Update spectre-meltdown-checker (#50)

* Update spectre-meltdown-checker
nobodysu 2022-07-15 20:42:15 +00:00 committed by GitHub
parent 63f1a98c37
commit 2d7ec5ad2c


@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} @{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh}
profile spectre-meltdown-checker @{exec_path} { profile spectre-meltdown-checker @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
# Needed to read the /dev/cpu/[0-9]*/msr device # Needed to read the /dev/cpu/[0-9]*/msr device
capability sys_rawio, capability sys_rawio,
@ -56,11 +57,14 @@ profile spectre-meltdown-checker @{exec_path} {
/{usr/,}bin/{,@{multiarch}-}strings rix, /{usr/,}bin/{,@{multiarch}-}strings rix,
/{usr/,}bin/{,@{multiarch}-}objdump rix, /{usr/,}bin/{,@{multiarch}-}objdump rix,
/{usr/,}{s,}bin/iucode_tool rix, /{usr/,}{s,}bin/iucode_tool rix,
/{usr/,}{s,}bin/rdmsr rix,
/{usr/,}bin/dmesg rix, /{usr/,}bin/dmesg rix,
/{usr/,}{s,}bin/mount rix, /{usr/,}{s,}bin/mount rix,
/{usr/,}bin/find rix, /{usr/,}bin/find rix,
/{usr/,}bin/xargs rix, /{usr/,}bin/xargs rix,
/{usr/,}bin/readlink rix, /{usr/,}bin/readlink rix,
/{usr/,}bin/nproc rix,
/{usr/,}bin/date rix,
/{usr/,}bin/pgrep rCx -> pgrep, /{usr/,}bin/pgrep rCx -> pgrep,
/{usr/,}bin/ccache rCx -> ccache, /{usr/,}bin/ccache rCx -> ccache,
@ -71,13 +75,12 @@ profile spectre-meltdown-checker @{exec_path} {
/{usr/,}bin/sqlite3 rCx -> mcedb, /{usr/,}bin/sqlite3 rCx -> mcedb,
owner /tmp/mcedb-* rw, owner /tmp/mcedb-* rw,
owner /tmp/smc-* rw, owner /tmp/smc-* rw,
owner /tmp/intelfw-*/ rw, owner /tmp/{,smc-}intelfw-*/ rw,
owner /tmp/intelfw-*/fw.zip rw, owner /tmp/{,smc-}intelfw-*/fw.zip rw,
owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw, owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw, owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
owner @{HOME}/.mcedb rw, owner @{HOME}/.mcedb rw,
owner @{exec_path} w,
/tmp/ r, /tmp/ r,
owner /tmp/{config,kernel}-* rw, owner /tmp/{config,kernel}-* rw,
@ -99,8 +102,8 @@ profile spectre-meltdown-checker @{exec_path} {
@{PROC}/modules r, @{PROC}/modules r,
# find and denoise # find and denoise
@{PROC}/@{pid}/{status,exe} r, @{PROC}/@{pids}/{status,exe} r,
@{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/fd/ r,
@{PROC}/*/ r, @{PROC}/*/ r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
@ -110,7 +113,6 @@ profile spectre-meltdown-checker @{exec_path} {
/root/ r, /root/ r,
/etc/ r, /etc/ r,
profile ccache { profile ccache {
include <abstractions/base> include <abstractions/base>
@ -124,10 +126,12 @@ profile spectre-meltdown-checker @{exec_path} {
/etc/debian_version r, /etc/debian_version r,
include if exists <local/spectre-meltdown-checker_ccache>
} }
profile pgrep { profile pgrep {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
/{usr/,}bin/pgrep mr, /{usr/,}bin/pgrep mr,
@ -137,6 +141,7 @@ profile spectre-meltdown-checker @{exec_path} {
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r, @{PROC}/uptime r,
include if exists <local/spectre-meltdown-checker_pgrep>
} }
profile mcedb { profile mcedb {
@ -146,22 +151,33 @@ profile spectre-meltdown-checker @{exec_path} {
include <abstractions/openssl> include <abstractions/openssl>
include <abstractions/ssl_certs> include <abstractions/ssl_certs>
deny capability net_admin,
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
/{usr/,}bin/wget mr, /{usr/,}bin/wget mr,
/{usr/,}bin/sqlite3 mr, /{usr/,}bin/sqlite3 mr,
/etc/wgetrc r, /etc/wgetrc r,
owner @{HOME}/.wget-hsts rwk, owner @{HOME}/.wget-hsts rwk,
owner @{HOME}/.mcedb rw,
/tmp/ r, /tmp/ r,
owner /tmp/mcedb-* rwk, owner /tmp/{,smc-}mcedb-* rwk,
owner /tmp/intelfw-*/fw.zip rw, owner /tmp/{,smc-}intelfw-*/fw.zip rw,
/usr/share/publicsuffix/public_suffix_list.* r, /usr/share/publicsuffix/public_suffix_list.* r,
include if exists <local/spectre-meltdown-checker_mcedb>
} }
profile kmod { profile kmod {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles>
capability sys_module, capability sys_module,
@ -175,6 +191,7 @@ profile spectre-meltdown-checker @{exec_path} {
@{PROC}/cmdline r, @{PROC}/cmdline r,
include if exists <local/spectre-meltdown-checker_kmod>
} }
include if exists <local/spectre-meltdown-checker> include if exists <local/spectre-meltdown-checker>
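Review bot: The six new `deny capability net_admin,` / `network …` rules added to the mcedb subprofile carry no comment explaining what they are for, and because `network netlink raw` reads as a surprisingly broad grant for a wget/sqlite3 helper, a later maintainer may drop it and silently break name resolution. Presumably the dgram and netlink raw rules serve glibc getaddrinfo and the stream rules the HTTPS download of the microcode database, so I would annotate them, e.g. `# wget: DNS lookup via getaddrinfo (dgram, netlink raw) and HTTPS fetch of the MCE DB` and `# wget trips a net_admin check on a socket option; deny it to keep the log quiet` — the latter only if that is the denial actually observed, please confirm. If the target AppArmor release's `abstractions/nameservice` already contains these same network rules, including it would document the intent by reference instead of repeating them. Separately, the new `owner @{HOME}/.mcedb rw,` line lacks the `k` permission that the sibling `owner /tmp/{,smc-}mcedb-* rwk,` rule grants; sqlite3 takes fcntl locks, so the same operations on the cached database probably need `rwk` as well — worth checking against the audit log. The enclosing profile block continues past the last visible line.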