mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-09 11:45:14 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(profile): update systemd profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-11-12 20:36:18 +00:00
parent 6f14d025e9
commit ebd6d54733
Failed to generate hash of commit
7 changed files with 11 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
apparmor.d/groups/systemd/hostnamectl
View file

@ -14,6 +14,8 @@ profile hostnamectl @{exec_path} {
capability net_admin, capability net_admin,
unix bind type=stream addr=@@{hex16}/bus/hostnamectl/system,
#aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
@{exec_path} mr, @{exec_path} mr,

1
apparmor.d/groups/systemd/systemd-cgls
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-cgls @{exec_path} = @{bin}/systemd-cgls
profile systemd-cgls @{exec_path} { profile systemd-cgls @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/bus-system>
capability sys_ptrace, capability sys_ptrace,

3
apparmor.d/groups/systemd/systemd-logind
View file

@ -94,10 +94,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
@{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c226:@{int} r, # For /dev/dri/card*
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{att}/@{run}/systemd/notify w,
@{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/ rw,
@{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/.#* rw,
@{run}/systemd/inhibit/@{int}{,.ref} rw, @{run}/systemd/inhibit/@{int}{,.ref} rw,
@{run}/systemd/notify rw,
@{run}/systemd/seats/ rw, @{run}/systemd/seats/ rw,
@{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/.#seat* rw,
@{run}/systemd/seats/seat@{int} rw, @{run}/systemd/seats/seat@{int} rw,

1
apparmor.d/groups/systemd/systemd-modules-load
View file

@ -13,6 +13,7 @@ profile systemd-modules-load @{exec_path} {
include <abstractions/common/systemd> include <abstractions/common/systemd>
capability net_admin, capability net_admin,
capability perfmon,
capability sys_module, capability sys_module,
@{exec_path} mr, @{exec_path} mr,

3
apparmor.d/groups/systemd/systemd-oomd
View file

@ -24,9 +24,10 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
/etc/systemd/oomd.conf r, /etc/systemd/oomd.conf r,
/etc/systemd/oomd.conf.d/{,**} r, /etc/systemd/oomd.conf.d/{,**} r,
@{att}/@{run}/systemd/notify w,
@{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.system.ManagedOOM rw,
@{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw,
@{run}/systemd/notify rw,
@{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cgroup.controllers r,
@{sys}/fs/cgroup/memory.* r, @{sys}/fs/cgroup/memory.* r,

3
apparmor.d/groups/systemd/systemd-timesyncd
View file

@ -34,9 +34,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
owner /var/lib/systemd/timesync/clock rw, owner /var/lib/systemd/timesync/clock rw,
@{att}/@{run}/systemd/notify rw,
@{run}/resolvconf/*.conf r, @{run}/resolvconf/*.conf r,
@{run}/systemd/netif/state r, @{run}/systemd/netif/state r,
@{run}/systemd/notify rw,
@{run}/systemd/timesyncd.conf.d/{,**} r, @{run}/systemd/timesyncd.conf.d/{,**} r,
owner @{run}/systemd/timesync/synchronized rw, owner @{run}/systemd/timesync/synchronized rw,

1
apparmor.d/groups/systemd/systemd-udevd
View file

@ -21,6 +21,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
capability fsetid, capability fsetid,
capability mknod, capability mknod,
capability net_admin, capability net_admin,
capability perfmon,
capability sys_admin, capability sys_admin,
capability sys_module, capability sys_module,
capability sys_ptrace, capability sys_ptrace,