Merge pull request #47 from mdegat01/aa-remove-bin-access

Remove access to bin directories
mdegat01 · Apr 12, 2021 · c859b6d · c859b6d
2 parents e92ad6e + 74746f9
commit c859b6d
Showing 1 changed file with 1 addition and 8 deletions.
diff --git a/loki/apparmor.txt b/loki/apparmor.txt
@@ -71,10 +71,6 @@ profile loki flags=(attach_disconnected,mediate_deleted) {
     # Send & receive tcp traffic
     network tcp,
 
-    # Executables
-    /bin/**                           rix,
-    /usr/bin/**                       rix,
-
     # Addon data
     /data/**                          r,
     /data/loki/**                     rwk,
@@ -84,6 +80,7 @@ profile loki flags=(attach_disconnected,mediate_deleted) {
     /share/**                         r,
 
     # Runtime usage
+    /usr/bin/loki                     rm,
     @{etc_ro}/hosts                   r,
     @{etc_ro}/resolv.conf             r,
     @{etc_ro}/nsswitch.conf           r,
@@ -108,10 +105,6 @@ profile loki flags=(attach_disconnected,mediate_deleted) {
     capability setgid,
     ptrace (read) peer=*_loki,
 
-    # Executables
-    /bin/**                           rix,
-    /usr/bin/**                       rix,
-
     # Config files
     @{etc_ro}/nginx/**                r,
     /ssl/**                           r,