Add support for tlp #585
Add support for tlp #585
Conversation
apparmor.d/profiles-s-z/tlp
Outdated
|
|
||
| @{bin}/systemctl rix, | ||
| @{bin}/logger rix, | ||
| @{shells_path} rix, |
There was a problem hiding this comment.
That should be @{sh_path} (shell_path is for interactive shell and logging system using that use the user shell).
apparmor.d/profiles-s-z/tlp
Outdated
| owner / r, | ||
|
|
||
| owner /etc/tlp.d/ r, | ||
| owner /etc/tlp.d/** rw, | ||
| owner /etc/udev/udev.conf r, |
There was a problem hiding this comment.
Do not use owner in this context. It would prevent any non root user to use the program.
apparmor.d/profiles-s-z/tlp
Outdated
| @{bin}/iw rpx, | ||
| @{bin}/hdparm rix, | ||
| @{bin}/uname rpx, | ||
| @{bin}/udevadm rix, |
There was a problem hiding this comment.
udevadm should be used in a subprofile: https://apparmor.pujol.io/development/abstractions/#appudevadm
Then, all rule that will go in the subprofile will have to be removed from the main one.
apparmor.d/profiles-s-z/tlp
Outdated
| owner /usr/share/tlp/** rw, | ||
| owner /usr/share/tlp/func.d/** rw, |
There was a problem hiding this comment.
No owner here.
It is highly unlikely that tlp needs to write something in /usr/share (this folder is considered read-only)
apparmor.d/profiles-s-z/tlp
Outdated
|
|
||
| /usr/share/tlp/tlp-readconfs rw, | ||
|
|
||
| /var/lib/power-profiles-daemon/{,**} rw, |
There was a problem hiding this comment.
This should be restricted: as it write files on another program var, only the specific file names should be allowed and not everything.
apparmor.d/profiles-s-z/tlp
Outdated
| /var/lib/power-profiles-daemon/{,**} rw, | ||
|
|
||
| owner /usr/share/tlp/bat.d/** rw, | ||
| owner /usr/share/perl5/core_perl/** r, |
There was a problem hiding this comment.
You don't seems to used perl here, so this should not be here.
If perl is really needed, use the perl abstraction instead.
apparmor.d/profiles-s-z/tlp
Outdated
|
|
||
| @{sys}/firmware/acpi/platform_profile* rw, | ||
| @{sys}/firmware/acpi/pm_profile* rw, | ||
| @{sys}/devices/virtusl/** rw, |
There was a problem hiding this comment.
there is a typo: virtual/. Also full write access to it is too wide.
|
Thanks for this PR. I have added a few minor comments. Once resolved, it will be ready to merge. You should use the |
apparmor.d/profiles-g-l/hdparm
Outdated
| # interaction with tlp | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/**/**/power/autosuspend_delay_ms r, | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/scsi_host/host0/link_power_management_policy rw, | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/target*/**/block/{sda,sr0}/* r, | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/target*/**/block/{sda,sr0}/dev r, | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/target*/**/block/sda/sda@{int}/dev r, | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/target*/**/block/sda@{int}/dev r, | ||
|
|
There was a problem hiding this comment.
Most of this should be covered by disk-read.
Note: you cannot have path specific to a given hardware in a rule. Eg: sda sr0, scsi_host, host0. We aim at supporting all distribution and all kind of hardware, therefore, it should also work with sdb, an ssd... Luckily disk-read already handle all of this.
Only add rule here for @{sys} path when writing is needed.
apparmor.d/profiles-s-z/tlp
Outdated
| /dev/disk/by-id/ r, | ||
| owner /dev/sda r, |
apparmor.d/profiles-s-z/tlp
Outdated
| @{sys}/bus/ r, | ||
| owner @{sys}/bus/pci/drivers/nouveau/ r, | ||
| owner @{sys}/devices/@{pci}/ r, | ||
| owner @{sys}/devices/@{pci}/power/control rw, | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/scsi_host/ r, | ||
| owner @{sys}/devices/@{pci}/ta@{int}/host@{int}/scsi_host/host@{int}/link_power_management_policy rw, | ||
| @{sys}/bus/platform/devices/ r, | ||
| @{sys}/class/ r, | ||
| @{sys}/class/power_supply/ r, | ||
| @{sys}/devices/@{pci}/uevent r, | ||
| @{sys}/devices/**/power_supply/*/scope r, | ||
| @{sys}/devices/**/power_supply/*/uevent r, | ||
| @{sys}/devices/platform/**/uevent r, | ||
| @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, | ||
| @{sys}/devices/system/cpu/*_pstate/status r, | ||
| @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, | ||
| @{sys}/devices/system/cpu/cpufreq/ r, | ||
| @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, | ||
| @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, | ||
| owner @{sys}/bus/pci/drivers/mei_me/ r, | ||
| owner @{sys}/bus/pci/devices/ r, | ||
| owner @{sys}/block/ r, | ||
| owner @{sys}/class/net/ r, | ||
| owner @{sys}/devices/platform/**/**/** r, | ||
| owner @{sys}/devices/virtual/block/loop@{int}/ r, | ||
| owner @{sys}/devices/virtual/block/loop@{int}/dev r, | ||
| owner @{sys}/devices/virtual/net/lo/uevent r, | ||
| owner @{sys}/devices/virtual/dmi/id/product_version rw, | ||
| owner @{sys}/class/drm/ rw, | ||
| owner @{sys}/module/pcie_aspm/parameters/policy rw, | ||
| owner @{sys}/module/snd_hda_intel/parameters/power_save rw, | ||
| owner @{sys}/module/snd_hda_intel/parameters/power_save_controller rw, |
There was a problem hiding this comment.
