From 5b874f45f35e1b0575c74abd7e846714620534d5 Mon Sep 17 00:00:00 2001
From: Allen Huang
Date: Thu, 6 Feb 2025 11:32:58 +0000
Subject: [PATCH 1/4] Add iotop-c profile

Signed-off-by: Allen Huang
---
 profiles/apparmor.d/usr.sbin.iotop-c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 profiles/apparmor.d/usr.sbin.iotop-c

diff --git a/profiles/apparmor.d/usr.sbin.iotop-c b/profiles/apparmor.d/usr.sbin.iotop-c
new file mode 100644
index 000000000..b4a4a9f0f
--- /dev/null
+++ b/profiles/apparmor.d/usr.sbin.iotop-c
@@ -0,0 +1,24 @@
+abi ,
+
+include
+
+/usr/sbin/iotop-c {
+ include
+ include
+ include
+
+ capability net_admin,
+ capability sys_admin,
+
+ /proc/*/cmdline r,
+ /proc/*/task/ r,
+ /usr/sbin/iotop-c mr,
+ owner /etc/nsswitch.conf r,
+ owner /etc/passwd r,
+ owner /proc/ r,
+ owner /proc/sys/kernel/task_delayacct rw,
+ owner /proc/vmstat r,
+ owner /root/.config/iotop/iotoprc rw,
+
+}
+

From 7bd505aa6514ce30f1fb7e3df832d2b0a783f836 Mon Sep 17 00:00:00 2001
From: Allen Huang
Date: Thu, 6 Feb 2025 14:29:09 +0000
Subject: [PATCH 2/4] profiles/iotop-c: add profile name and rename the file

Signed-off-by: Allen Huang
---
 profiles/apparmor.d/{usr.sbin.iotop-c => iotop-c} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename profiles/apparmor.d/{usr.sbin.iotop-c => iotop-c} (92%)

diff --git a/profiles/apparmor.d/usr.sbin.iotop-c b/profiles/apparmor.d/iotop-c
similarity index 92%
rename from profiles/apparmor.d/usr.sbin.iotop-c
rename to profiles/apparmor.d/iotop-c
index b4a4a9f0f..0b7dc794f 100644
--- a/profiles/apparmor.d/usr.sbin.iotop-c
+++ b/profiles/apparmor.d/iotop-c
@@ -2,7 +2,7 @@ abi ,
 
 include
 
-/usr/sbin/iotop-c {
+profile iotop-c /usr/sbin/iotop-c {
  include
  include
  include

From e53cda33a30b9f8536db602fcdfda14a5aa6d82b Mon Sep 17 00:00:00 2001
From: Allen Huang
Date: Thu, 6 Feb 2025 14:52:39 +0000
Subject: [PATCH 3/4] profiles/iotop-c: use @{HOME}
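Review bot: The /proc rules in the new profile hard-code `/proc/` and a bare `*` where the project's tunables provide `@{PROC}` and `@{pid}`, so `/proc/*/cmdline r,` and `/proc/*/task/ r,` would read better as `@{PROC}/@{pid}/cmdline r,` and `@{PROC}/@{pid}/task/ r,`; the bare `*` also matches non-pid entries such as `/proc/self/`. The include targets were stripped from this rendering, so this presumes the top-level include is tunables/global. The two capability lines deserve a why-comment, since sys_admin is the broadest capability in the set; something like `# net_admin: presumably for the taskstats netlink socket; sys_admin: document which operation needs it` would let a later reviewer judge whether both are still required.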
Signed-off-by: Allen Huang
---
 profiles/apparmor.d/iotop-c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/iotop-c b/profiles/apparmor.d/iotop-c
index 0b7dc794f..4571540b5 100644
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@@ -18,7 +18,7 @@ profile iotop-c /usr/sbin/iotop-c {
  owner /proc/ r,
  owner /proc/sys/kernel/task_delayacct rw,
  owner /proc/vmstat r,
- owner /root/.config/iotop/iotoprc rw,
+ owner @{HOME}/.config/iotop/iotoprc rw,
 
 }
 

From 0c4f70d81b396297de463347c95178cc4aca3da3 Mon Sep 17 00:00:00 2001
From: Allen Huang
Date: Fri, 7 Feb 2025 13:40:14 +0000
Subject: [PATCH 4/4] profiles/iotop-c: remove `owner`, redundant rules

- Remove `owner` in /proc/ rules to enable non-root users
- add "include if exists" line to pass the pipeline
- change to smaller

Signed-off-by: Allen Huang
---
 profiles/apparmor.d/iotop-c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/profiles/apparmor.d/iotop-c b/profiles/apparmor.d/iotop-c
index 4571540b5..fc473e7ce 100644
--- a/profiles/apparmor.d/iotop-c
+++ b/profiles/apparmor.d/iotop-c
@@ -5,7 +5,7 @@ include
 profile iotop-c /usr/sbin/iotop-c {
  include
  include
- include
+ include
 
  capability net_admin,
  capability sys_admin,
@@ -13,12 +13,10 @@ profile iotop-c /usr/sbin/iotop-c {
  /proc/*/cmdline r,
  /proc/*/task/ r,
  /usr/sbin/iotop-c mr,
- owner /etc/nsswitch.conf r,
- owner /etc/passwd r,
- owner /proc/ r,
- owner /proc/sys/kernel/task_delayacct rw,
- owner /proc/vmstat r,
+ /proc/ r,
+ /proc/sys/kernel/task_delayacct rw,
+ /proc/vmstat r,
  owner @{HOME}/.config/iotop/iotoprc rw,
+ include if exists
 
 }
-
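Review bot: The new `owner @{HOME}/.config/iotop/iotoprc rw,` rule covers the config file but not its parent directory, so if iotop-c creates `~/.config/iotop/` on first run that mkdir would be denied. Whether the tool creates the directory is not shown in this patch, so confirm it before adding `owner @{HOME}/.config/iotop/ w,` (and the same for `@{HOME}/.config/` if it creates that too). The profile's remaining rules lie outside this hunk.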
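Review bot: Dropping `owner` from `/proc/sys/kernel/task_delayacct rw,` in the second hunk grants a write to a system-wide sysctl under every invocation of the profile; DAC still limits the actual write to root, so the practical widening is small, but the rule should say why it exists, e.g. `# iotop-c toggles delay accounting through this sysctl; DAC still restricts the write to root`. The removed `owner /etc/nsswitch.conf r,` and `owner /etc/passwd r,` lines are called redundant in the commit message, which holds only if one of the remaining abstraction includes is nameservice — the include targets are not visible in this rendering, so confirm that, otherwise user-name resolution would presumably be denied. The first hunk of this patch swaps one include for another whose target is likewise not visible here, so nothing can be checked about it.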