71 lines
1.2 KiB
Plaintext
71 lines
1.2 KiB
Plaintext
#include <tunables/global>
|
|
|
|
profile hassio-supervisor flags=(attach_disconnected,mediate_deleted) {
|
|
#include <abstractions/base>
|
|
#include <abstractions/python>
|
|
|
|
network,
|
|
deny network raw,
|
|
|
|
/bin/busybox ix,
|
|
/usr/bin/python{,3,3.[0-9]} ix,
|
|
/usr/bin/git cx,
|
|
/usr/bin/socat cx,
|
|
/usr/bin/gdbus cx,
|
|
|
|
deny /proc/** wl,
|
|
deny /root/** wl,
|
|
deny /sys/** wl,
|
|
|
|
/** r,
|
|
/data/** rw,
|
|
/{,var/}run/docker.sock rw,
|
|
|
|
capability net_bind_service,
|
|
|
|
profile /usr/bin/socat {
|
|
#include <abstractions/base>
|
|
|
|
network inet udp,
|
|
network inet tcp,
|
|
|
|
deny network raw,
|
|
deny network packet,
|
|
|
|
/usr/bin/socat mr,
|
|
/lib/* mr,
|
|
|
|
capability net_bind_service,
|
|
}
|
|
|
|
profile /usr/bin/gdbus {
|
|
#include <abstractions/base>
|
|
#include <abstractions/dbus>
|
|
|
|
/usr/bin/gdbus mr,
|
|
/lib/* mr,
|
|
|
|
/{,var/}run/dbus/system_bus_socket rw,
|
|
}
|
|
|
|
profile /usr/bin/git {
|
|
#include <abstractions/base>
|
|
|
|
network,
|
|
deny network raw,
|
|
|
|
/bin/busybox ix,
|
|
/usr/bin/git mr,
|
|
/usr/libexec/git-core/* ix,
|
|
|
|
deny /data/homeassistant rw,
|
|
deny /data/ssl rw,
|
|
|
|
/lib/* mr,
|
|
/** r,
|
|
/data/addons/** rw,
|
|
|
|
capability dac_override
|
|
}
|
|
}
|