diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/groups/utils/blockdev index 88059a4c..96e3ad23 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/groups/utils/losetup index fd2472dc..bb0ac6c7 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/groups/utils/losetup @@ -10,18 +10,23 @@ include profile losetup @{exec_path} { include include + include capability dac_override, capability dac_read_search, - unix (receive) type=stream, + unix receive type=stream, @{exec_path} mr, - @{sys}/devices/**/usb[0-9]/{,**} r, + @{user_img_dirs}/** rw, + @{user_vm_dirs}/** rw, + + @{sys}/block/ r, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, /dev/loop-control rw, - /dev/loop[0-9]* rw, + /dev/loop@{int} rw, include if exists } diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/groups/utils/sulogin index 556808ae..ccf7216e 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -9,9 +9,12 @@ include @{exec_path} = @{bin}/sulogin profile sulogin @{exec_path} { include + include include + capability checkpoint_restore, capability sys_admin, + capability sys_tty_config, @{exec_path} mr, @@ -22,9 +25,6 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, - /dev/ r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 0b48d63f..957164e8 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -52,6 +52,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{run}/udev/data/+rfkill:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/+thunderbolt:* r, @@ -73,14 +74,14 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/n@{int} r, @{sys}/**/ r, + @{sys}/devices/@{pci}/net/{,**} r, + @{sys}/devices/@{pci}/numa_node r, + @{sys}/devices/@{pci}/resource r, + @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/@{pci}/vpd r, @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r, @{sys}/devices/**/{config,device,vendor} r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/net/{,**} r, - @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, - @{sys}/devices/@{pci}/numa_node r, - @{sys}/devices/@{pci}/sriov_totalvfs r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r, diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index d532bb8c..b5a1f3ab 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dmsetup profile dmsetup @{exec_path} { include + include include capability sys_admin, diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 326d156e..ac2ceb6e 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -16,6 +16,7 @@ profile hostname @{exec_path} { capability sys_admin, network inet dgram, + network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw,