mirror of
https://github.com/roddhjav/apparmor.d.git
synced 2024-11-16 00:13:48 +01:00
b52cbe564c
Fix: #4 See: https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/devices.txt
40 lines
1019 B
Plaintext
40 lines
1019 B
Plaintext
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2017-2021 Mikhail Morfikov
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = /{usr/,}{s,}bin/hddtemp
|
|
profile hddtemp @{exec_path} {
|
|
include <abstractions/base>
|
|
|
|
# To remove the following errors:
|
|
# /dev/sda: Permission denied
|
|
capability sys_rawio,
|
|
|
|
# There's the following error in strace:
|
|
# ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied)
|
|
# This should be covered by CAP_SYS_RAWIO instead.
|
|
# (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst)
|
|
# It looks like hddtemp works just fine without it.
|
|
deny capability sys_admin,
|
|
|
|
network inet stream,
|
|
network inet6 stream,
|
|
|
|
@{exec_path} mr,
|
|
|
|
# Monitored hard drives
|
|
/dev/sd[a-z]* r,
|
|
|
|
# Database file that allows hddtemp to recognize supported drives
|
|
/etc/hddtemp.db r,
|
|
|
|
# Needed when the hddtemp daemon is started in the TCP/IP mode
|
|
/etc/gai.conf r,
|
|
|
|
include if exists <local/hddtemp>
|
|
}
|