diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index dfb18ca5..3b37a15f 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/acpid
+@{exec_path} = /{usr/,}{s,}bin/acpid
 profile acpid @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -17,20 +17,63 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/{ba,da,}sh rix,
 /{usr/,}bin/logger rix,
+ /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh,
+ /etc/acpi/{,**} r,
 /etc/acpi/handler.sh rix,
+ owner @{run}/acpid.socket rw,
+ owner @{run}/acpid.pid rw,
+
+ owner @{PROC}/@{pids}/fd/ r,
+ owner @{PROC}/@{pids}/loginuid r,
+
 /dev/input/{,**} r,
 /dev/tty rw,
- /dev/null r,
-
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/loginuid r,
-
- @{run}/acpid.socket rw,
 include if exists
 }
+
+profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) {
+ include
+
+ /etc/acpi/powerbtn-acpi-support.sh r,
+
+ /{usr/,}bin/sed rix,
+ /{usr/,}bin/pgrep rix,
+ /{usr/,}bin/{e,}grep rix,
+ /{usr/,}bin/pinky rix,
+ /{usr/,}bin/{ba,da,}sh rix,
+ /{usr/,}bin/dbus-send rix,
+ /{usr/,}{s,}bin/killall5 rix,
+ /{usr/,}{s,}bin/shutdown rix,
+ /etc/acpi/powerbtn.sh rix,
+
+ /{usr/,}bin/systemctl rPx -> child-systemctl,
+ /{usr/,}bin/ps rPx,
+
+ /{usr/,}bin/fgconsole rCx,
+ profile fgconsole /usr/bin/fgconsole {
+ include
+
+ capability sys_tty_config,
+
+ /{usr/,}bin/fgconsole r,
+
+ /dev/tty rw,
+ owner /dev/tty[0-9]* rw,
+ }
+
+ /usr/share/acpi-support/** r,
+
+ deny / r,
+
+ @{PROC} r,
+ @{PROC}/uptime r,
+ @{PROC}/@{pids}/cmdline r,
+
+ include if exists
+}
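Review bot: In the new `acpid//powerbtn-acpi-support.sh` profile, `/{usr/,}{s,}bin/shutdown rix,` and `/{usr/,}bin/systemctl rPx -> child-systemctl,` confine the same action two different ways: on systemd systems `shutdown` is a symlink to `systemctl` and AppArmor matches the resolved target path, so the `rix` rule is likely dead there, while a real sysvinit `shutdown` would run inherited with no `signal (send)` rule visible to reach init. The same gap applies to `/{usr/,}{s,}bin/killall5 rix,`, which under an abi 3.0 profile cannot signal processes outside its own profile without an explicit `signal (send) ...` rule — none is visible in the hunk, though one could come from the stripped `include` lines, so this is worth confirming against a denial log. `pgrep` and `killall5` also read `@{PROC}/@{pids}/stat` and `status`, whereas only `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/uptime r,` are granted. Separately, the parent profile's move from `owner @{PROC}/@{pid}/...` to `owner @{PROC}/@{pids}/...` widens the `fd/` and `loginuid` reads from acpid's own process to every root-owned process, since acpid runs as root; if the intent is only the `ix`-executed action scripts reading their own entries, a comment such as `# @{pids}: ix children (handler.sh) read their own /proc entries` would record that, and otherwise `@{pid}` remained tighter.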