lokinet
/
lokinet
3
1
Fork 1
Code Issues 7 Pull Requests 2 Projects Releases Wiki Activity

update apparmor profile: 

add nameservice abstraction
give profile a name
allow to read conf, tmp files, etc.
remove /lib/@{multiarch}/ld-*.so mr, already covered by abstractions/base
allow local additions
stable
Anton Nesterov 2021-02-05 20:16:57 +00:00
parent c5a423d3f8
commit da2c979936
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
contrib/apparmor/usr.bin.lokinet
View File

@ -1,8 +1,9 @@
# Last Modified: Sat May 4 18:48:24 2019
# Last Modified: Fri 05 Feb 2021 08:13:58 PM UTC
#include <tunables/global>
/usr/bin/lokinet {
profile lokinet /usr/bin/lokinet {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_admin,
capability net_bind_service,
@ -11,14 +12,16 @@
network inet6 dgram,
network netlink raw,
/etc/loki/lokinet.ini r,
/dev/net/tun rw,
/lib/@{multiarch}/ld-*.so mr,
/usr/bin/lokinet mr,
owner /var/lib/lokinet/ rw,
owner /var/lib/lokinet/** rwk,
owner @{HOME}/.lokinet/ rw,
owner @{HOME}/.lokinet/** rwk,
owner /{var/,}lib/lokinet/ rw,
owner /{var/,}lib/lokinet/** rwk,
owner ${HOME}/.lokinet/ rw,
owner ${HOME}/.lokinet/** rwk,
owner @{PROC}/@{pid}/task/@{pid}/comm rw,
owner /tmp/lokinet.*/{**,} rw,
#include if exists <local/usr.bin.lokinet>
}