mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 23:05:11 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profiles): apply rule from #51.

Browse source
This commit is contained in:
Alexandre Pujol 2022-06-14 22:54:26 +01:00
parent d93879d9df
commit 393e339b48
Failed to generate hash of commit
7 changed files with 17 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apparmor.d/groups/systemd/systemd-journald
View file

@ -47,14 +47,16 @@ profile systemd-journald @{exec_path} {
@{run}/udev/data/+pci:* r, @{run}/udev/data/+pci:* r,
@{run}/udev/data/+platform* r, @{run}/udev/data/+platform* r,
@{run}/udev/data/+scsi:* r, @{run}/udev/data/+scsi:* r,
@{run}/udev/data/+sdio:* r,
@{run}/udev/data/+usb-serial:* r, @{run}/udev/data/+usb-serial:* r,
@{run}/udev/data/+usb:* r, @{run}/udev/data/+usb:* r,
@{run}/udev/data/+virtio:* r, @{run}/udev/data/+virtio:* r,
@{run}/udev/data/+sdio:* r, @{run}/udev/data/c1:[0-9]* r,
@{run}/udev/data/c10:224 r, # for /dev/tpm0 @{run}/udev/data/c10:224 r, # for /dev/tpm0
@{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/** @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
@{run}/udev/data/c23[0-9]:[0-9]* r, @{run}/udev/data/c23[0-9]:[0-9]* r,
@{run}/udev/data/c24[0-9]:[0-9]* r, @{run}/udev/data/c24[0-9]:[0-9]* r,
@{run}/udev/data/c4:[0-9]* r,
@{sys}/devices/**/uevent r, @{sys}/devices/**/uevent r,
@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

2
apparmor.d/groups/systemd/systemd-makefs
View file

@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-makefs @{exec_path} = /{usr/,}lib/systemd/systemd-makefs
profile systemd-makefs @{exec_path} { profile systemd-makefs @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-read> include <abstractions/disks-write>
include <abstractions/systemd-common> include <abstractions/systemd-common>
capability net_admin, capability net_admin,

4
apparmor.d/profiles-m-r/mount-zfs
View file

@ -31,5 +31,9 @@ profile mount-zfs @{exec_path} flags=(complain) {
umount /, umount /,
umount /*/, umount /*/,
@{PROC}/@{pids}/mounts r,
/dev/zfs rw,
include if exists <local/mount-zfs> include if exists <local/mount-zfs>
} }

1
apparmor.d/profiles-m-r/run-parts
View file

@ -79,6 +79,7 @@ profile run-parts @{exec_path} {
/etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ethtool rPUx,
/etc/network/if-up.d/ifenslave rPUx, /etc/network/if-up.d/ifenslave rPUx,
/etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/openvpn rPUx,
/etc/network/if-up.d/postfix rPUx,
/etc/network/if-up.d/wpasupplicant rPUx, /etc/network/if-up.d/wpasupplicant rPUx,
# Motd # Motd

7
apparmor.d/profiles-s-z/sudo
View file

@ -13,6 +13,7 @@ profile sudo @{exec_path} {
include <abstractions/app-launcher-root> include <abstractions/app-launcher-root>
include <abstractions/authentication> include <abstractions/authentication>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/dbus-strict>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/wutmp> include <abstractions/wutmp>
# include <pam/mappings> # include <pam/mappings>
@ -32,9 +33,13 @@ profile sudo @{exec_path} {
ptrace (read), ptrace (read),
# signal,
signal (send) set=(cont,hup) peer=su, signal (send) set=(cont,hup) peer=su,
dbus send bus=system path=/org/freedesktop/login[0-9]
interface=org.freedesktop.login[0-9].Manager
member=CreateSession
peer=(name=org.freedesktop.login[0-9]),
@{exec_path} mr, @{exec_path} mr,
/run/ r, /run/ r,

1
apparmor.d/profiles-s-z/switcheroo-control
View file

@ -29,6 +29,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
@{exec_path} mr, @{exec_path} mr,
@{run}/udev/data/+drm:* r, @{run}/udev/data/+drm:* r,
@{run}/udev/data/+pci:* r,
@{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card* @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*

1
apparmor.d/profiles-s-z/udisksd
View file

@ -14,6 +14,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
include <abstractions/dbus-strict> include <abstractions/dbus-strict>
include <abstractions/disks-write> include <abstractions/disks-write>
include <abstractions/nameservice-strict> include <abstractions/nameservice-strict>
include <abstractions/openssl>
capability chown, capability chown,
capability dac_override, capability dac_override,