mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 06:45:10 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

feat(profile): improve systemd-dissect

Browse source
This commit is contained in:
Alexandre Pujol 2024-09-24 21:49:56 +01:00
parent 24e0746efa
commit 457953876a
Failed to generate hash of commit
1 changed files with 17 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
apparmor.d/groups/systemd/systemd-dissect
View file

@ -11,16 +11,22 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
include <abstractions/common/systemd>
capability dac_read_search,
capability sys_admin,
capability sys_resource,
mount options=(rw, rslave) -> /,
mount options=(rw, nodev) -> /mnt/*/,
mount -> /tmp/dissect-@{rand6}/,
mount options=(rw rshared rslave) -> /,
mount options=(rw nodev) -> /mnt/*/,
mount -> /tmp/dissect-@{rand6}/,
mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/,
signal (send) set=(cont) peer=child-pager,
umount @{run}/systemd/dissect-root/,
signal send set=cont peer=child-pager,
ptrace read peer=unconfined,
@{exec_path} mr,
@ -35,14 +41,19 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
owner @{tmp}/dissect-@{rand6}/{,**} rw,
@{run}/systemd/dissect-root/ rw,
@{run}/systemd/dissect-root/** rwlk,
@{sys}/devices/virtual/block/loop@{int}/{,**} r,
@{sys}/kernel/uevent_seqnum r,
@{PROC}/@{pids}/cgroup r,
@{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/mountinfo r,
/dev/btrfs-control rw,
/dev/loop-control rwk,
/dev/loop* rwk,
/dev/loop* rwk,
/dev/mapper/control w,
include if exists <local/systemd-dissect>
}