feat(fsp): rewrite mount rules for systemd.

This commit is contained in:
Alexandre Pujol 2024-03-05 00:18:40 +00:00
parent 1699260a87
commit c80449719e


@ -53,33 +53,45 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
network inet6 stream,
network netlink raw,
mount -> @{run}/systemd/incoming/,
mount -> @{run}/systemd/mount-rootfs/{,**},
mount -> @{run}/systemd/unit-root/{,**},
mount -> @{sys}/fs/fuse/connections/,
mount -> @{sys}/kernel/config/,
mount -> @{sys}/kernel/debug/,
mount -> @{sys}/kernel/tracing/,
mount -> /,
mount -> /dev/,
mount -> /dev/hugepages/,
mount -> /dev/mqueue/,
mount -> /efi/,
mount -> /tmp/,
mount @{run}/systemd/namespace-@{rand6}/ -> @{run}/systemd/mount-rootfs/proc/,
mount @{run}/systemd/namespace-@{rand6}/dev/ -> @{run}/systemd/mount-rootfs/dev/,
mount /dev/*/ -> @{run}/systemd/namespace-@{rand6}/dev/*/,
mount /dev/ptmx -> @{run}/systemd/namespace-@{rand6}/dev/ptmx,
mount /dev/tty -> @{run}/systemd/namespace-@{rand6}/dev/tty,
mount /tmp/systemd-private-*/tmp/ -> @{run}/systemd/mount-rootfs/tmp/,
mount fstype=proc proc -> @{run}/systemd/namespace-@{rand6}/,
mount fstype=sysfs sysfs -> @{run}/systemd/namespace-@{rand6}/,
mount fstype=tmpfs tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
mount fstype=tmpfs tmpfs -> /dev/shm/,
mount fstype=ramfs ramfs -> /dev/shm/,
mount fstype=autofs systemd-1 -> /efi/,
mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/,
mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/,
mount fstype=tmpfs tmpfs -> /tmp/,
mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
mount options=(rw move) -> @{sys}/fs/fuse/connections/,
mount options=(rw move) -> @{sys}/kernel/config/,
mount options=(rw move) -> @{sys}/kernel/debug/,
mount options=(rw move) -> @{sys}/kernel/tracing/,
mount options=(rw move) -> /dev/hugepages/,
mount options=(rw move) -> /dev/mqueue/,
mount options=(rw move) -> /efi/,
mount options=(rw move) -> /tmp/,
mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**},
mount options=(rw rshared) -> /,
mount options=(rw rslave) -> /,
mount options=(rw rslave) -> /dev/,
mount options=(rw slave) -> @{run}/systemd/incoming/,
remount @{HOME}/{,**},
remount @{MOUNTS}/{,**},
remount @{run}/systemd/mount-rootfs/{,**},
remount /,
remount options=(ro nosuid bind) /dev/,
remount options=(ro nosuid nodev bind) /dev/hugepages/,
remount options=(ro nosuid nodev bind) /var/,
remount options=(ro nosuid nodev noexec bind) /boot/,
remount options=(ro nosuid nodev noexec bind) /dev/mqueue/,
remount options=(ro nosuid noexec bind) /dev/pts/,
umount /,
umount /dev/shm/,
umount @{PROC}/sys/fs/binfmt_misc/,
umount @{run}/systemd/mount-rootfs/{,**},
umount @{run}/systemd/namespace-@{rand6}/{,**},
umount @{run}/systemd/unit-root/{,**},
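Review bot: `mount -> /,` has no source, fstype or `options=` constraint, so it permits every mount onto the root and makes the narrower `mount options=(rw rshared) -> /,` and `mount options=(rw rslave) -> /,` rules dead, since AppArmor grants the union of matching rules; if only the propagation changes on `/` are wanted, the bare rule should be dropped. The same subsumption applies to each fstype pair written once with and once without `options=(...)` (proc and sysfs into `@{run}/systemd/namespace-@{rand6}/`, tmpfs into its `dev/` and into `/dev/shm/`): whichever of each pair survives on the new side, only the unconstrained one has any effect. The rendered page lost the +/- markers, so which of these lines the commit adds rather than removes is inferred from the 33/45 counts, not certain. `remount @{HOME}/{,**},` and `remount @{MOUNTS}/{,**},` likewise carry no `options=`, allowing any flag change on those trees; a short comment above them naming the unit setting that requires it (marked as to-be-confirmed) would let the next maintainer tighten them. The `profile systemd` block starts before this hunk and continues after it.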