Add profile for rpcbind

2025-08-31 22:35:35 +00:00 · 2023-04-17 22:11:00 -04:00
parent 8d9985ac0b
commit 408e148109
1 changed files with 32 additions and 0 deletions
--- a/profiles/apparmor/profiles/extras/rpcbind
+++ b/profiles/apparmor/profiles/extras/rpcbind
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# Author: Daniel Richard G. <skunk@iSKUNK.ORG>
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile rpcbind /{usr/,}sbin/rpcbind {
+  include <abstractions/base>
+  include <abstractions/hosts_access>
+  include <abstractions/nameservice>
+
+  # needed to sanely drop privileges
+  capability setgid,
+  capability setuid,
+
+  network inet dgram,
+  network inet6 dgram,
+
+  /etc/default/rpcbind             r,
+  /etc/netconfig                   r,
+  /etc/rpcbind.conf                r,
+  /{usr/,}sbin/rpcbind             mrix,
+  @{run}/rpcbind.lock              rwk,
+  @{run}/rpcbind.sock              rwk,
+  @{run}/rpcbind/portmap.xdr       rw,
+  @{run}/rpcbind/rpcbind.xdr       rw,
+  @{run}/systemd/notify            w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/rpcbind>
+}