apparmor

Whonix · Jul 9, 2023 · 6e13598 · 6e13598
1 parent 2f08794
commit 6e13598
Showing 1 changed file with 12 additions and 20 deletions.
diff --git a/etc/apparmor.d/usr.sbin.kloak b/etc/apparmor.d/usr.sbin.kloak
@@ -1,34 +1,26 @@
-## Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-#include <tunables/global>
+# Last Modified: Sun Jul  9 11:20:59 2023
+include <tunables/global>
 
 /usr/sbin/kloak {
-  ## This allows unconfined processes to send kloak the
-  ## SIGCONT, SIGKILL and SIGTERM signals which is needed
-  ## for systemd to start/stop/restart kloak.
-  ##
-  ## https://github.com/vmonaco/kloak/issues/21
-  ## https://forums.whonix.org/t/current-state-of-kloak/5605/10
-
-  ## https://forums.whonix.org/t/current-state-of-kloak/5605/19
-  ptrace readby,
+  include <local/usr.sbin.kloak>
 
   signal receive set=cont peer=unconfined,
   signal receive set=exists peer=unconfined,
   signal receive set=kill peer=unconfined,
   signal receive set=term peer=unconfined,
 
-  /usr/sbin/kloak                   mr,
-
-  owner /dev/input/event*           r,
-  owner /dev/uinput                 rw,
-  owner /sys/devices/virtual/input/input* r,
-
-  /etc/ld.so.cache                  r,
-  /etc/ld.so.preload                r,
+  ptrace readby,
 
-  /{,usr/}lib{,32,64}/**            mr,
+  /etc/ld.so.cache r,
+  /etc/ld.so.preload r,
+  /usr/sbin/kloak mr,
+  /{,usr/}lib{,32,64}/** mr,
+  owner /dev/input/event* r,
+  owner /dev/uinput rw,
+  owner /sys/devices/virtual/input/** r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.kloak>