feat(fsp): update profile stack.

2024-11-15 16:03:51 +01:00 · 2024-03-10 21:17:50 +00:00 · 2024-03-10 21:17:50 +00:00 · ad8e5a9797
commit ad8e5a9797
parent 10ce0ba4a1
2 changed files with 6 additions and 6 deletions
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -32,7 +32,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability mknod,
  capability net_admin,
  capability perfmon,
@ -45,7 +44,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  capability sys_nice,
  capability sys_ptrace,
  capability sys_resource,
  capability sys_time,
  capability sys_tty_config,
  network inet dgram,
@ -85,6 +83,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  remount                                        @{MOUNTS}/{,**},
  remount                                        @{run}/systemd/mount-rootfs/{,**},
  remount                                        /,
  remount                                        /snap/{,**},
  remount options=(ro noexec noatime bind)       /var/snap/{,**},
  remount options=(ro nosuid bind)               /dev/,
  remount options=(ro nosuid nodev bind)         /dev/hugepages/,
  remount options=(ro nosuid nodev bind)         /var/,
@ -117,9 +117,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  # dbus: own bus=system name=org.freedesktop.systemd1
  # For stacked profiles
  # dbus: own bus=system name=org.freedesktop.oom1
  # dbus: own bus=system name=org.freedesktop.timesync1
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser
@ -143,6 +140,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  /etc/init.d/*                      Px,
  /usr/share/*/**                    Px,
  # stack: systemd-oomd systemd-timesyncd
  @{lib}/systemd/systemd-oomd       rPx -> systemd//&systemd-oomd,
  @{lib}/systemd/systemd-timesyncd  rPx -> systemd//&systemd-timesyncd,
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@ -34,6 +34,7 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
  @{bin}/grub-editenv  rPx,
  @{bin}/ibus-daemon   rPx,
  @{bin}/* r,
  @{lib}/ r,
  /var/cache/ldconfig/{,**} rw,
@ -47,7 +48,8 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
  # man-db.service
  /usr/{,local/}share/man/{,**} r,
-  /var/cache/man/{,**} rw,
+  /etc/manpath.config r,
  /var/cache/man/{,**} rwk,
  # snapd.system-shutdown.service
  @{run}/initramfs/shutdown rw,