Moving apply_and_clear_deny() before the first minimization pass, which was necessary to properly support building accept information for older non-extended permission DFAs, also allows us to get rid of the second minimization pass when we want to force clearing explicit deny info from extended permission tables. Signed-off-by: John Johansen <john.johansen@canonical.com>
capability {0xffffff
|
|
}
|
|
caps {extended {yes
|
|
}
|
|
mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
|
|
}
|
|
}
|
|
dbus {mask {acquire send receive
|
|
}
|
|
}
|
|
domain {attach_conditions {xattr {yes
|
|
}
|
|
}
|
|
change_hat {yes
|
|
}
|
|
change_hatv {yes
|
|
}
|
|
change_onexec {yes
|
|
}
|
|
change_profile {yes
|
|
}
|
|
computed_longest_left {yes
|
|
}
|
|
disconnected.path {yes
|
|
}
|
|
fix_binfmt_elf_mmap {yes
|
|
}
|
|
interruptible {yes
|
|
}
|
|
kill.signal {yes
|
|
}
|
|
post_nnp_subset {yes
|
|
}
|
|
stack {yes
|
|
}
|
|
unconfined_allowed_children {yes
|
|
}
|
|
version {1.2
|
|
}
|
|
}
|
|
policy {outofband {0x000001
|
|
}
|
|
permstable32 {allow deny subtree cond kill complain prompt audit quiet hide xindex tag label
|
|
}
|
|
permstable32_version {0x000003
|
|
}
|
|
set_load {yes
|
|
}
|
|
versions {v5 {yes
|
|
}
|
|
v6 {yes
|
|
}
|
|
v7 {yes
|
|
}
|
|
v8 {yes
|
|
}
|
|
v9 {yes
|
|
}
|
|
}
|
|
}
|
|
query {label {data {yes
|
|
}
|
|
multi_transaction {yes
|
|
}
|
|
perms {allow deny audit quiet
|
|
}
|
|
}
|
|
}
|