sbin.rpc.statd: updated so that it actually works.

2025-08-29 21:38:15 +00:00 · 2018-07-30 22:48:04 -04:00 · 2018-07-30 22:48:04 -04:00 · c047abcaf3
commit c047abcaf3
parent ac1d0545f4
1 changed files with 29 additions and 8 deletions
--- a/profiles/apparmor/profiles/extras/sbin.rpc.statd
+++ b/profiles/apparmor/profiles/extras/sbin.rpc.statd
@ -13,17 +13,38 @@
 profile rpc.statd /{usr/,}sbin/rpc.statd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  # needed to sanely drop privileges
  capability setgid,
  capability setuid,
  # changes ownership of pidfile
  capability chown,
  # not sure why this is needed
  capability setpcap,
  owner @{PROC}/@{pid}/fd/         r,
  @{PROC}/fs/lockd/nlm_end_grace   w,
  @{PROC}/sys/fs/nfs/**            r,
  @{PROC}/sys/fs/nfs/nsm_local_state w,
  /etc/netconfig                   r,
  /etc/rpc                         r,
-  /{usr/,}sbin/rpc.statd           rmix,
+  /{usr/,}sbin/rpc.statd           mrix,
-  /sm                              rw,
+  /{usr/,}sbin/sm-notify           mrix,
-  /sm.bak                          rw,
+  /var/lib/nfs/sm/                 r,
  /state                           rw,
  /var/lib/nfs/sm/*                rw,
-  /var/lib/nfs/statd               rw,
+  /var/lib/nfs/sm.bak/             r,
-  /var/lib/nfs/statd/sm            r,
+  /var/lib/nfs/statd/              rw,
  /var/lib/nfs/statd/sm/           r,
  /var/lib/nfs/statd/sm/*          rwl,
  /var/lib/nfs/statd/state         rw,
-  /var/lib/nfs/statd/sm.bak        r,
+  /var/lib/nfs/statd/sm.bak/       r,
  /var/lib/nfs/statd/sm.bak/*      rwl,
-  /{,var/}run/rpc.statd.pid           w,
+  /var/lib/nfs/state               rwk,
  /var/lib/nfs/state.new           rwl,
  /{,var/}run/rpc.statd.pid        w,
  /{,var/}run/rpcbind.sock         rw,
  /{,var/}run/sm-notify.pid        w,
 }