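--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,96 @@
+#include <tunables/global>
+
+profile xiaomi_mi_scale flags=(attach_disconnected,mediate_deleted) {
+ #include <abstractions/base>
+
+ # Capabilities
+ network,
+ capability,
+ file,
+
+ # ###
+ # included from https://github.com/edgexfoundry-holding/device-bluetooth-c/blob/main/docker-ble-policy
+ # ###
+ dbus (send, receive) bus=system peer=(name=org.bluez, label=unconfined),
+ dbus (send, receive) bus=system interface=org.freedesktop.DBus peer=(label=unconfined),
+
+ # ###
+ # included from https://github.com/jdstrand/snapd/blob/4befc00e3318a3231e96b38b575bf6e637ddad6c/interfaces/builtin/bluez.go
+ # ###
+ dbus (receive, send)
+ bus=system
+ interface=org.bluez.*
+ peer=(label=unconfined),
+ dbus (receive, send)
+ bus=system
+ path=/org/bluez{,/**}
+ interface=org.freedesktop.DBus.*
+ peer=(label=unconfined),
+ dbus (receive, send)
+ bus=system
+ path=/
+ interface=org.freedesktop.DBus.*
+ peer=(label=unconfined),
+
+
+ # ###
+ # included from https://developers.home-assistant.io/docs/add-ons/presentation#apparmor
+ # ###
+ signal (send) set=(kill,term,int,hup,cont),
+
+ # Receive signals from S6-Overlay
+ signal (send,receive) peer=*_xiaomi_mi_scale,
+
+ # S6-Overlay
+ /init ix,
+ /bin/** ix,
+ /usr/bin/** ix,
+ /run/{s6,s6-rc*,service}/** ix,
+ /package/** ix,
+ /command/** ix,
+ /etc/services.d/** rwix,
+ /etc/cont-init.d/** rwix,
+ /etc/cont-finish.d/** rwix,
+ /run/{,**} rwk,
+ /dev/tty rw,
+
+ # Bashio
+ /usr/lib/bashio/** ix,
+ /tmp/** rwk,
+
+ # Access to options.json and other files within your addon
+ /data/** rw,
+
+ # Access to mapped volumes specified in config.json
+ /share/** rw,
+
+
+ # ###
+ # included from https://gist.github.com/disconnect3d/d578af68b09ab56db657854ec03879aa
+ # (docker-default profile which would usually be used for this container)
+ # ###
+ signal (receive) peer=unconfined,
+ signal (send,receive) peer=docker-default,
+
+ deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
+ # deny write to files not in /proc/<number>/** or /proc/sys/**
+ deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
+ deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
+ deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/kcore rwklx,
+
+ deny mount,
+
+ deny /sys/[^f]*/** wklx,
+ deny /sys/f[^s]*/** wklx,
+ deny /sys/fs/[^c]*/** wklx,
+ deny /sys/fs/c[^g]*/** wklx,
+ deny /sys/fs/cg[^r]*/** wklx,
+ deny /sys/firmware/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+
+ # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+ ptrace (trace,read) peer=docker-default,
+}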
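Review bot: The bare `capability,` and `file,` rules directly under the `# Capabilities` comment grant every Linux capability and read/write/execute access to the entire filesystem, so the S6-Overlay, Bashio, `/data/**` and `/share/**` path rules later in the profile add nothing and only the explicit `deny` rules near the end actually confine the add-on. An add-on that reaches BlueZ purely over the system bus (which is what the `dbus` rules here describe) usually needs no capability rule at all, and one that opens HCI sockets directly typically needs only `capability net_admin,` and `capability net_raw,`; I would replace the two lines with those (or nothing) and drop `file,` so the path rules become meaningful, then run the add-on with `flags=(complain)` to collect the remaining audit denials and add them explicitly, since what is really required cannot be determined from the profile text alone. The `signal (send,receive) peer=docker-default,` and `ptrace (trace,read) peer=docker-default,` lines are copied verbatim from the docker-default template, where that peer value is the template's own profile name; in a profile named `xiaomi_mi_scale` they probably should refer to the profile itself, e.g. `peer=xiaomi_mi_scale`, otherwise the intended self-signal/self-ptrace allowance is not granted.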