Commit cfc685cf authored by Simon McVittie

AppArmor: Give logind broad read access to API filesystems

systemd is frequently an early adopter of new kernel APIs, so it seems
likely that systemd-logind will use more pseudo-files in these
virtual filesystems over time. We are mainly confining systemd-logind
for identification rather than enforcement, and we're about to make
its profile enforcing to avoid having to make it a special exception,
so we might as well widen these to avoid future bugs.
Signed-off-by: Simon McVittie <>
Reviewed-by: Emanuele Aina <>
Differential Revision:
parent a10a6f09
......@@ -36,10 +36,7 @@
/dev/tty* rw,
/etc/systemd/logind.conf r,
/etc/udev/udev.conf r,
/proc/@{pid}/* r,
/proc/cmdline r,
/proc/sys/kernel/pid_max r,
/proc/sys/kernel/random/boot_id r,
/proc/** r,
/run/systemd/notify w,
/run/systemd/seats/{,*} rw,
/run/systemd/sessions/{,*} rw,
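Review bot: `/proc/** r,` in this hunk covers much more than the four rules listed with it, and the profile carries no comment saying that is deliberate. Because `**` crosses directory separators, it matches every level under each process directory, where `/proc/@{pid}/* r,` stopped at the first level, and it matches all of `/proc/sys/`, where only `pid_max` and `random/boot_id` were named. The commit message explains the reasoning (confinement for identification rather than enforcement), but that context is not visible in the profile itself. A one-line comment above the rule would keep a later audit from reading it as an oversight. If any paths under /proc should stay unreadable once the profile is enforcing, explicit `deny` rules beside this line would make that boundary visible.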
......@@ -47,11 +44,5 @@
/run/udev/** r,
/run/user/*/ w,
/var/lib/systemd/linger/{,**} r,
/sys/bus/ r,
/sys/class/ r,
/sys/class/drm/ r,
/sys/devices/**/uevent r,
/sys/devices/virtual/tty/** r,
/sys/firmware/efi/efivars/OsIndicationsSupported-* r,
/sys/fs/cgroup/** r,
/sys/** r,
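Review bot: `/sys/** r,` takes in the whole of `/sys/firmware/efi/efivars/`, where the rule set in this hunk otherwise names a single variable pattern, `OsIndicationsSupported-*`. That is the one entry among the seven narrow rules that was scoped to a specific firmware variable, so it is worth confirming that read access to every EFI variable is intended rather than a side effect of the wildcard. If it is intended, a comment above `/sys/** r,` stating that the breadth is on purpose, mirroring the one suggested for `/proc/** r,`, would document it. If not, keeping the `OsIndicationsSupported-*` rule and adding a `deny` for the rest of efivars would preserve the old scope while still widening the rest of /sys.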