mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

profiles/apparmor.d/rygel: allow specific access for /dev bits

Browse source 
It turns out we need to allow /dev/null for fd inheritance and /dev for reading
plus /dev/urandom, all of which are quite safe.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
This commit is contained in:
Alex Murray 2024-12-09 13:29:34 +10:30
parent 3731488ab6
commit 46d994ddcd
Failed to generate hash of commit
1 changed files with 4 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
profiles/apparmor.d/rygel
View file

@ -22,9 +22,8 @@ profile rygel /usr/bin/rygel {
include <abstractions/freedesktop.org>
include <abstractions/nameservice>
# gst-plugin-scanner tries to probe various things but is not really needed so
# deny it
deny file r /{dev,sys}/{,**},
# gst-plugin-scanner tries to probe various things and inherit fds
file r /dev/{,urandom,null},
file r @{etc_ro}/rygel.conf,
@ -93,8 +92,8 @@ profile rygel /usr/bin/rygel {
include <abstractions/base>
include <abstractions/dbus-session-strict>
# is not actually needed so deny it
deny file r /{dev,sys}/{,**},
# gst-plugin-scanner tries to probe various things and inherit fds
file r /dev/{,urandom,null},
file mr /usr/libexec/rygel/mx-extract,
file r /usr/share/gupnp-dlna-2.0/dlna-profiles/{,*},