mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-03 08:45:06 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): improve some systemd profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-11-10 19:02:07 +00:00
parent 7b9d412f02
commit 3c0b83d1b0
Failed to generate hash of commit
6 changed files with 19 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
apparmor.d/groups/systemd/systemd-cat
View file

@ -9,14 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-cat @{exec_path} = @{bin}/systemd-cat
profile systemd-cat @{exec_path} { profile systemd-cat @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/app-launcher-root>
include <abstractions/consoles>
capability net_admin, capability net_admin,
@{exec_path} mr, @{exec_path} mr,
@{bin}/cat rix,
@{bin}/echo rix,
include if exists <local/systemd-cat> include if exists <local/systemd-cat>
} }

6
apparmor.d/groups/systemd/systemd-cgls
View file

@ -10,7 +10,11 @@ include <tunables/global>
profile systemd-cgls @{exec_path} { profile systemd-cgls @{exec_path} {
include <abstractions/base> include <abstractions/base>
ptrace (read), capability sys_ptrace,
ptrace read,
signal send set=cont peer=child-pager,
@{exec_path} mr, @{exec_path} mr,

1
apparmor.d/groups/systemd/systemd-escape
View file

@ -10,7 +10,6 @@ include <tunables/global>
profile systemd-escape @{exec_path} { profile systemd-escape @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/common/systemd>
@{exec_path} mr, @{exec_path} mr,

6
apparmor.d/groups/systemd/systemd-sysusers
View file

@ -16,8 +16,12 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
capability fsetid, capability fsetid,
capability net_admin, capability net_admin,
signal send set=cont peer=child-pager,
@{exec_path} mr, @{exec_path} mr,
@{pager_path} rPx -> child-pager,
# Config file locations # Config file locations
/etc/sysusers.d/{,*.conf} r, /etc/sysusers.d/{,*.conf} r,
@{run}/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r,
@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
/etc/.#{group,gshadow}@{hex} rw, /etc/.#{group,gshadow}@{hex} rw,
/etc/.pwd.lock rwk, /etc/.pwd.lock rwk,
owner @{PROC}/@{pid}/cgroup r,
/dev/tty@{int} rw, /dev/tty@{int} rw,
owner /dev/pts/@{int} rw, owner /dev/pts/@{int} rw,

2
apparmor.d/groups/systemd/systemd-userdbd
View file

@ -25,7 +25,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
@{lib}/systemd/systemd-userwork rix, @{lib}/systemd/systemd-userwork rix,
/etc/gshadow r,
/etc/shadow r, /etc/shadow r,
/etc/machine-id r, /etc/machine-id r,
@{run}/systemd/userdb/{,**} rw, @{run}/systemd/userdb/{,**} rw,

5
apparmor.d/groups/systemd/userdbctl
View file

@ -21,11 +21,14 @@ profile userdbctl @{exec_path} {
@{pager_path} rPx -> child-pager, @{pager_path} rPx -> child-pager,
/etc/shadow r,
/etc/gshadow r, /etc/gshadow r,
/etc/shadow r,
/etc/machine-id r,
@{PROC}/1/cgroup r, @{PROC}/1/cgroup r,
owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/gid_map r,
owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pid}/uid_map r,
include if exists <local/userdbctl> include if exists <local/userdbctl>