr/lib/sysusers.d/*.conf r, /usr/lib/sysusers.d/{,*.conf} r,
# Where the users can be created, # Where the users can be created,
/home/{,*} rw, /home/{,*} rw,


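--- a/PATH-NOT-ON-PAGE/blkid
+++ b/PATH-NOT-ON-PAGE/blkid
@@ -40,6 +40,10 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 @{PROC}/partitions r,
 @{PROC}/swaps r,
+# Other possible location of the cache file
+/dev/.blkid.tab{,-@{rand6}} rw,
+/dev/blkid.tab.old rwl -> /dev/blkid.tab,
 owner /dev/tty@{int} rw,
 include if exists <local/blkid>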
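Review bot: The added link rule `/dev/blkid.tab.old rwl -> /dev/blkid.tab,` spells both paths without the leading dot that the line above uses for the cache file (`/dev/.blkid.tab{,-@{rand6}}`). If the cache file really is `/dev/.blkid.tab`, its backup hard link would be `/dev/.blkid.tab.old` and this rule would never match, so the backup step would still be denied; if the dotless name is intended, the two lines describe two unrelated files and the comment "Other possible location of the cache file" no longer covers the second. Presumably the intent is `/dev/.blkid.tab.old rwl -> /dev/.blkid.tab,` — confirm against the cache file name the tool actually writes.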


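--- a/PATH-NOT-ON-PAGE/issue-generator
+++ b/PATH-NOT-ON-PAGE/issue-generator
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/issue-generator
 profile issue-generator @{exec_path} {
 include <abstractions/base>
+include <abstractions/consoles>
 include <abstractions/nameservice-strict>
 @{exec_path} mr,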


@ -8,7 +8,7 @@ abi <abi/4.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/lsblk @{exec_path} = @{bin}/lsblk
profile lsblk @{exec_path} { profile lsblk @{exec_path} flags=(attach_disconnected) {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/disks-read> include <abstractions/disks-read>
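Review bot: Adding `flags=(attach_disconnected)` to the lsblk profile header (right-hand line, read here as the new side) lets rules match paths that are disconnected from the namespace, which widens what the profile permits, and neither the commit message nor the hunk says which denial motivated it. A one-line comment above the profile would keep the flag reviewable, e.g. `# attach_disconnected: needed for <observed denial on Tumbleweed — fill in>`. Without it a later reviewer cannot tell whether the flag is still required.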


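--- a/PATH-NOT-ON-PAGE/sync
+++ b/PATH-NOT-ON-PAGE/sync
@@ -13,6 +13,10 @@ profile sync @{exec_path} {
 @{exec_path} mr,
+# Common paths where sync is used to flush all write operations on a single file to disk
+# TODO: /** rw, ?
+/boot/initrd-*-default rw,
 include if exists <local/sync>
 }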
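Review bot: The added `# TODO: /** rw, ?` leaves open whether to grant sync read-write access to the entire filesystem, which would make the profile's confinement of a utility commonly run as root almost meaningless, and a TODO proposing that much widening should not land with the question unresolved. Prefer one explicit rule per path, as `/boot/initrd-*-default rw,` does, and replace the TODO with a comment that states the policy, e.g. `# sync FILE opens each given file, so add paths here one by one rather than /** rw,`. Whether `w` is needed at all depends on the mode sync opens the file with; if it opens read-only, `r` would suffice — confirm before keeping `rw`.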