deny /usr/sbin/ldconfig rix,

Kicksecure · Aug 22, 2021 · 23a2420 · 23a2420
1 parent 3729e1f
commit 23a2420
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/etc/apparmor.d/abstractions/url_to_unixtime b/etc/apparmor.d/abstractions/url_to_unixtime
@@ -20,3 +20,6 @@
   deny /sbin/** rwx,
   deny @{PROC}/** r,
   deny /usr/bin/python3.9 r,
+  ## Related to compilation to byte code?
+  ## AVC apparmor="DENIED" operation="exec" profile="/usr/bin/sdwdate" name="/usr/sbin/ldconfig" comm="sdwdate" requested_mask="x" denied_mask="x"
+  deny /usr/sbin/ldconfig rix,
diff --git a/etc/apparmor.d/usr.bin.sdwdate b/etc/apparmor.d/usr.bin.sdwdate
@@ -64,6 +64,10 @@
   deny /run/sdwdate/forbidden-temp/** rwmkl,
   ## This might get better once apparmor no new privs issue is resolved.
 
+  ## Related to compilation to byte code?
+  ## AVC apparmor="DENIED" operation="exec" profile="/usr/bin/sdwdate" name="/usr/sbin/ldconfig" comm="sdwdate" requested_mask="x" denied_mask="x"
+  deny /usr/sbin/ldconfig rix,
+
   ## TODO
   /usr/sbin/anondate-get rUx,
   ## Not implemented.