feat(profile): add some unix rules with local address.

This commit is contained in:
Alexandre Pujol 2024-02-29 21:15:59 +00:00
parent 956c282794
commit f76051f114
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
9 changed files with 14 additions and 0 deletions


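--- a/ibus-dconf
+++ b/ibus-dconf
@@ -14,6 +14,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
 include <abstractions/dconf-write>
 include <abstractions/nameservice-strict>
+signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (receive) set=term peer=ibus-daemon,
 unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),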


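--- a/ibus-x11
+++ b/ibus-x11
@@ -20,6 +20,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 include <abstractions/nameservice-strict>
 include <abstractions/opencl>
+signal (receive) set=(cont, term) peer=@{systemd_user},
 unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
 network inet stream,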


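--- a/plymouthd
+++ b/plymouthd
@@ -19,6 +19,7 @@ profile plymouthd @{exec_path} {
 network netlink raw,
 signal (send) peer=unconfined,
+signal (send) set=(rtmin+23) peer=@{systemd},
 signal (send) set=(rtmin+23) peer=systemd-shutdown,
 ptrace (read) peer=plymouth,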
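Review bot: The new `signal (send) set=(rtmin+23) peer=@{systemd},` rule grants a real-time signal by number with no explanation of what plymouthd asks PID 1 to do with it, and the existing `systemd-shutdown` rule directly below it is equally bare. systemd assigns meanings to its SIGRTMIN+N signals in systemd(1) under "Signals", so a reviewer cannot tell from the profile whether this is the narrowest grant that works. A one-line comment above the pair, such as `# rtmin+23: see systemd(1) "Signals" for the request plymouthd makes of PID 1`, would record the intent; I have not verified which request +23 is, so the comment should name it once someone confirms it against plymouth's source. The profile block continues outside the hunk.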


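--- a/gdm-session-worker
+++ b/gdm-session-worker
@@ -47,6 +47,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 signal (send) set=hup peer=xwayland,
 signal (send) set=term peer=gdm-*-session,
+unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
 member=*Session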
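Review bot: The new `unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,` rule will read as a typo to the next maintainer, because `gdm-session-wor` is neither the profile name nor the binary name. Presumably it is the process comm name cut to 15 characters (the same pattern appears as `systemd-timesyn` elsewhere in this commit), and the `@<hex>/bus/<comm>/<description>` layout looks like the name sd-bus gives a client socket it binds before connecting, but nothing in the profile says so. Add a comment above the rule, e.g. `# sd-bus client socket: @<random-hex>/bus/<comm, truncated to 15 chars>/<bus description>`, so that nobody "corrects" the truncated name and breaks the match. The enclosing profile block starts and ends outside the hunk.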


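--- a/gcr-ssh-agent
+++ b/gcr-ssh-agent
@@ -10,6 +10,8 @@ include <tunables/global>
 profile gcr-ssh-agent @{exec_path} {
 include <abstractions/base>
+signal (receive) set=(cont, term) peer=@{systemd_user},
 @{exec_path} mr,
 include if exists <local/gcr-ssh-agent>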


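--- a/ssh-agent
+++ b/ssh-agent
@@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} {
 include <abstractions/nameservice-strict>
 include <abstractions/openssl>
+signal (receive) set=(cont term) peer=@{systemd_user},
 signal (receive) set=term peer=cockpit-bridge,
 signal (receive) set=term peer=gnome-keyring-daemon,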
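Review bot: The added `signal (receive) set=(cont term) peer=@{systemd_user},` separates the two signals with a space, while the identical rule added to ibus-dconf, ibus-x11 and gcr-ssh-agent in this same commit is written `set=(cont, term)`. As far as I can tell the parser accepts both spellings, so this is a point of style rather than a defect, but one convention should be used across the profile set; change the line to `signal (receive) set=(cont, term) peer=@{systemd_user},`. The profile block continues outside the hunk.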


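--- a/busctl
+++ b/busctl
@@ -17,6 +17,8 @@ profile busctl @{exec_path} {
 ptrace (read),
+unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
 @{exec_path} mr,
 @{bin}/less rPx -> child-pager,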


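--- a/systemd-localed
+++ b/systemd-localed
@@ -17,6 +17,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 # Needed?
 audit capability net_admin,
+unix (bind) type=stream addr=@@{hex}/bus/systemd-localed/system,
 # dbus: own bus=system name=org.freedesktop.locale1
 @{exec_path} mr,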


@ -22,6 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
network inet6 stream, network inet6 stream,
unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync, unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
unix (send, receive) type=dgram addr=none peer=(label=@{systemd}, addr=none),
# dbus: own bus=system name=org.freedesktop.timesync1 # dbus: own bus=system name=org.freedesktop.timesync1