Use disk-read here too. Only keep what has not been defined in disk-read as well as the few write access.
apparmor.d/profiles-s-z/tlp
Outdated
| @{bin}/rm rix, | ||
| @{bin}/id rpx, | ||
| @{bin}/iw rpx, | ||
| @{bin}/hdparm rix, |
There was a problem hiding this comment.
Use the profile instead: @{bin}/hdparm rPx,
It should also make a few rule in tlp not needed anymore as they are part of hdparam (possibly all disk related one).
apparmor.d/profiles-s-z/tlp
Outdated
| @{bin}/id rpx, | ||
| @{bin}/iw rpx, |
ok checking what remains to be added
perl is needed
checked wich @{sys} additions were needed
| @@ -10,6 +10,7 @@ include <tunables/global> | |||
| @{exec_path} = @{bin}/hdparm | |||
| profile hdparm @{exec_path} flags=(complain) { | |||
| include <abstractions/base> | |||
| include <abstractions/disks-read> | |||
apparmor.d/profiles-s-z/tlp
Outdated
| /usr/share/tlp/** rw, | ||
| /usr/share/tlp/func.d/** rw, | ||
|
|
||
| /usr/share/tlp/tlp-readconfs rw, |
There was a problem hiding this comment.
rw is still a no go here. The first rule include the other ones.
apparmor.d/profiles-s-z/tlp
Outdated
|
|
||
| /var/lib/power-profiles-daemon/state.ini rw, | ||
|
|
||
| owner /usr/share/tlp/bat.d/** rw, |
There was a problem hiding this comment.
That rule is included by the other share/tlp ones
apparmor.d/profiles-s-z/tlp
Outdated
| @{run}/udev/data/+platform:* r, | ||
| owner @{run}/tlp/* rw, | ||
| owner @{run}/tlp/lock_tlp rwk, | ||
| owner @{run}/udev/data/b@{int}:@{int} r, |
apparmor.d/profiles-s-z/tlp
Outdated
| /etc/tlp.d/ r, | ||
| /etc/tlp.d/** rw, | ||
| /etc/tlp.conf rw, | ||
| /etc/udev/udev.conf r, |
There was a problem hiding this comment.
Since udevadm is not part of the profile. This rule might not be needed anymore.
apparmor.d/profiles-s-z/tlp
Outdated
| @{sys}/devices/LNXSYSTM:@{rand2}/**/power_supply/BAT@{int}/type r, | ||
| @{sys}/devices/LNXSYSTM:@{rand2}/**/**/power_supply/BAT@{int}/type r, | ||
| @{sys}/devices/LNXSYSTM:@{rand2}/**/**/power_supply/BAT@{int}/present r, |
There was a problem hiding this comment.
It should be:
| @{sys}/devices/LNXSYSTM:@{rand2}/**/power_supply/BAT@{int}/type r, | |
| @{sys}/devices/LNXSYSTM:@{rand2}/**/**/power_supply/BAT@{int}/type r, | |
| @{sys}/devices/LNXSYSTM:@{rand2}/**/**/power_supply/BAT@{int}/present r, | |
| @{sys}/devices/**/power_supply/BAT@{int}/type r, | |
| @{sys}/devices/**/power_supply/BAT@{int}/present r, |
apparmor.d/profiles-s-z/tlp
Outdated
| owner /dev/sda r, | ||
| /dev/tty rw, | ||
|
|
||
| include if exists <local/tlp> |
There was a problem hiding this comment.
Please move this include after the subprofiles.
apparmor.d/profiles-s-z/tlp
Outdated
|
|
||
| @{exec_path} mr, | ||
|
|
||
| @{bin}/systemctl rix, |
There was a problem hiding this comment.
In a subprofile: https://apparmor.pujol.io/development/abstractions/#appsystemctl
No description provided.