avm/hassio-addons
1
0
Fork 0
mirror of https://github.com/alexbelgium/hassio-addons.git synced 2026-03-18 10:42:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
101ce9752f3fcf6f23942425a4a7aae4b44fac01
hassio-addons/manyfold/apparmor.txt
copilot-swe-agent[bot] 3c53e69161 Replace blanket capability, with specific capabilities in all AppArmor profiles 
Remove overly permissive blanket `capability,` rule (grants ALL Linux
capabilities) from 107 addon AppArmor profiles. Replace with only the
specific capabilities each addon needs based on its config.yaml
`privileged` field.

Base capabilities for all addons: setuid, setgid, chown, fowner, dac_override
Additional capabilities mapped from config.yaml privileged list:
- SYS_ADMIN -> sys_admin
- DAC_READ_SEARCH -> dac_read_search
- NET_ADMIN -> net_admin
- NET_RAW -> net_raw
- SYS_RAWIO -> sys_rawio
- SYS_TIME -> sys_time
- SYS_RESOURCE -> sys_resource

Addons with full_access: true (portainer_agent) retain blanket capability.

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>
2026-03-17 07:42:05 +00:00

23 lines
584 B
Plaintext
Raw Blame History

#include <tunables/global>
profile hassio-addons/manyfold flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
#include <abstractions/openssl>
# Baseline profile for Manyfold in HAOS. Keep broad compatibility while
# denying known high-risk kernel interfaces.
file,
network,
capability chown,
capability dac_override,
capability fowner,
capability setgid,
capability setuid,
deny /proc/kcore rwklx,
deny /proc/sysrq-trigger rwklx,
deny /sys/firmware/** rwklx,
}
Reference in New Issue View Git Blame Copy Permalink