profiles/apparmor.d/rygel: deny noise unneeded read of /sys

gst-plugin-scanner wants to try and scan hardware devices but since rygel itself doesn't actually use or need any access to such devices the access to these can be denied and any log spam silenced via an explicit denial rule. Signed-off-by: Alex Murray <alex.murray@canonical.com>
2025-03-04 08:24:42 +01:00 · 2024-08-23 19:45:30 +09:30 · 2024-08-23 19:45:30 +09:30 · df189243d1
commit df189243d1
parent 37555e876c
1 changed files with 5 additions and 3 deletions
--- a/profiles/apparmor.d/rygel
+++ b/profiles/apparmor.d/rygel
@ -22,8 +22,10 @@ profile rygel /usr/bin/rygel {
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice>

-  # is not actually needed so deny it
-  deny file r /dev/{,**},
+  # gst-plugin-scanner tries to probe various things but is not really needed so
+  # deny it
+  deny file r /{dev,sys}/{,**},
+
  file r @{etc_ro}/rygel.conf,

  file mr /usr/bin/rygel,
@ -92,7 +94,7 @@ profile rygel /usr/bin/rygel {
    include <abstractions/dbus-session-strict>

    # is not actually needed so deny it
-    deny file r /dev/{,**},
+    deny file r /{dev,sys}/{,**},

    file mr /usr/libexec/rygel/mx-extract,
    file r  /usr/share/gupnp-dlna-2.0/dlna-profiles/{,*},