From c047abcaf3d59ae0cde48bc2897a85eba15a4373 Mon Sep 17 00:00:00 2001
From: Daniel Richard G
Date: Mon, 30 Jul 2018 22:48:04 -0400
Subject: [PATCH] sbin.rpc.statd: updated so that it actually works.

---
 .../apparmor/profiles/extras/sbin.rpc.statd | 37 +++++++++++++++----
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/profiles/apparmor/profiles/extras/sbin.rpc.statd b/profiles/apparmor/profiles/extras/sbin.rpc.statd
index 82298e466..7a602abc0 100644
--- a/profiles/apparmor/profiles/extras/sbin.rpc.statd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.statd
@@ -13,17 +13,38 @@ profile rpc.statd /{usr/,}sbin/rpc.statd {
 #include
 #include
+
+ # needed to sanely drop privileges
+ capability setgid,
+ capability setuid,
+
+ # changes ownership of pidfile
+ capability chown,
+
+ # not sure why this is needed
+ capability setpcap,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/fs/lockd/nlm_end_grace w,
+ @{PROC}/sys/fs/nfs/** r,
+ @{PROC}/sys/fs/nfs/nsm_local_state w,
+
+ /etc/netconfig r,
 /etc/rpc r,
- /{usr/,}sbin/rpc.statd rmix,
- /sm rw,
- /sm.bak rw,
- /state rw,
+ /{usr/,}sbin/rpc.statd mrix,
+ /{usr/,}sbin/sm-notify mrix,
+ /var/lib/nfs/sm/ r,
 /var/lib/nfs/sm/* rw,
- /var/lib/nfs/statd rw,
- /var/lib/nfs/statd/sm r,
+ /var/lib/nfs/sm.bak/ r,
+ /var/lib/nfs/statd/ rw,
+ /var/lib/nfs/statd/sm/ r,
 /var/lib/nfs/statd/sm/* rwl,
 /var/lib/nfs/statd/state rw,
- /var/lib/nfs/statd/sm.bak r,
+ /var/lib/nfs/statd/sm.bak/ r,
 /var/lib/nfs/statd/sm.bak/* rwl,
- /{,var/}run/rpc.statd.pid w,
+ /var/lib/nfs/state rwk,
+ /var/lib/nfs/state.new rwl,
+ /{,var/}run/rpc.statd.pid w,
+ /{,var/}run/rpcbind.sock rw,
+ /{,var/}run/sm-notify.pid w,
 }
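Review bot: `capability setpcap,` is added under the comment `# not sure why this is needed`, and a capability grant in a confinement profile should name the code path that requires it, since CAP_SETPCAP lets the confined process change its own capability sets. In the nfs-utils sources this is most likely needed because statd drops capabilities from its bounding set at startup (prctl PR_CAPBSET_DROP), which the "sanely drop privileges" comment on the setgid/setuid rules already alludes to — confirm against the packaged version and replace the comment with, e.g., `# needed to drop capabilities from the bounding set (prctl PR_CAPBSET_DROP)`; if it turns out not to be required, remove the rule rather than keep an unexplained grant. It would also help a reader to note, next to `/{usr/,}sbin/sm-notify mrix,`, that `ix` runs sm-notify inside this same profile, which appears to be why the `/var/lib/nfs/state.new rwl,` and `/{,var/}run/sm-notify.pid w,` rules live here.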