mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

Merge added systemd-creds to list of wg-quick binaries

Browse Source 
I'd like to store my wg creds in my TPM module using `systemd-creds`:

```bash
PostUp = systemd-creds --name wg0 decrypt /etc/wireguard/secrets/wg0.cred | wg set wg0 private-key /dev/stdin
```

Currently I use `local/wg-quick` as work-around.
The `Ux` permission is may be a little too open, but 2 problems remain:

- the profile maintainer can't know which creds file need to be accessible
- different TMP module implementations / drivers may require different permissions

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1644
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2025-07-30 08:34:49 +00:00
commit 87e0151c7c
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
profiles/apparmor.d/wg-quick
View File

@ -35,6 +35,7 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) {
file mrix /usr/sbin/xtables-nft-multi, file mrix /usr/sbin/xtables-nft-multi,
file mrix /usr/bin/resolvectl, file mrix /usr/bin/resolvectl,
file mrix /usr/sbin/resolvconf, file mrix /usr/sbin/resolvconf,
file PUx /usr/bin/systemd-creds,
# dbus access # dbus access
file rw @{run}/dbus/system_bus_socket, file rw @{run}/dbus/system_bus_socket,