oxen-io
/
lokinet
mirror of https://github.com/oxen-io/lokinet
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

update apparmor profile: 

add nameservice abstraction
give profile a name
allow to read conf, tmp files, etc.
remove /lib/@{multiarch}/ld-*.so mr, already covered by abstractions/base
allow local additions
This commit is contained in:
Anton Nesterov 2021-02-05 20:16:57 +00:00
parent c5a423d3f8
commit da2c979936
1 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
contrib/apparmor/usr.bin.lokinet
View File

@ -1,8 +1,9 @@
# Last Modified: Sat May 4 18:48:24 2019 # Last Modified: Fri 05 Feb 2021 08:13:58 PM UTC
#include <tunables/global> #include <tunables/global>
/usr/bin/lokinet { profile lokinet /usr/bin/lokinet {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice>
capability net_admin, capability net_admin,
capability net_bind_service, capability net_bind_service,
@ -11,14 +12,16 @@
network inet6 dgram, network inet6 dgram,
network netlink raw, network netlink raw,
/etc/loki/lokinet.ini r,
/dev/net/tun rw, /dev/net/tun rw,
/lib/@{multiarch}/ld-*.so mr,
/usr/bin/lokinet mr, /usr/bin/lokinet mr,
owner /var/lib/lokinet/ rw, owner /{var/,}lib/lokinet/ rw,
owner /var/lib/lokinet/** rwk, owner /{var/,}lib/lokinet/** rwk,
owner ${HOME}/.lokinet/ rw,
owner @{HOME}/.lokinet/ rw, owner ${HOME}/.lokinet/** rwk,
owner @{HOME}/.lokinet/** rwk, owner @{PROC}/@{pid}/task/@{pid}/comm rw,
owner /tmp/lokinet.*/{**,} rw,
#include if exists <local/usr.bin.lokinet>
} }