add network capability

2026-06-06 07:35:56 +02:00 · 2022-01-25 09:42:36 +01:00
parent 4dd0e8dd1f
commit afc7f27686
51 changed files with 1044 additions and 285 deletions
--- a/scrutiny/apparmor.txt
+++ b/scrutiny/apparmor.txt
@@ -2,9 +2,10 @@

 profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
-  
+
  capability,
  file,
+  signal,
  mount,
  umount,
  remount,
@@ -19,8 +20,8 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) {
  capability setgid,
  capability setuid,
  capability dac_override,
-  capability sys_admin, 
-  capability dac_read_search, 
+  capability sys_admin,
+  capability dac_read_search,
  capability sys_rawio,

 # S6-Overlay
@@ -35,11 +36,11 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) {
  /init rix,
  /var/run/** mrwkl,
  /var/run/ mrwkl,
-  /dev/i2c-1 mrwkl, 
+  /dev/i2c-1 mrwkl,
  # Files required
  /dev/sda1 mrwkl,
  /dev/sdb1 mrwkl,
-  /dev/mmcblk0p1 mrwkl, 
+  /dev/mmcblk0p1 mrwkl,
  /dev/* mrwkl,
  /tmp/** mrkwl,
  /dev/sda mrwkl,
@@ -54,13 +55,13 @@ profile db21ed7f_scrutiny flags=(attach_disconnected,mediate_deleted) {
  /dev/nvme2 mrwkl,
  /dev/nvme3 mrwkl,
  /dev/nvme4 mrwkl,
-  
+
  # Data access
-  /data/** rw, 
+  /data/** rw,

  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
  ptrace (trace,read) peer=docker-default,
- 
+
  # docker daemon confinement requires explict allow rule for signal
  signal (receive) set=(kill,term) peer=/usr/bin/docker,